docs/using-the-aws-odbc-wrapper/plugins/okta-authentication-plugin.md (24 additions & 20 deletions)
@@ -14,29 +14,33 @@ When a user wants access to a resource, it authenticates with the IdP. From this
14
14
15
15
1. Follow steps in [Enable AWS IAM Database Authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Enabling.html) to setup IAM authentication.
16
16
2. Configure Okta as the AWS identity provider following [Okta's official documentation](https://help.okta.com/en-us/content/topics/deploymentguides/aws/aws-deployment.htm)
17
+
3. (Optional) Enable MFA. MFA through Okta Verify is supported for the Push and OTP methods. Please ensure the authentication policies and/or global session policies have been configured to use MFA.
17
18
18
19
### Connection String / DSN Configuration for Okta Authentication Plugin Support
19
20
20
-
| Field | Connection Option Key | Value | Default Value | Sample Value |
| Authentication Type |`RDS_AUTH_TYPE`| Must be `OKTA`. |`database`|`OKTA`|
23
-
| Server |`SERVER`| Database instance server host. | nil |`database.us-east-1-rds.amazon.com`|
24
-
| Port |`PORT`| Port that the database is listening on. | nil | 5432 |
25
-
| User Name |`UID`| Database user name for IAM authentication. | nil |`iam_user`|
26
-
| IAM Host |`IAM_HOST`| The endpoint used to generate the authentication token. This is only required if you are connecting using custom endpoints such as an IP address. | nil |`database.us-east-1-rds.amazon.com`|
27
-
| Region |`REGION`| The region of the database for IAM authentication. |`us-east-1`|`us-east-1`|
28
-
| Database |`DATABASE`| Default database that a user will work on. | nil |`my_database`|
29
-
| Token Expiration |`TOKEN_EXPIRATION`| Token expiration in seconds, supported max value is 900. | 900 | 900 |
30
-
| IdP Endpoint |`IDP_ENDPOINT`| The ADFS host that is used to authenticate with. | nil |`my-adfs-host.com`|
31
-
| IdP Port |`IDP_PORT`| The ADFS host port. | 443 | 443 |
32
-
| IdP User Name |`IDP_USERNAME`| The user name for the IdP Endpoint server. | nil |`user@email.com`|
| Role ARN |`IDP_ROLE_ARN`| The ARN of the IAM Role that is to be assumed for database access. | nil |`arn:aws:iam::123412341234:role/ADFS-SAML-Assume`|
35
-
| IdP SAML Provider ARN |`IDP_SAML_ARN`| The ARN of the Identity Provider. | nil |`arn:aws:iam::123412341234:saml-provider/ADFS-AWS-IAM`|
36
-
| HTTP Socket Timeout |`HTTP_SOCKET_TIMEOUT`| The socket timeout value in milliseconds for the HttpClient reading. | 3000 | 3000 |
37
-
| HTTP Connect Timeout |`HTTP_CONNECT_TIMEOUT`| The connect timeout value in milliseconds for the HttpClient. | 5000 | 5000 |
38
-
| App ID |`APP_ID`| The application ID for AWS configured on. | nil |`my-app-id`|
39
-
| Extra URL Encode |`EXTRA_URL_ENCODE`| Generated tokens can have URL encoding prefix duplication for scenarios where underlying drivers automatically decode the URL before passing to the database for connections. |`0`|`1`|
21
+
| Field | Connection Option Key | Value | Default Value | Sample Value |
| Authentication Type |`RDS_AUTH_TYPE`| Must be `OKTA`. |`database`|`OKTA`|
24
+
| Server |`SERVER`| Database instance server host. | nil |`database.us-east-1-rds.amazon.com`|
25
+
| Port |`PORT`| Port that the database is listening on. | nil |`5432`|
26
+
| User Name |`UID`| Database user name for IAM authentication. | nil |`iam_user`|
27
+
| IAM Host |`IAM_HOST`| The endpoint used to generate the authentication token. This is only required if you are connecting using custom endpoints such as an IP address. | nil |`database.us-east-1-rds.amazon.com`|
28
+
| Region |`REGION`| The region of the database for IAM authentication. |`us-east-1`|`us-east-1`|
29
+
| Database |`DATABASE`| Default database that a user will work on. | nil |`my_database`|
30
+
| Token Expiration |`TOKEN_EXPIRATION`| Token expiration in seconds, supported max value is 900. |`900`|`900`|
31
+
| IdP Endpoint |`IDP_ENDPOINT`| The ADFS host that is used to authenticate with. | nil |`my-adfs-host.com`|
32
+
| IdP Port |`IDP_PORT`| The ADFS host port. |`443`|`443`|
33
+
| IdP User Name |`IDP_USERNAME`| The user name for the IdP Endpoint server. | nil |`user@email.com`|
| Role ARN |`IDP_ROLE_ARN`| The ARN of the IAM Role that is to be assumed for database access. | nil |`arn:aws:iam::123412341234:role/ADFS-SAML-Assume`|
36
+
| IdP SAML Provider ARN |`IDP_SAML_ARN`| The ARN of the Identity Provider. | nil |`arn:aws:iam::123412341234:saml-provider/ADFS-AWS-IAM`|
37
+
| HTTP Socket Timeout |`HTTP_SOCKET_TIMEOUT`| The socket timeout value in milliseconds for the HttpClient reading. |`3000`|`3000`|
38
+
| HTTP Connect Timeout |`HTTP_CONNECT_TIMEOUT`| The connect timeout value in milliseconds for the HttpClient. |`5000`|`5000`|
39
+
| App ID |`APP_ID`| The application ID for AWS configured on. | nil |`my-app-id`|
40
+
| Extra URL Encode |`EXTRA_URL_ENCODE`| Generated tokens can have URL encoding prefix duplication for scenarios where underlying drivers automatically decode the URL before passing to the database for connections. |`0`|`1`|
41
+
| MFA Type |`MFA_TYPE`| The MFA type the user specifies. The available options are: `TOTP`, `PUSH`. **Note**: the `TOTP` type requires a web browser to be used. | nil |`TOTP`|
42
+
| MFA Port |`MFA_PORT`| The port used to connect to `127.0.0.1` to provide the one time code when using TOTP as the MFA Type. |`8080`|`8000`|
43
+
| MFA Timeout |`MFA_TIMEOUT`| The time in seconds to complete the MFA challenge before the connection fails. |`60`|`30`|
40
44
41
45
> [!WARNING]\
42
46
> Using IAM Authentication, connections to the database must have SSL enabled. Please refer to the underlying driver's specifications to enable this.
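Review bot: The MFA terminology in this hunk is inconsistent between the new step 3 and the new `MFA_TYPE` row, and should be aligned so readers know which value to set. Step 3 says "MFA through Okta Verify is supported for the Push and OTP methods", while the table row reads "`MFA_TYPE`| The MFA type the user specifies. The available options are: `TOTP`, `PUSH`"; either step 3 should say TOTP, or the row should say which OTP flavour `TOTP` covers. Two smaller points in the same rows: the `IDP_ENDPOINT` and `IDP_PORT` descriptions (and the `my-adfs-host.com`, `ADFS-SAML-Assume`, `ADFS-AWS-IAM` sample values) still describe an ADFS host in a document about the Okta plugin, and since these rows are being rewritten anyway this is the place to change them to the Okta org URL; and the `MFA_PORT` row says the port is "used to connect to `127.0.0.1` to provide the one time code" but does not say that the listener binds only to the loopback interface, whether the code is submitted over plain HTTP, or that the `MFA_TIMEOUT` window (default `60`) also bounds how long that listener stays open. Stating those explicitly lets an operator judge the exposure of the local listener and pick `MFA_TIMEOUT` accordingly.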