

# Athena ODBC 1.x driver
<a name="connect-with-odbc-driver-and-documentation-download-links"></a>

You can use an ODBC connection to connect to Athena from third-party SQL client tools and applications. Use the links on this page to download the Amazon Athena 1.x ODBC driver License Agreement, ODBC drivers, and ODBC documentation. For information about the ODBC connection string, see the ODBC Driver Installation and Configuration Guide PDF file, downloadable from this page. For permissions information, see [Control access through JDBC and ODBC connections](policy-actions.md).

**Important**  
When you use the ODBC 1.x driver, be sure to note the following requirements:  
**Open port 444** – Keep port 444, which Athena uses to stream query results, open to outbound traffic. When you use a PrivateLink endpoint to connect to Athena, ensure that the security group attached to the PrivateLink endpoint is open to inbound traffic on port 444. 
**athena:GetQueryResultsStream policy** – Add the `athena:GetQueryResultsStream` policy action to the IAM principals that use the ODBC driver. This policy action is not exposed directly with the API. It is used only with the ODBC and JDBC drivers as part of streaming results support. For an example policy, see [AWS managed policy: AWSQuicksightAthenaAccess](security-iam-awsmanpol.md#awsquicksightathenaaccess-managed-policy). 

## Windows
<a name="connect-with-odbc-windows"></a>


| Driver version | Download link | 
| --- | --- | 
| ODBC 1.2.3.1000 for Windows 32-bit | [Windows 32 bit ODBC driver 1.2.3.1000](https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/SimbaAthenaODBC_1.2.3.1000/Windows/SimbaAthena_1.2.3.1000_32-bit.msi) | 
| ODBC 1.2.3.1000 for Windows 64-bit | [Windows 64 bit ODBC driver 1.2.3.1000](https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/SimbaAthenaODBC_1.2.3.1000/Windows/SimbaAthena_1.2.3.1000_64-bit.msi) | 

## Linux
<a name="connect-with-odbc-linux"></a>


| Driver version | Download link | 
| --- | --- | 
| ODBC 1.2.3.1000 for Linux 32-bit | [Linux 32 bit ODBC driver 1.2.3.1000](https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/SimbaAthenaODBC_1.2.3.1000/Linux/simbaathena-1.2.3.1000-1.el7.i686.rpm) | 
| ODBC 1.2.3.1000 for Linux 64-bit | [Linux 64 bit ODBC driver 1.2.3.1000](https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/SimbaAthenaODBC_1.2.3.1000/Linux/simbaathena-1.2.3.1000-1.el7.x86_64.rpm) | 

## OSX
<a name="connect-with-odbc-osx"></a>


| Driver version | Download link | 
| --- | --- | 
| ODBC 1.2.3.1000 for OSX | [OSX ODBC driver 1.2.3.1000](https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/SimbaAthenaODBC_1.2.3.1000/OSX/SimbaAthena_1.2.3.1000.dmg) | 

## Documentation
<a name="connect-with-odbc-driver-documentation"></a>


| Content | Documentation link | 
| --- | --- | 
| Amazon Athena ODBC driver license agreement |  [License agreement](https://downloads.athena.us-east-1.amazonaws.com/agreement/ODBC/Amazon+Athena+ODBC+Driver+License+Agreement.pdf)  | 
| Documentation for ODBC 1.2.3.1000 | [ODBC driver installation and configuration guide version 1.2.3.1000](https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/SimbaAthenaODBC_1.2.3.1000/docs/Simba+Amazon+Athena+ODBC+Connector+Install+and+Configuration+Guide.pdf) | 
| Release Notes for ODBC 1.2.3.1000 | [ODBC driver release notes version 1.2.3.1000](https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/SimbaAthenaODBC_1.2.3.1000/docs/release-notes.txt) | 

## ODBC driver notes
<a name="connect-with-odbc-configuration"></a>

**Connecting Without Using a Proxy**  
If you want to specify certain hosts that the driver connects to without using a proxy, you can use the optional `NonProxyHost` property in your ODBC connection string.

The `NonProxyHost` property specifies a comma-separated list of hosts that the connector can access without going through the proxy server when a proxy connection is enabled, as in the following example:

```
.amazonaws.com,localhost,.example.net,.example.com
```

The `NonProxyHost` connection parameter is passed to the `CURLOPT_NOPROXY` curl option. For information about the `CURLOPT_NOPROXY` format, see [CURLOPT_NOPROXY](https://curl.se/libcurl/c/CURLOPT_NOPROXY.html) in the curl documentation.
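As an added example (not code from the Athena documentation or from the Simba driver), the following Python pulls `NonProxyHost` out of an ODBC-style `key=value;` connection string and decides, for a list of hosts, which ones the driver would reach without the proxy. The matching rules are an approximation of what curl documents for `CURLOPT_NOPROXY` (the driver hands the value to libcurl rather than matching it itself); the connection string and the host list are constructed for the example, and `DSN` is used only because it is a standard ODBC keyword.

```python
# Constructed sample connection string in the ODBC "key=value;" form. DSN is a
# standard ODBC keyword; the NonProxyHost value is the one shown on this page.
SAMPLE_CONNECTION_STRING = (
    "DSN=Athena-odbc-test;"
    "NonProxyHost=.amazonaws.com,localhost,.example.net,.example.com;"
)


def parse_connection_string(conn_str):
    """Split an ODBC 'key=value;' connection string into a dict.

    ODBC keywords are case-insensitive, so keys are lower-cased.
    """
    props = {}
    for part in conn_str.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed connection string segment: {part!r}")
        props[key.strip().lower()] = value.strip()
    return props


def parse_no_proxy(value):
    """Turn the comma-separated NonProxyHost value into a list of patterns."""
    return [entry.strip().lower() for entry in value.split(",") if entry.strip()]


def bypasses_proxy(host, patterns):
    """Return True if the driver would reach host directly, without the proxy.

    Modelled on the rules curl documents for CURLOPT_NOPROXY (an assumption,
    not a call into libcurl): a bare '*' matches everything; an entry matches
    the host itself or any subdomain of it; a leading dot marks a domain
    suffix. A ':port' suffix on the host is ignored for matching.
    """
    host = host.lower()
    if not host.startswith("[") and ":" in host:   # leave IPv6 literals alone
        host = host.rsplit(":", 1)[0]
    for pattern in patterns:
        if pattern == "*":
            return True
        domain = pattern.lstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def classify_hosts(conn_str, hosts):
    """Map each host to True (direct) or False (via proxy) for a connection string."""
    props = parse_connection_string(conn_str)
    patterns = parse_no_proxy(props.get("nonproxyhost", ""))
    return {host: bypasses_proxy(host, patterns) for host in hosts}


if __name__ == "__main__":
    sample_hosts = [
        "athena.us-east-1.amazonaws.com",  # Athena endpoint, listed suffix
        "localhost",
        "api.example.com:443",             # port is ignored when matching
        "notexample.com",                  # look-alike, must NOT match .example.com
        "example.com.evil.test",           # suffix trick, must NOT match either
    ]
    for host, direct in classify_hosts(SAMPLE_CONNECTION_STRING, sample_hosts).items():
        print(f"{host:35} {'direct' if direct else 'via proxy'}")
```

Running the block lists which sample hosts escape the proxy. The two negative cases are the ones worth checking when reviewing a `NonProxyHost` list: a leading-dot entry such as `.example.com` covers `example.com` and its subdomains, but neither a look-alike name nor a host that merely contains the string, so the list says exactly which destinations leave the proxied egress path.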

# Configure federated access to Amazon Athena for Microsoft AD FS users using an ODBC client
<a name="odbc-adfs-saml"></a>

To set up federated access to Amazon Athena for Microsoft Active Directory Federation Services (AD FS) users using an ODBC client, you first establish trust between AD FS and your AWS account. With this trust in place, your AD users can [federate](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html#CreatingSAML-configuring-IdP) into AWS using their AD credentials and assume permissions of an [AWS Identity and Access Management](https://aws.amazon.com/iam/) (IAM) role to access AWS resources such as the Athena API.

To create this trust, you add AD FS as a SAML provider to your AWS account and create an IAM role that federated users can assume. On the AD FS side, you add AWS as a relying party and write SAML claim rules to send the right user attributes to AWS for authorization (specifically, Athena and Amazon S3).

Configuring AD FS access to Athena involves the following major steps:

[1. Setting up an IAM SAML provider and role](#odbc-adfs-saml-setting-up-an-iam-saml-provider-and-role)

[2. Configuring AD FS](#odbc-adfs-saml-configuring-ad-fs)

[3. Creating Active Directory users and groups](#odbc-adfs-saml-creating-active-directory-users-and-groups)

[4. Configuring the AD FS ODBC connection to Athena](#odbc-adfs-saml-configuring-the-ad-fs-odbc-connection-to-athena)

## 1. Setting up an IAM SAML provider and role
<a name="odbc-adfs-saml-setting-up-an-iam-saml-provider-and-role"></a>

In this section, you add AD FS as a SAML provider to your AWS account and create an IAM role that your federated users can assume.

**To set up a SAML provider**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Identity providers**.

1. Choose **Add provider**.

1. For **Provider type**, choose **SAML**.  
![\[Choose SAML.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-1.png)

1. For **Provider name**, enter **adfs-saml-provider**.

1. In a browser, enter the following address to download the federation XML file for your AD FS server. To perform this step, your browser must have access to the AD FS server.

   ```
   https://adfs-server-name/federationmetadata/2007-06/federationmetadata.xml
   ```

1. In the IAM console, for **Metadata document**, choose **Choose file**, and then upload the federation metadata file to AWS.

1. To finish, choose **Add provider**.

Next, you create the IAM role that your federated users can assume.

**To create an IAM role for federated users**

1. In the IAM console navigation pane, choose **Roles**.

1. Choose **Create role**.

1. For **Trusted entity type**, choose **SAML 2.0 federation**.

1. For **SAML 2.0-based provider**, choose the **adfs-saml-provider** provider that you created.

1. Choose **Allow programmatic and AWS Management Console access**, and then choose **Next**.  
![\[Choosing SAML as the trusted entity type.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-2.png)

1. On the **Add permissions** page, filter for the IAM permissions policies that you require for this role, and then select the corresponding check boxes. This tutorial attaches the `AmazonAthenaFullAccess` and `AmazonS3FullAccess` policies.  
![\[Attaching the Athena full access policy to the role.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-3.png)  
![\[Attaching the Amazon S3 full access policy to the role.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-4.png)

1. Choose **Next**.

1. On the **Name, review, and create** page, for **Role name**, enter a name for the role. This tutorial uses the name **adfs-data-access**.

   In **Step 1: Select trusted entities**, the **Principal** field should be automatically populated with `"Federated": "arn:aws:iam::account_id:saml-provider/adfs-saml-provider"`. The `Condition` field should contain `"SAML:aud"` and `"https://signin.aws.amazon.com/saml"`.  
![\[Trusted entities JSON.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-5.png)

   **Step 2: Add permissions** shows the policies that you have attached to the role.  
![\[List of policies attached to the role.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-6.png)

1. Choose **Create role**. A banner message confirms creation of the role.

1. On the **Roles** page, choose the name of the role that you just created. The summary page for the role shows the policies that have been attached.  
![\[Summary page for the role.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-7.png)

## 2. Configuring AD FS
<a name="odbc-adfs-saml-configuring-ad-fs"></a>

Now you are ready to add AWS as a relying party and write SAML claim rules so that you can send the right user attributes to AWS for authorization.

SAML-based federation has two participant parties: the IdP (Active Directory) and the relying party (AWS), which is the service or application that uses authentication from the IdP.

To configure AD FS, you first add a relying party trust, then you configure SAML claim rules for the relying party. AD FS uses claim rules to form a SAML assertion that is sent to a relying party. The SAML assertion states that the information about the AD user is true, and that it has authenticated the user.

### Adding a relying party trust
<a name="odbc-adfs-saml-adding-a-relying-party-trust"></a>

To add a relying party trust in AD FS, you use the AD FS server manager.

**To add a relying party trust in AD FS**

1. Sign in to the AD FS server.

1. On the **Start** menu, open **Server Manager**.

1. Choose **Tools**, and then choose **AD FS Management**.  
![\[Choose Tools, AD FS Management.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-8.png)

1. In the navigation pane, under **Trust Relationships**, choose **Relying Party Trusts**.

1. Under **Actions**, choose **Add Relying Party Trust**.  
![\[Choose Add Relying Party Trust.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-9.png)

1. On the **Add Relying Party Trust Wizard** page, choose **Start**.  
![\[Choose Start.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-10.png)

1. On the **Select Data Source** screen, select the option **Import data about the relying party published online or on a local network**.

1. For **Federation metadata address (host name or URL)**, enter the URL **https://signin.aws.amazon.com/static/saml-metadata.xml**.

1. Choose **Next.**  
![\[Configuring the data source.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-11.png)

1. On the **Specify Display Name** page, for **Display name**, enter a display name for your relying party, and then choose **Next**.  
![\[Enter a display name for the relying party.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-12.png)

1. On the **Configure Multi-factor Authentication Now** page, this tutorial selects **I do not want to configure multi-factor authentication for this relying party trust at this time**.

   For increased security, we recommend that you configure multi-factor authentication to help protect your AWS resources. Because it uses a sample dataset, this tutorial doesn't enable multi-factor authentication.  
![\[Configuring multi-factor authentication.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-13.png)

1. Choose **Next**.

1. On the **Choose Issuance Authorization Rules** page, select **Permit all users to access this relying party**.

   This option allows all users in Active Directory to use AD FS with AWS as a relying party. You should consider your security requirements and adjust this configuration accordingly.  
![\[Configuring user access to the relying party.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-14.png)

1. Choose **Next**.

1. On the **Ready to Add Trust** page, choose **Next** to add the relying party trust to the AD FS configuration database.  
![\[Choose Next.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-15.png)

1. On the **Finish** page, choose **Close**.  
![\[Choose Close.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-16.png)

### Configuring SAML claim rules for the relying party
<a name="odbc-adfs-saml-configuring-saml-claim-rules-for-the-relying-party"></a>

In this task, you create two sets of claim rules.

The first set, rules 1–4, contains AD FS claim rules that are required to assume an IAM role based on AD group membership. These are the same rules that you create if you want to establish federated access to the [AWS Management Console](http://aws.amazon.com/console).

The second set, rules 5–6, are claim rules required for Athena access control.

**To create AD FS claim rules**

1. In the AD FS Management console navigation pane, choose **Trust Relationships**, **Relying Party Trusts**.

1. Find the relying party that you created in the previous section.

1. Right-click the relying party and choose **Edit Claim Rules**, or choose **Edit Claim Rules** from the **Actions** menu.  
![\[Choose Edit Claim Rules.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-17.png)

1. Choose **Add Rule.**

1. On the **Configure Rule** page of the Add Transform Claim Rule Wizard, enter the following information to create claim rule 1, and then choose **Finish**.
   + For **Claim Rule name**, enter **NameID**.
   + For **Rule template**, use **Transform an Incoming Claim**.
   + For **Incoming claim type**, choose **Windows account name**.
   + For **Outgoing claim type**, choose **Name ID**.
   + For **Outgoing name ID format**, choose **Persistent Identifier**.
   + Select **Pass through all claim values**.  
![\[Create the first claim rule.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-18.png)

1. Choose **Add Rule**, and then enter the following information to create claim rule 2, and then choose **Finish**.
   + For **Claim rule name**, enter **RoleSessionName**.
   + For **Rule template**, use **Send LDAP Attribute as Claims**.
   + For **Attribute store**, choose **Active Directory**.
   + For **Mapping of LDAP attributes to outgoing claim types**, add the attribute **E-Mail-Addresses**. For the **Outgoing Claim Type**, enter **https://aws.amazon.com/SAML/Attributes/RoleSessionName**.  
![\[Create the second claim rule.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-19.png)

1. Choose **Add Rule**, and then enter the following information to create claim rule 3, and then choose **Finish**.
   + For **Claim rule name**, enter **Get AD Groups**.
   + For **Rule template**, use **Send Claims Using a Custom Rule**.
   + For **Custom rule**, enter the following code:

     ```
     c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", 
      Issuer == "AD AUTHORITY"]=> add(store = "Active Directory", types = ("http://temp/variable"),  
      query = ";tokenGroups;{0}", param = c.Value);
     ```  
![\[Create the third claim rule.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-20.png)

1. Choose **Add Rule**. Enter the following information to create claim rule 4, and then choose **Finish**.
   + For **Claim rule name**, enter **Role**.
   + For **Rule template**, use **Send Claims Using a Custom Rule**.
   + For **Custom rule**, enter the following code with your account number and name of the SAML provider that you created earlier:

     ```
     c:[Type == "http://temp/variable", Value =~ "(?i)^aws-"]=> issue(Type = "https://aws.amazon.com/SAML/Attributes/Role",
     Value = RegExReplace(c.Value, "aws-", "arn:aws:iam::AWS_ACCOUNT_NUMBER:saml-provider/adfs-saml-provider,arn:aws:iam::AWS_ACCOUNT_NUMBER:role/"));
     ```  
![\[Create the fourth claim rule.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-21.png)
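The following Python is an added example, not AD FS code and not part of the AWS documentation. It simulates what claim rules 3 and 4 above produce for one user's AD group membership, and then checks each resulting Role claim against the trust policy that step 1 of this page generates for the `adfs-data-access` role (the `Federated` principal and the `SAML:aud` condition). The account number, group list and trust policy document are constructed; the replace-all behaviour of `RegExReplace` is an assumption about AD FS, and it is what makes a group name containing `aws-` twice worth catching before it reaches AWS.

```python
import re

# Constructed values. AD FS does not fill these in; the operator types the real
# 12-digit account id and provider name into claim rule 4.
ACCOUNT = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:saml-provider/adfs-saml-provider"
ROLE_CLAIM_TYPE = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Constructed tokenGroups lookup for one user, standing in for what rule 3
# stores under http://temp/variable.
SAMPLE_TOKEN_GROUPS = [
    "Domain Users",            # no aws- prefix: ignored by rule 4
    "aws-adfs-data-access",    # maps to the adfs-data-access role from this page
    "finance-aws-team",        # "aws-" not at the start: ignored by rule 4
    "aws-data-aws-x",          # second "aws-" is replaced too, yielding a bad claim
]

# Constructed trust policy mirroring what the IAM console generates in
# "Step 1: Select trusted entities" on this page.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
    }],
}

AWS_PREFIX = re.compile(r"(?i)^aws-")
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/([A-Za-z0-9+=.@_-]{1,64})$")


def issue_role_claims(token_groups, account=ACCOUNT):
    """Simulate claim rule 4 on the groups that claim rule 3 retrieved.

    Rule 4 selects values matching (?i)^aws- and issues a Role claim built by
    RegExReplace(value, "aws-", "<provider-arn>,<role-arn-prefix>"). The
    replacement is applied to every "aws-" occurrence, as .NET Regex.Replace
    does (assumption about AD FS behaviour).
    """
    replacement = (f"arn:aws:iam::{account}:saml-provider/adfs-saml-provider,"
                   f"arn:aws:iam::{account}:role/")
    return [(ROLE_CLAIM_TYPE, re.sub("aws-", replacement, group))
            for group in token_groups if AWS_PREFIX.match(group)]


def validate_role_claim(value, trust_policy):
    """Check one Role claim value against the target role's trust policy.

    Returns (ok, reason). The value must be "<provider-arn>,<role-arn>", the
    provider must be the Federated principal the role trusts, and the trust
    policy must pin SAML:aud to the AWS sign-in endpoint.
    """
    parts = value.split(",")
    if len(parts) != 2:
        return False, "claim must be '<provider-arn>,<role-arn>'"
    provider_arn, role_arn = parts
    if not ROLE_ARN.match(role_arn):
        return False, f"malformed role ARN: {role_arn}"
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithSAML":
            continue
        if stmt.get("Principal", {}).get("Federated") != provider_arn:
            continue
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            return False, "trust policy does not pin SAML:aud"
        return True, "ok"
    return False, f"provider {provider_arn} is not trusted by this role"


def audit_groups(token_groups, trust_policy):
    """Return {claim value: (ok, reason)} for every Role claim a user would get."""
    return {value: validate_role_claim(value, trust_policy)
            for _type, value in issue_role_claims(token_groups)}


if __name__ == "__main__":
    for value, (ok, reason) in audit_groups(SAMPLE_TOKEN_GROUPS, SAMPLE_TRUST_POLICY).items():
        print("OK  " if ok else "BAD ", value, "" if ok else f"({reason})")
```

The group-to-role mapping is the point: membership in `aws-adfs-data-access` becomes the claim `<provider-arn>,arn:aws:iam::<account>:role/adfs-data-access`, so whoever can add users to an `aws-` group in AD decides which IAM roles they can assume. The audit also fails a trust policy that drops the `SAML:aud` condition, since that condition is what ties the assertion to the AWS sign-in endpoint.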

## 3. Creating Active Directory users and groups
<a name="odbc-adfs-saml-creating-active-directory-users-and-groups"></a>

Now you are ready to create AD users that will access Athena, and AD groups to place them in so that you can control levels of access by group. After you create AD groups that categorize patterns of data access, you add your users to those groups.

**To create AD users for access to Athena**

1. On the Server Manager dashboard, choose **Tools**, and then choose **Active Directory Users and Computers**.  
![\[Choose Tools, Active Directory Users and Computers.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-22.png)

1. In the navigation pane, choose **Users**.

1. On the **Active Directory Users and Computers** tool bar, choose the **Create user** option.  
![\[Choose Create user.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-23.png)

1. In the **New Object – User** dialog box, for **First name**, **Last name**, and **Full name**, enter a name. This tutorial uses **Jane Doe**.  
![\[Enter a user name.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-24.png)

1. Choose **Next**.

1. For **Password**, enter a password, and then retype to confirm.

   For simplicity, this tutorial deselects **User must change password at next sign on**. In real-world scenarios, you should require newly created users to change their password.  
![\[Enter a password.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-25.png)

1. Choose **Next**.

1. Choose **Finish.**  
![\[Choose Finish.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-26.png)

1. In **Active Directory Users and Computers**, choose the user name.

1. In the **Properties** dialog box for the user, for **E-mail**, enter an email address. This tutorial uses **jane@example.com**.  
![\[Enter an email address.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-27.png)

1. Choose **OK**.

### Create AD groups to represent data access patterns
<a name="odbc-adfs-saml-create-ad-groups-to-represent-data-access-patterns"></a>

You can create AD groups whose members assume the `adfs-data-access` IAM role when they log in to AWS. The following example creates an AD group called aws-adfs-data-access.

**To create an AD group**

1. On the Server Manager Dashboard, from the **Tools** menu, choose **Active Directory Users and Computers.**

1. On the tool bar, choose the **Create new group** option.  
![\[Choose Create new group.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-28.png)

1. In the **New Object - Group** dialog box, enter the following information:
   + For **Group name**, enter **aws-adfs-data-access**.
   + For **Group scope**, select **Global**.
   + For **Group type**, select **Security**.  
![\[Creating a global security group in AD.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-29.png)

1. Choose **OK**.

### Add AD users to appropriate groups
<a name="odbc-adfs-saml-add-ad-users-to-appropriate-groups"></a>

Now that you have created both an AD user and an AD group, you can add the user to the group.

**To add an AD user to an AD group**

1. On the Server Manager Dashboard, on the **Tools** menu, choose **Active Directory Users and Computers**.

1. For **First name** and **Last name**, choose a user (for example, **Jane Doe**).

1. In the **Properties** dialog box for the user, on the **Member Of** tab, choose **Add**.  
![\[Choose Add.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-30.png)

1. Add one or more AD FS groups according to your requirements. This tutorial adds the **aws-adfs-data-access** group.

1. In the **Select Groups** dialog box, for **Enter the object names to select**, enter the name of the AD FS group that you created (for example, **aws-adfs-data-access**), and then choose **Check Names**.  
![\[Choose Check Names.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-31.png)

1. Choose **OK**.

   In the **Properties** dialog box for the user, the name of the AD group appears in the **Member of** list.  
![\[AD group added to user properties.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-32.png)

1. Choose **Apply**, then choose **OK**.

## 4. Configuring the AD FS ODBC connection to Athena
<a name="odbc-adfs-saml-configuring-the-ad-fs-odbc-connection-to-athena"></a>

After you have created your AD users and groups, you are ready to use the ODBC Data Sources program in Windows to configure your Athena ODBC connection for AD FS.

**To configure the AD FS ODBC connection to Athena**

1. Install the ODBC driver for Athena. For download links, see [Connect to Amazon Athena with ODBC](connect-with-odbc.md).

1. In Windows, choose **Start**, **ODBC Data Sources**.

1. In the **ODBC Data Source Administrator** program, choose **Add**.  
![\[Choose Add to add an ODBC data source.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-33.png)

1. In the **Create New Data Source** dialog box, choose **Simba Athena ODBC Driver**, and then choose **Finish**.  
![\[Choose Simba Athena ODBC Driver.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-34.png)

1. In the **Simba Athena ODBC Driver DSN Setup** dialog box, enter the following values:
   + For **Data Source Name,** enter a name for your data source (for example, **Athena-odbc-test**).
   + For **Description**, enter a description for your data source.
   + For **AWS Region**, enter the AWS Region that you are using (for example, **us-west-1**).
   + For **S3 Output Location**, enter the Amazon S3 path where you want your output to be stored.  
![\[Entering values for Simba Athena ODBC Driver DSN Setup.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-35.png)

1. Choose **Authentication Options**.

1. In the **Authentication Options** dialog box, specify the following values:
   + For **Authentication Type**, choose **ADFS**.
   + For **User,** enter the user's email address (for example, **jane@example.com**).
   + For **Password**, enter the user's ADFS password.
   + For **IdP Host**, enter the AD FS server name (for example, **adfs.example.com**).
   + For **IdP Port**, use the default value **443**.
   + Select the **SSL Insecure** option.  
![\[Configuring authentication options.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-adfs-saml-37.png)

1. Choose **OK** to close **Authentication Options**.

1. Choose **Test** to test the connection, or **OK** to finish.

# Configure SSO for ODBC using the Okta plugin and Okta Identity Provider
<a name="odbc-okta-plugin"></a>

This page describes how to configure the Amazon Athena ODBC driver and Okta plugin to add single sign-on (SSO) capability using the Okta identity provider.

## Prerequisites
<a name="odbc-okta-plugin-prerequisites"></a>

Completing the steps in this tutorial requires the following:
+ Amazon Athena ODBC driver. For download links, see [Connect to Amazon Athena with ODBC](connect-with-odbc.md).
+ An IAM Role that you want to use with SAML. For more information, see [Creating a role for SAML 2.0 federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html) in the *IAM User Guide*.
+ An Okta account. For information, visit [Okta.com](https://www.okta.com/).

## Creating an app integration in Okta
<a name="odbc-okta-plugin-creating-an-app-integration-in-okta"></a>

First, use the Okta dashboard to create and configure a SAML 2.0 app for single sign-on to Athena. You can use an existing Redshift application in Okta to configure access to Athena.

**To create an app integration in Okta**

1. Log in to the admin page for your account on [Okta.com](https://www.okta.com/).

1. In the navigation panel, choose **Applications**, **Applications.**

1. On the **Applications** page, choose **Browse App Catalog.**

1. On the **Browse App Integration Catalog** page, in the **Use Case** section, choose **All Integrations**.

1. In the search box, enter **Amazon Web Services Redshift**, and then choose **Amazon Web Services Redshift SAML**.

1. Choose **Add Integration**.  
![\[Choose Add integration.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-1.png)

1. In the **General Settings Required** section, for **Application label**, enter a name for the application. This tutorial uses the name **Athena-ODBC-Okta.**  
![\[Enter a name for the Okta application.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-2.png)

1. Choose **Done**.

1. On the page for your Okta application (for example, **Athena-ODBC-Okta**), choose **Sign On**.  
![\[Choose the Sign On tab.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-3.png)

1. In the **Settings** section, choose **Edit**.  
![\[Choose Edit.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-4.png)

1. In the **Advanced Sign-on Settings** section, configure the following values.
   + For **IdP ARN and Role ARN**, enter your AWS IDP ARN and Role ARN as comma-separated values. For information about the IAM role format, see [Configuring SAML assertions for the authentication response](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html) in the *IAM User Guide*.
   + For **Session Duration**, enter a value between 900 and 43200 seconds. This tutorial uses the default of 3600 (1 hour).  
![\[Enter advanced sign-on settings.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-5.png)

   The **DbUser Format**, **AutoCreate**, and **Allowed DBGroups** settings aren't used by Athena. You don't have to configure them.

1. Choose **Save**.

## Retrieve ODBC configuration information from Okta
<a name="odbc-okta-plugin-retrieve-odbc-configuration-information-from-okta"></a>

Now that you created the Okta application, you're ready to retrieve the application's ID and IdP host URL. You will require these later when you configure ODBC for connection to Athena.

**To retrieve configuration information for ODBC from Okta**

1. Choose the **General** tab of your Okta application, and then scroll down to the **App Embed Link** section.  
![\[The embed link URL of the Okta application.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-6.png)

   Your **Embed Link** URL is in the following format:

   ```
   https://trial-1234567.okta.com/home/amazon_aws_redshift/Abc1de2fghi3J45kL678/abc1defghij2klmNo3p4
   ```

1. From your **Embed Link** URL, extract and save the following pieces:
   + The first segment after `https://`, up to and including `okta.com` (for example, **trial-1234567.okta.com**). This is your IdP host.
   + The last two segments of the URL, including the forward slash in the middle. The segments are two 20-character strings with a mix of numbers and upper and lowercase letters (for example, **Abc1de2fghi3J45kL678/abc1defghij2klmNo3p4**). This is your application ID.
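As an added example (not code from Okta or from the AWS documentation), the following Python performs the extraction described in the step above: it takes an **Embed Link** URL and returns the IdP host and the two-segment application ID, refusing anything that does not have the expected shape so that a mistyped or truncated link is caught before it is typed into a DSN. The sample URL is constructed in the format shown on this page; the checks that the host ends in `okta.com` and that each segment is 20 alphanumeric characters follow the page's description and are assumptions about every real tenant.

```python
import re
from urllib.parse import urlsplit

# Constructed embed link in the format shown on this page (not a real tenant).
SAMPLE_EMBED_LINK = (
    "https://trial-1234567.okta.com/home/amazon_aws_redshift/"
    "Abc1de2fghi3J45kL678/abc1defghij2klmNo3p4"
)

# Each application ID segment is a 20-character alphanumeric string.
SEGMENT = re.compile(r"^[A-Za-z0-9]{20}$")


def extract_okta_odbc_settings(embed_link):
    """Return the IdP host and application ID the ODBC driver needs.

    The IdP host is the URL's host name (expected to end in okta.com); the
    application ID is the last two path segments joined by '/'. Raises
    ValueError for any link that does not fit that shape.
    """
    parts = urlsplit(embed_link)
    if parts.scheme != "https":
        raise ValueError("embed link must use https")
    host = (parts.hostname or "").lower()
    if not host.endswith(".okta.com"):
        raise ValueError(f"unexpected IdP host: {host!r}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2:
        raise ValueError("embed link path is too short for an application ID")
    app_segments = segments[-2:]
    for seg in app_segments:
        if not SEGMENT.match(seg):
            raise ValueError(f"unexpected application ID segment: {seg!r}")
    return {"idp_host": host, "app_id": "/".join(app_segments)}


def is_valid_embed_link(embed_link):
    """Boolean wrapper for quick checks in scripts and tests."""
    try:
        extract_okta_odbc_settings(embed_link)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    settings = extract_okta_odbc_settings(SAMPLE_EMBED_LINK)
    print("IdP Host:      ", settings["idp_host"])
    print("Application ID:", settings["app_id"])
```

The host check matters because the driver sends the user's Okta credentials to whatever **IdP Host** the DSN names; parsing the host out of the embed link, rather than retyping it, keeps the DSN pointed at the tenant the application actually lives in.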

## Add a user to the Okta application
<a name="odbc-okta-plugin-add-a-user-to-the-okta-application"></a>

Now you're ready to add a user to your Okta application.

**To add a user to the Okta application**

1. In the left navigation pane, choose **Directory**, and then choose **People**.

1. Choose **Add person**.  
![\[Choose Add person.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-7.png)

1. In the **Add Person** dialog box, enter the following information.
   + Enter values for **First name** and **Last name**. This tutorial uses **test user**.
   + Enter values for **Username** and **Primary email**. This tutorial uses **test@amazon.com** for both. Your security requirements for passwords might vary.  
![\[Enter user credentials.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-8.png)

1. Choose **Save**.

Now you're ready to assign the user that you created to your application.

**To assign the user to your application:**

1. In the navigation pane, choose **Applications**, **Applications**, and then choose the name of your application (for example, **Athena-ODBC-Okta**).

1. Choose **Assign,** and then choose **Assign to People**.  
![\[Choose Assign to People.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-9.png)

1. Choose the **Assign** option for your user, and then choose **Done**.  
![\[Choose Assign, and then choose Done.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-10.png)

1. At the prompt, choose **Save and Go Back**. The dialog box shows the user's status as **Assigned**.

1. Choose **Done**.

1. Choose the **Sign On** tab.

1. Scroll down to the **SAML Signing Certificates** section.

1. Choose **Actions**.

1. Open the context (right-click) menu for **View IdP metadata**, and then choose the browser option to save the file.

1. Save the file with an `.xml` extension.  
![\[Saving IdP metadata to a local XML file.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-11.png)

## Create an AWS SAML Identity Provider and Role
<a name="odbc-okta-plugin-create-an-aws-saml-identity-provider-and-role"></a>

Now you are ready to upload the metadata XML file to the IAM console in AWS. You will use this file to create an AWS SAML identity provider and role. Use an AWS Services administrator account to perform these steps.

**To create a SAML identity provider and role in AWS**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/IAM/](https://console.aws.amazon.com/IAM/).

1. In the navigation pane, choose **Identity providers**, and then choose **Add provider**.  
![\[Choose Add provider.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-12.png)

1. On the **Add an Identity provider** page, for **Configure provider**, enter the following information.
   + For **Provider type**, choose **SAML**.
   + For **Provider name**, enter a name for your provider (for example, **AthenaODBCOkta**).
   + For **Metadata document**, use the **Choose file** option to upload the identity provider (IdP) metadata XML file that you downloaded.  
![\[Enter information for the identity provider.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-13.png)

1. Choose **Add provider**.

### Creating an IAM role for Athena and Amazon S3 access
<a name="odbc-okta-plugin-creating-an-iam-role-for-athena-and-amazon-s3-access"></a>

Now you are ready to create an IAM role for Athena and Amazon S3 access. You will assign this role to your user. That way, you can provide the user with single sign-on access to Athena.

**To create an IAM role for your user**

1. In the IAM console navigation pane, choose **Roles**, and then choose **Create role**.  
![\[Choose Create role.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-14.png)

1. On the **Create role** page, choose the following options:
   + For **Select type of trusted entity**, choose **SAML 2.0 Federation.**
   + For **SAML 2.0–based provider**, choose the SAML identity provider that you created (for example, **AthenaODBCOkta**).
   + Select **Allow programmatic and AWS Management Console access**.  
![\[Choose options on the Create role page.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-15.png)

1. Choose **Next**.

1. On the **Add Permissions** page, for **Filter policies**, enter **AthenaFull**, and then press ENTER.

1. Select the `AmazonAthenaFullAccess` managed policy, and then choose **Next**.  
![\[Choose the AmazonAthenaFullAccess managed policy.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-16.png)

1. On the **Name, review, and create** page, for **Role name**, enter a name for the role (for example, **Athena-ODBC-OktaRole**), and then choose **Create role**.

## Configuring the Okta ODBC connection to Athena
<a name="odbc-okta-plugin-configuring-the-okta-odbc-connection-to-athena"></a>

Now you're ready to configure the Okta ODBC connection to Athena using the ODBC Data Sources program in Windows.

**To configure your Okta ODBC connection to Athena**

1. In Windows, launch the **ODBC Data Sources** program.

1. In the **ODBC Data Source Administrator** program, choose **Add**.  
![\[Choose Add.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-17.png)

1. Choose **Simba Athena ODBC Driver**, and then choose **Finish**.  
![\[Choose the Athena ODBC driver.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-18.png)

1. In the **Simba Athena ODBC Driver DSN Setup** dialog, enter the values described.
   + For **Data Source Name**, enter a name for your data source (for example, **Athena ODBC 64**).
   + For **Description**, enter a description for your data source.
   + For **AWS Region**, enter the AWS Region that you're using (for example, **us-west-1**).
   + For **S3 Output Location**, enter the Amazon S3 path where you want your output to be stored.  
![\[Enter values for the data source name setup.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-19.png)

1. Choose **Authentication Options**.

1. In the **Authentication Options** dialog box, choose or enter the following values.
   + For **Authentication Type**, choose **Okta**.
   + For **User**, enter your Okta user name.
   + For **Password**, enter your Okta password.
   + For **IdP Host**, enter the value that you recorded earlier (for example, **trial-1234567.okta.com**).
   + For **IdP Port**, enter **443**.
   + For **App ID**, enter the value that you recorded earlier (the last two segments of your Okta embed link).
   + For **Okta App Name**, enter **amazon\_aws\_redshift**.  
![\[Enter the authentication options.\]](http://docs.aws.amazon.com/athena/latest/ug/images/odbc-okta-plugin-20.png)

1. Choose **OK**.

1. Choose **Test** to test the connection or **OK** to finish.

# Configure single sign-on using ODBC, SAML 2.0, and the Okta Identity Provider
<a name="okta-saml-sso"></a>

To connect to data sources, you can use Amazon Athena with identity providers (IdPs) like PingOne, Okta, OneLogin, and others. Starting with Athena ODBC driver version 1.1.13 and Athena JDBC driver version 2.0.25, a browser SAML plugin is included that you can configure to work with any SAML 2.0 provider. This topic shows you how to configure the Amazon Athena ODBC driver and the browser-based SAML plugin to add single sign-on (SSO) capability using the Okta identity provider.

## Prerequisites
<a name="okta-saml-sso-prerequisites"></a>

Completing the steps in this tutorial requires the following:
+ Athena ODBC driver version 1.1.13 or later. Versions 1.1.13 and later include browser SAML support. For download links, see [Connecting to Amazon Athena with ODBC](https://docs.aws.amazon.com/athena/latest/ug/connect-with-odbc.html).
+ An IAM Role that you want to use with SAML. For more information, see [Creating a role for SAML 2.0 federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html) in the *IAM User Guide*.
+ An Okta account. For information, visit [okta.com](https://www.okta.com/).

## Creating an app integration in Okta
<a name="okta-saml-sso-creating-an-app-integration-in-okta"></a>

First, use the Okta dashboard to create and configure a SAML 2.0 app for single sign-on to Athena.

**To use the Okta dashboard to set up single sign-on for Athena**

1. Log in to the Okta admin page on `okta.com`.

1. In the navigation pane, choose **Applications**, **Applications**.

1. On the **Applications** page, choose **Create App Integration**.  
![\[Choose Create App Integration.\]](http://docs.aws.amazon.com/athena/latest/ug/images/okta-saml-sso-1.png)

1. In the **Create a new app integration** dialog box, for **Sign-in method**, select **SAML 2.0**, and then choose **Next**.  
![\[Choose SAML 2.0\]](http://docs.aws.amazon.com/athena/latest/ug/images/okta-saml-sso-2.png)

1. On the **Create SAML Integration** page, in the **General Settings** section, enter a name for the application. This tutorial uses the name **Athena SSO**.  
![\[Enter a name for the Okta application.\]](http://docs.aws.amazon.com/athena/latest/ug/images/okta-saml-sso-3.png)

1. Choose **Next**.

1. On the **Configure SAML** page, in the **SAML Settings** section, enter the following values:
   + For **Single sign on URL**, enter **http://localhost:7890/athena**
   + For **Audience URI**, enter **urn:amazon:webservices**  
![\[Enter SAML settings.\]](http://docs.aws.amazon.com/athena/latest/ug/images/okta-saml-sso-4.png)

1. For **Attribute Statements (optional)**, enter the following two name/value pairs. These are required mapping attributes.
   + For **Name**, enter the following URL:

     **https://aws.amazon.com/SAML/Attributes/Role**

     For **Value**, enter the name of your IAM role. For information about the IAM role format, see [Configuring SAML assertions for the authentication response](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html) in the *IAM User Guide*.
   + For **Name**, enter the following URL:

     **https://aws.amazon.com/SAML/Attributes/RoleSessionName**

     For **Value**, enter **user.email**.  
![\[Enter SAML attributes for Athena.\]](http://docs.aws.amazon.com/athena/latest/ug/images/okta-saml-sso-5.png)

1. Choose **Next**, and then choose **Finish**. 

   When Okta creates the application, it also creates your login URL, which you will retrieve next.
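   The following added example in Python is not AWS, Okta or Simba code: it parses a constructed, unsigned SAML response of the kind the IdP posts to the plugin listener at the **Single sign on URL**, checks the Destination, Audience, Role and RoleSessionName values configured in the steps above, and then checks that the provider ARN carried in the Role attribute is the one trusted by the SAML 2.0 federation role created in the IAM console section. The account ID `123456789012`, the role and provider names, and the trust policy are placeholders; signature validation is deliberately out of scope.

```python
import re
import xml.etree.ElementTree as ET

ACS_URL = "http://localhost:7890/athena"    # Okta "Single sign on URL" = plugin listener
AUDIENCE = "urn:amazon:webservices"          # Okta "Audience URI"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@-]{1,64}$")
PROVIDER_RE = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w._-]{1,128}$")

# Constructed, unsigned sample of what the IdP posts to the listener; account ID and names are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="http://localhost:7890/athena">
 <saml:Assertion><saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"><saml:AttributeValue>arn:aws:iam::123456789012:role/Athena-ODBC-OktaRole,arn:aws:iam::123456789012:saml-provider/AthenaODBCOkta</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"><saml:AttributeValue>analyst@example.com</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

# Constructed trust policy in the shape the IAM console writes for a SAML 2.0 federation role.
SAMPLE_TRUST_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
    "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/AthenaODBCOkta"},
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}}]}

def parse_saml_response(xml_text):
    """Return the role, provider and session name the plugin needs, or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not the plugin listener URL")
    if root.findtext(".//saml:Audience", namespaces=NS) != AUDIENCE:
        raise ValueError("Audience is not urn:amazon:webservices")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:Attribute", NS)}
    # Role value is "<role ARN>,<provider ARN>"; role names may contain commas, so split at the last one.
    role_arn, _, provider_arn = (attrs.get(ROLE_ATTR) or "").rpartition(",")
    if not (ROLE_RE.match(role_arn) and PROVIDER_RE.match(provider_arn)):
        raise ValueError("Role attribute is not '<role ARN>,<provider ARN>'")
    session = attrs.get(SESSION_ATTR) or ""
    if not re.match(r"^[\w+=,.@-]{2,64}$", session):
        raise ValueError("RoleSessionName is missing or malformed")
    return {"role_arn": role_arn, "provider_arn": provider_arn, "session_name": session}

def role_trusts_provider(trust_policy, provider_arn):
    """True when an Allow statement lets provider_arn call sts:AssumeRoleWithSAML."""
    return any(st.get("Effect") == "Allow"
               and "sts:AssumeRoleWithSAML" in ([st["Action"]] if isinstance(st.get("Action"), str) else st.get("Action", []))
               and st.get("Principal", {}).get("Federated") == provider_arn
               for st in trust_policy.get("Statement", []))
```

A mismatch in Destination, Audience or the Role pair is exactly what produces an opaque connection failure in the driver, so checking the IdP output against the role's trust policy before testing the DSN narrows the search.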

## Getting the login URL from the Okta dashboard
<a name="okta-saml-sso-getting-the-login-url-from-the-okta-dashboard"></a>

Now that your application has been created, you can obtain its login URL and other metadata from the Okta dashboard.

**To get the login URL from the Okta dashboard**

1. In the Okta navigation pane, choose **Applications**, **Applications**.

1. Choose the application for which you want to find the login URL (for example, **AthenaSSO**).

1. On the page for your application, choose **Sign On**.  
![\[Choose Sign On.\]](http://docs.aws.amazon.com/athena/latest/ug/images/okta-saml-sso-6.png)

1. Choose **View Setup Instructions**.  
![\[Choose View Setup Instructions.\]](http://docs.aws.amazon.com/athena/latest/ug/images/okta-saml-sso-7.png)

1. On the **How to Configure SAML 2.0 for Athena SSO** page, find the URL for **Identity Provider Issuer**. Some places in the Okta dashboard refer to this URL as the **SAML issuer ID**.  
![\[The value for Identity Provider Issuer.\]](http://docs.aws.amazon.com/athena/latest/ug/images/okta-saml-sso-8.png)

1. Copy or store the value for **Identity Provider Single Sign-On URL**. 

   In the next section, when you configure the ODBC connection, you will provide this value as the **Login URL** connection parameter for the browser SAML plugin.

## Configuring the browser SAML ODBC connection to Athena
<a name="okta-saml-sso-configuring-the-browser-saml-odbc-connection-to-athena"></a>

Now you are ready to configure the browser SAML connection to Athena using the ODBC Data Sources program in Windows.

**To configure the browser SAML ODBC connection to Athena**

1. In Windows, launch the **ODBC Data Sources** program.

1. In the **ODBC Data Source Administrator** program, choose **Add**.  
![\[Choose Add.\]](http://docs.aws.amazon.com/athena/latest/ug/images/okta-saml-sso-9.png)

1. Choose **Simba Athena ODBC Driver**, and then choose **Finish**.  
![\[Choose Simba Athena Driver\]](http://docs.aws.amazon.com/athena/latest/ug/images/okta-saml-sso-10.png)

1. In the **Simba Athena ODBC Driver DSN Setup** dialog, enter the values described.  
![\[Enter the DSN setup values.\]](http://docs.aws.amazon.com/athena/latest/ug/images/okta-saml-sso-11.png)
   + For **Data Source Name**, enter a name for your data source (for example, **Athena ODBC 64**).
   + For **Description**, enter a description for your data source.
   + For **AWS Region**, enter the AWS Region that you are using (for example, **us-west-1**).
   + For **S3 Output Location**, enter the Amazon S3 path where you want your output to be stored.

1. Choose **Authentication Options**.

1. In the **Authentication Options** dialog box, choose or enter the following values.  
![\[Enter authentication options.\]](http://docs.aws.amazon.com/athena/latest/ug/images/okta-saml-sso-12.png)
   + For **Authentication Type**, choose **BrowserSAML**.
   + For **Login URL**, enter the **Identity Provider Single Sign-On URL** that you obtained from the Okta dashboard.
   + For **Listen Port**, enter **7890**.
   + For **Timeout (sec)**, enter a connection timeout value in seconds.

1. Choose **OK** to close **Authentication Options**.

1. Choose **Test** to test the connection, or **OK** to finish.