Additional properties required to connect to the identity provider in a semicolon-separated list.
Additional properties required to connect to the identity provider in a semicolon-separated list. SSOProperties is used in conjunction with the the AWSRoleARN and AWSPrincipalARN. The following section provides an example using the OKTA identity provider.
Set the AuthScheme to ADFS. The following connection properties need to be set:
- User: Set this to your ADFS username.
- Password: Set this to your ADFS password.
- SSOLoginURL: Set this to the login URL used by the SSO provider.
AuthScheme=ADFS; AWSRegion=Ireland; Useremail@example.com; Password=CH8WerW121235647iCa6; SSOLoginURL='https://adfs.domain.com'; AWSRoleArn=arn:aws:iam::1234:role/ADFS_SSO; AWSPrincipalArn=arn:aws:iam::1234:saml-provider/ADFSProvider;
To use the ADFS Integrated flow, specify the SSOLoginURL and leave the username and password empty.
Set the AuthScheme to Okta. The following connection properties are used to authenticate through Okta:
- User: Set to your Okta user.
- Password: Set to your Okta password.
- SSOLoginURL: Set to the login URL used by the SSO provider.
- using a trusted application or proxy that overrides the Okta client request
- configuring MFA
then you need to use combinations of SSOProperties input parameters to authenticate using Okta. Otherwise, you do not need to set any of these values.
In SSOProperties when required, set these input parameters:
- APIToken: When authenticating a user via a trusted application or proxy that overrides the Okta client request context, set this to the API Token the customer created from the Okta organization.
- MFAType: Set this if you have configured the MFA flow. Currently we support the following types: OktaVerify, Email, and SMS.
- MFAPassCode: Set this only if you have configured the MFA flow. If you set this to empty or an invalid value, the driver issues a one-time password challenge to your device or email. After the passcode is received, reopen the connection where the retrieved one-time password value is set to the MFAPassCode connection property.
- MFARememberDevice: Okta supports remembering devices when MFA is required. If remembering devices is allowed according to the configured authentication policies, the driver sends a device token to extend MFA authentication lifetime. This property is, by default, set to True. Set this to False only if you do not want MFA to be remembered.
Example connection string:
AuthScheme=Okta; AWSRegion=Ireland; Userfirstname.lastname@example.org; Password=CH8WerW121235647iCa6; SSOLoginURL='https://cdata-us.okta.com/home/amazon_aws/0oa35m8arsAL5f5NrE6NdA356/272'; SSOProperties='ApiToken=01230GGG2ceAnm_tPAf4MhiMELXZ0L0N1pAYrO1VR-hGQSf;'; AWSRoleArn=arn:aws:iam::1234:role/Okta_SSO; AWSPrincipalARN=arn:aws:iam::1234:saml-provider/OktaProvider;