Browser SAML - Amazon Athena
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Browser SAML

Browser SAML is a generic authentication plugin that can work with SAML based identity providers and support multi-factor authentication. For detailed configuration information, see Configuring single sign-on using ODBC, SAML 2.0, and the Okta Identity Provider.

Authentication type

Connection string name Parameter type Default value Connection string example
AuthenticationType Required IAM Credentials AuthenticationType=BrowserSAML;

Preferred role

The Amazon Resource Name (ARN) of the role to assume. If your SAML assertion has multiple roles, you can specify this parameter to choose the role to be assumed. This role should be present in the SAML assertion. For more information about ARN roles, see AssumeRole in the Amazon Security Token Service API Reference.

Connection string name Parameter type Default value Connection string example
preferred_role Optional none preferred_role=arn:aws:IAM::123456789012:id/user1;

Session duration

The duration, in seconds, of the role session. For more information, see AssumeRole in the Amazon Security Token Service API Reference.

Connection string name Parameter type Default value Connection string example
duration Optional 900 duration=900;

Login URL

The single sign-on URL that is displayed for your application.

Connection string name Parameter type Default value Connection string example
login_url Required none login_url=https://trial-1234567.okta.com/app/trial-1234567_oktabrowsersaml_1/zzz4izzzAzDFBzZz1234/sso/saml;

Listen port

The port number that is used to listen for the SAML response. This value should match the IAM Identity Center URL that you configured the IdP with (for example, http://localhost:7890/athena).

Connection string name Parameter type Default value Connection string example
listen_port Optional 7890 listen_port=7890;

Timeout

The duration, in seconds, before the plugin stops waiting for the SAML response from the identity provider.

Connection string name Parameter type Default value Connection string example
timeout Optional 120 timeout=90;