Okta - Amazon Athena

Okta

Okta is a SAML-based authentication plugin that works with the Okta identity provider. For information about configuring federation for Okta and Amazon Athena, see Configuring SSO for ODBC using the Okta plugin and Okta Identity Provider.

Authentication Type

| Connection string name | Parameter type | Default value | Connection string example |
|---|---|---|---|
| AuthenticationType | Required | IAM Credentials | AuthenticationType=Okta; |

User ID

Your Okta user name.

| Connection string name | Parameter type | Default value | Connection string example |
|---|---|---|---|
| UID | Required | none | UID=jane.doe@org.com; |

Password

Your Okta user password.

| Connection string name | Parameter type | Default value | Connection string example |
|---|---|---|---|
| PWD | Required | none | PWD=oktauserpasswordexample; |

Preferred role

The Amazon Resource Name (ARN) of the role to assume. For more information about ARN roles, see AssumeRole in the Amazon Security Token Service API Reference.

| Connection string name | Parameter type | Default value | Connection string example |
|---|---|---|---|
| preferred_role | Optional | none | preferred_role=arn:aws:IAM::123456789012:id/user1; |

Session duration

The duration, in seconds, of the role session. For more information, see AssumeRole in the Amazon Security Token Service API Reference.

| Connection string name | Parameter type | Default value | Connection string example |
|---|---|---|---|
| duration | Optional | 900 | duration=900; |

IdP host

The URL for your Okta organization. You can extract the idp_host parameter from the Embed Link URL in your Okta application. For steps, see Retrieve ODBC configuration information from Okta. The first segment after https://, up to and including okta.com, is your IdP host (for example, http://trial-1234567.okta.com).

| Connection string name | Parameter type | Default value | Connection string example |
|---|---|---|---|
| idp_host | Required | None | idp_host=dev-99999999.okta.com; |

IdP port

The port number to use to connect to your IdP host.

| Connection string name | Parameter type | Default value | Connection string example |
|---|---|---|---|
| idp_port | Required | None | idp_port=443; |

Okta app ID

The two-part identifier for your application. You can extract the app_id parameter from the Embed Link URL in your Okta application. For steps, see Retrieve ODBC configuration information from Okta. The application ID is the last two segments of the URL, including the forward slash in the middle. The segments are two 20-character strings with a mix of numbers and upper and lowercase letters (for example, Abc1de2fghi3J45kL678/abc1defghij2klmNo3p4).

| Connection string name | Parameter type | Default value | Connection string example |
|---|---|---|---|
| app_id | Required | None | app_id=0oa25kx8ze9A3example/alnexamplea0piaWa0g7; |

Okta app name

The name of the Okta application.

| Connection string name | Parameter type | Default value | Connection string example |
|---|---|---|---|
| app_name | Required | None | app_name=amazon_aws_redshift; |

Okta wait time

Specifies the duration in seconds to wait for the multifactor authentication (MFA) code.

| Connection string name | Parameter type | Default value | Connection string example |
|---|---|---|---|
| okta_mfa_wait_time | Optional | 10 | okta_mfa_wait_time=20; |

Okta MFA type

The MFA factor type. Supported types are Google Authenticator, SMS (Okta), Okta Verify with Push, and Okta Verify with TOTP. Individual organization security policies determine whether or not MFA is required for user login.

| Connection string name | Parameter type | Default value | Possible values | Connection string example |
|---|---|---|---|---|
| okta_mfa_type | Optional | None | googleauthenticator, smsauthentication, oktaverifywithpush, oktaverifywithtotp | okta_mfa_type=oktaverifywithpush; |

Okta phone number

The phone number to use with Amazon SMS authentication. This parameter is required only for multifactor enrollment. If your mobile number is already enrolled, or if Amazon SMS authentication is not used by the security policy, you can ignore this field.

| Connection string name | Parameter type | Default value | Connection string example |
|---|---|---|---|
| okta_mfa_phone_number | Required for MFA enrollment, optional otherwise | None | okta_mfa_phone_number=19991234567; |

Enable Okta file cache

Enables a temporary credentials cache. This connection parameter enables temporary credentials to be cached and reused between the multiple processes opened by BI applications. Use this option to avoid the Okta API throttling limit.

| Connection string name | Parameter type | Default value | Connection string example |
|---|---|---|---|
| okta_cache | Optional | 0 | okta_cache=1; |
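
The following is an added example, not code from the AWS documentation or the ODBC driver: it derives idp_host and app_id from an Okta Embed Link URL as the IdP host and Okta app ID sections describe, assembles the required parameters into a connection string, and masks PWD before the string is logged. The function names, the ATHENA_OKTA_PWD environment variable and the sample Embed Link (constructed from the example values on this page) are assumptions.

```python
import os
import re
from urllib.parse import urlsplit

# okta_mfa_type values listed in the "Okta MFA type" table.
MFA_TYPES = {"googleauthenticator", "smsauthentication",
             "oktaverifywithpush", "oktaverifywithtotp"}
SEGMENT = re.compile(r"^[A-Za-z0-9]{20}$")  # one half of the two-part app_id

def parse_embed_link(url):
    """Return (idp_host, app_id) taken from an Okta Embed Link URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https" or not host.endswith(".okta.com"):
        raise ValueError("Embed Link must be an https:// URL on an okta.com host")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2 or not all(SEGMENT.match(s) for s in segments[-2:]):
        raise ValueError("app_id must be the last two 20-character URL segments")
    return host, "/".join(segments[-2:])

def build_connection_string(embed_link, uid, pwd, app_name,
                            mfa_type=None, idp_port=443):
    """Assemble the required Okta parameters plus an optional MFA type."""
    idp_host, app_id = parse_embed_link(embed_link)
    if mfa_type is not None and mfa_type not in MFA_TYPES:
        raise ValueError(f"unsupported okta_mfa_type: {mfa_type}")
    params = {"AuthenticationType": "Okta", "UID": uid, "PWD": pwd,
              "idp_host": idp_host, "idp_port": idp_port,
              "app_id": app_id, "app_name": app_name}
    if mfa_type:
        params["okta_mfa_type"] = mfa_type
    for key, value in params.items():
        # A ';' inside a value would start another parameter; this sketch
        # rejects such values instead of brace-quoting them.
        if not str(value) or ";" in str(value):
            raise ValueError(f"{key} is empty or contains ';'")
    return "".join(f"{k}={v};" for k, v in params.items())

def redact(conn_str):
    """Mask the PWD value so the connection string is safe to log."""
    return re.sub(r"(^|;)PWD=[^;]*", r"\1PWD=***", conn_str, flags=re.IGNORECASE)

if __name__ == "__main__":
    # Constructed sample input; the password comes from the environment
    # (hypothetical variable name) rather than being stored in the script.
    link = ("https://dev-99999999.okta.com/home/amazon_aws_redshift/"
            "0oa25kx8ze9A3example/alnexamplea0piaWa0g7")
    pwd = os.environ.get("ATHENA_OKTA_PWD", "constructed-placeholder")
    print(redact(build_connection_string(link, "jane.doe@org.com", pwd,
                                         "amazon_aws_redshift")))
```
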