Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Okta credentials

PDF
RSS
Focus mode
Okta credentials - Amazon Athena
Credentials providerUserPasswordOkta host nameOkta application IDOkta application nameOkta MFA typeOkta phone numberOkta MFA wait timePreferred roleRole session durationLake Formation enabled

A SAML-based authentication mechanism that enables authentication to Athena using the Okta identity provider. This method assumes that a federation has already been set up between Athena and Okta.

Credentials provider

The credentials provider that will be used to authenticate requests to AWS. Set the value of this parameter to Okta.

Parameter name Alias Parameter type Default value Value to use
CredentialsProvider AWSCredentialsProviderClass (deprecated) Required none Okta

User

The email address of the Okta user to use for authentication with Okta.

Parameter name Alias Parameter type Default value
User UID (deprecated) Required none

Password

The password for the Okta user.

Parameter name Alias Parameter type Default value
Password PWD (deprecated) Required none

Okta host name

The URL for your Okta organization. You can extract the idp_host parameter from the Embed Link URL in your Okta application. For steps, see Retrieve ODBC configuration information from Okta. The first segment after https://, up to and including okta.com, is your IdP host (for example, trial-1234567.okta.com for a URL that starts with https://trial-1234567.okta.com).

Parameter name Alias Parameter type Default value
OktaHostName IdP_Host (deprecated) Required none

Okta application ID

The two-part identifier for your application. You can extract the application ID from the Embed Link URL in your Okta application. For steps, see Retrieve ODBC configuration information from Okta. The application ID is the last two segments of the URL, including the forward slash in the middle. The segments are two 20-character strings with a mix of numbers and upper and lowercase letters (for example, Abc1de2fghi3J45kL678/abc1defghij2klmNo3p4).

Parameter name Alias Parameter type Default value
OktaAppId App_ID (deprecated) Required none

Okta application name

The name of your Okta application.

Parameter name Alias Parameter type Default value
OktaAppName App_Name (deprecated) Required none

Okta MFA type

If you have set up Okta to require multi-factor authentication (MFA), you need to specify the Okta MFA type and additional parameters depending on the second factor that you want to use.

Okta MFA type is the second authentication factor type (after the password) to use to authenticate with Okta. Supported second factors include push notifications delivered through the Okta Verify app and temporary one-time passwords (TOTPs) generated by Okta Verify, Google Authenticator, or sent through SMS. Individual organization security policies determine whether or not MFA is required for user login.

Parameter name Alias Parameter type Default value Possible values
OktaMfaType okta_mfa_type (deprecated) Required, if Okta is set up to require MFA none oktaverifywithpush, oktaverifywithtotp, googleauthenticator, smsauthentication

Okta phone number

The phone number to which Okta will send a temporary one-time password using SMS when the smsauthentication MFA type is chosen. The phone number must be a US or Canadian phone number.

Parameter name Alias Parameter type Default value
OktaPhoneNumber okta_phone_number (deprecated) Required, if OktaMfaType is smsauthentication none

Okta MFA wait time

The duration, in seconds, to wait for the user to acknowledge a push notification from Okta before the driver throws a timeout exception.

Parameter name Alias Parameter type Default value
OktaMfaWaitTime okta_mfa_wait_time (deprecated) Optional 60

Preferred role

The Amazon Resource Name (ARN) of the role to assume. For information about ARN roles, see AssumeRole in the AWS Security Token Service API Reference.

Parameter name Alias Parameter type Default value
PreferredRole preferred_role (deprecated) Optional none

Role session duration

The duration, in seconds, of the role session. For more information, see AssumeRole in the AWS Security Token Service API Reference.

Parameter name Alias Parameter type Default value
RoleSessionDuration Duration (deprecated) Optional 3600

Lake Formation enabled

Specifies whether to use the AssumeDecoratedRoleWithSAML Lake Formation API action to retrieve temporary IAM credentials instead of the AssumeRoleWithSAML AWS STS API action.

Parameter name Alias Parameter type Default value
LakeFormationEnabled none Optional FALSE

On this page

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.