Browser SSO OIDC credentials
Browser SSO OIDC is an authentication plugin that works with AWS IAM Identity Center. The plugin performs dynamic client registration with SSO OIDC, opens your default browser to the SSO authorization URL, receives the authorization code through a local callback server, exchanges it for an SSO access token, and uses that token to obtain temporary AWS credentials. The plugin uses the Authorization Code with PKCE flow.
For information on enabling and using IAM Identity Center, see Step 1: Enable IAM Identity Center in the AWS IAM Identity Center User Guide.
Note
This plugin is designed for single-user desktop environments. In shared environments like Windows Terminal Servers or Remote Desktop Services, system administrators are responsible for establishing and maintaining security boundaries between users.
Credentials provider
The credentials provider that will be used to authenticate requests to AWS. Set
the value of this parameter to BrowserSSOOIDC.
| Parameter name | Alias | Parameter type | Default value | Value to use |
|---|---|---|---|---|
| CredentialsProvider | AWSCredentialsProviderClass (deprecated) | Required | none | BrowserSSOOIDC |
IAM Identity Center start URL
The URL for the AWS access portal. The IAM Identity Center RegisterClient API action uses this value for the
issuerUrl parameter.
| Parameter name | Alias | Parameter type | Default value |
|---|---|---|---|
| SsoStartUrl | sso_oidc_start_url | Required | none |
IAM Identity Center region
The AWS Region where IAM Identity Center is configured. The SSOOIDCClient and
SSOClient use this value for the region parameter.
| Parameter name | Alias | Parameter type | Default value |
|---|---|---|---|
| SsoOidcRegion | sso_oidc_region | Required | none |
Account ID
The identifier for the AWS account that is assigned to the user. The IAM Identity Center GetRoleCredentials API action uses this value for the
accountId parameter.
| Parameter name | Alias | Parameter type | Default value |
|---|---|---|---|
| SsoOidcAccountId | sso_oidc_account_id | Required | none |
Role name
The friendly name of the role that is assigned to the user. The name that you specify
for this permission set appears in the AWS access portal as an available role. The
IAM Identity Center GetRoleCredentials API action uses this value for the
roleName parameter.
| Parameter name | Alias | Parameter type | Default value |
|---|---|---|---|
| SsoOidcRoleName | sso_oidc_role_name | Required | none |
Listen port
The local port number to use for the OAuth 2.0 callback server. This is used as
the redirect URI. You may need to allowlist this port on your network. The default
generated redirect URI is http://127.0.0.1:7890/oauth/callback.
Warning
In shared environments like Windows Terminal Servers or Remote Desktop Services, the loopback port (default: 7890) is shared among all users on the same machine. System administrators can mitigate potential port hijacking risks by:
- Configuring different port numbers for different user groups
- Using Windows security policies to restrict port access
- Implementing network isolation between user sessions
| Parameter name | Alias | Parameter type | Default value |
|---|---|---|---|
| ListenPort | listen_port | Optional | 7890 |
Identity provider response timeout
The duration, in seconds, before the driver stops waiting for the SSO authorization response. The minimum value is 60 seconds.
| Parameter name | Alias | Parameter type | Default value |
|---|---|---|---|
| IdpResponseTimeout | idp_response_timeout | Optional | 120 |
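The loopback callback half of the Authorization Code with PKCE flow described above, written here as an added illustration (not the driver's own code): it derives an RFC 7636 verifier/challenge pair, builds the authorization request with the documented redirect URI shape, binds the callback server to 127.0.0.1 on the configured listen port, enforces the identity provider response timeout, and rejects any callback whose `state` does not match the one it issued. `AUTHORIZE_URL` and `client_id` are placeholders, not IAM Identity Center endpoints from this page.

```python
import base64
import hashlib
import secrets
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

DEFAULT_LISTEN_PORT = 7890  # ListenPort default from the table above
DEFAULT_IDP_TIMEOUT = 120   # IdpResponseTimeout default (minimum 60)
AUTHORIZE_URL = "https://issuer.example/authorize"  # placeholder endpoint (assumption)

def redirect_uri(port=DEFAULT_LISTEN_PORT):
    # Same shape as the documented default: http://127.0.0.1:7890/oauth/callback
    return f"http://127.0.0.1:{port}/oauth/callback"

def make_pkce_pair():
    """RFC 7636 S256: random verifier, challenge = BASE64URL(SHA256(verifier))."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorize_url(client_id, challenge, state, port=DEFAULT_LISTEN_PORT):
    # state ties the callback to this request; the challenge ties the code to our verifier
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri(port), "code_challenge": challenge,
              "code_challenge_method": "S256", "state": state}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)

def parse_callback(path, expected_state):
    """Return the authorization code, or None when state is missing or mismatched."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query)
    if query.get("state", [""])[0] != expected_state:
        return None  # not a response to our request: ignore it
    return query.get("code", [None])[0]

def wait_for_code(expected_state, port=DEFAULT_LISTEN_PORT, timeout=DEFAULT_IDP_TIMEOUT):
    """Serve exactly one loopback callback; None on timeout or state mismatch."""
    result = {"code": None}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            result["code"] = parse_callback(self.path, expected_state)
            self.send_response(200 if result["code"] else 400)
            self.end_headers()
        def log_message(self, *args):  # keep the code out of console logs
            pass

    server = HTTPServer(("127.0.0.1", port), Handler)  # loopback only, never 0.0.0.0
    server.timeout = timeout
    server.handle_request()  # one request, or returns after `timeout` seconds
    server.server_close()
    return result["code"]
```

A caller generates `state = secrets.token_urlsafe(32)`, opens `build_authorize_url(...)` in the browser, then calls `wait_for_code(state)` and exchanges the returned code together with the verifier.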
Enable token caching
When enabled, allows the same SSO access token to be used across driver connections. This prevents SQL tools that create multiple driver connections from launching multiple browser windows.
| Parameter name | Alias | Parameter type | Default value |
|---|---|---|---|
| EnableTokenCaching | none | Optional | FALSE |