# Okta credentials
A SAML-based authentication mechanism that enables authentication to Athena using the Okta identity provider. This method assumes that a federation has already been set up between Athena and Okta.
## Credentials provider
The credentials provider that will be used to authenticate requests to AWS. Set the value of this parameter to `Okta`.
****
| Parameter name | Alias | Parameter type | Default value | Value to use |
| --- | --- | --- | --- | --- |
| CredentialsProvider | AWSCredentialsProviderClass (deprecated) | Required | none | Okta |
## User
The email address of the Okta user to use for authentication with Okta.
****
| Parameter name | Alias | Parameter type | Default value |
| --- | --- | --- | --- |
| User | UID (deprecated) | Required | none |
## Password
The password for the Okta user.
****
| Parameter name | Alias | Parameter type | Default value |
| --- | --- | --- | --- |
| Password | PWD (deprecated) | Required | none |
## Okta host name
The URL for your Okta organization. You can extract the `idp_host` parameter from the **Embed Link** URL in your Okta application. For steps, see [Retrieve ODBC configuration information from Okta](odbc-okta-plugin.md#odbc-okta-plugin-retrieve-odbc-configuration-information-from-okta). The first segment after `https://`, up to and including `okta.com`, is your IdP host (for example, `trial-1234567.okta.com` for a URL that starts with `https://trial-1234567.okta.com`).
****
| Parameter name | Alias | Parameter type | Default value |
| --- | --- | --- | --- |
| OktaHostName | IdP\$1Host (deprecated) | Required | none |
## Okta application ID
The two-part identifier for your application. You can extract the application ID from the **Embed Link** URL in your Okta application. For steps, see [Retrieve ODBC configuration information from Okta](odbc-okta-plugin.md#odbc-okta-plugin-retrieve-odbc-configuration-information-from-okta). The application ID is the last two segments of the URL, including the forward slash in the middle. The segments are two 20-character strings with a mix of numbers and upper and lowercase letters (for example, `Abc1de2fghi3J45kL678/abc1defghij2klmNo3p4`).
****
| Parameter name | Alias | Parameter type | Default value |
| --- | --- | --- | --- |
| OktaAppId | App\$1ID (deprecated) | Required | none |
## Okta application name
The name of your Okta application.
****
| Parameter name | Alias | Parameter type | Default value |
| --- | --- | --- | --- |
| OktaAppName | App\$1Name (deprecated) | Required | none |
## Okta MFA type
If you have set up Okta to require multi-factor authentication (MFA), you need to specify the Okta MFA type and additional parameters depending on the second factor that you want to use.
Okta MFA type is the second authentication factor type (after the password) to use to authenticate with Okta. Supported second factors include push notifications delivered through the Okta Verify app and temporary one-time passwords (TOTPs) generated by Okta Verify, Google Authenticator, or sent through SMS. Individual organization security policies determine whether or not MFA is required for user login.
****
| Parameter name | Alias | Parameter type | Default value | Possible values |
| --- | --- | --- | --- | --- |
| OktaMfaType | okta\$1mfa\$1type (deprecated) | Required, if Okta is set up to require MFA | none | oktaverifywithpush, oktaverifywithtotp, googleauthenticator, smsauthentication |
## Okta phone number
The phone number to which Okta will send a temporary one-time password using SMS when the `smsauthentication` MFA type is chosen. The phone number must be a US or Canadian phone number.
****
| Parameter name | Alias | Parameter type | Default value |
| --- | --- | --- | --- |
| OktaPhoneNumber | okta\$1phone\$1number (deprecated) | Required, if OktaMfaType is smsauthentication | none |
## Okta MFA wait time
The duration, in seconds, to wait for the user to acknowledge a push notification from Okta before the driver throws a timeout exception.
****
| Parameter name | Alias | Parameter type | Default value |
| --- | --- | --- | --- |
| OktaMfaWaitTime | okta\$1mfa\$1wait\$1time (deprecated) | Optional | 60 |
## Preferred role
The Amazon Resource Name (ARN) of the role to assume. For information about ARN roles, see [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) in the *AWS Security Token Service API Reference*.
****
| Parameter name | Alias | Parameter type | Default value |
| --- | --- | --- | --- |
| PreferredRole | preferred\$1role (deprecated) | Optional | none |
## Role session duration
The duration, in seconds, of the role session. For more information, see [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) in the *AWS Security Token Service API Reference*.
****
| Parameter name | Alias | Parameter type | Default value |
| --- | --- | --- | --- |
| RoleSessionDuration | Duration (deprecated) | Optional | 3600 |
## Lake Formation enabled
Specifies whether to use the [AssumeDecoratedRoleWithSAML](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_AssumeDecoratedRoleWithSAML.html) Lake Formation API action to retrieve temporary IAM credentials instead of the [AssumeRoleWithSAML](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html) AWS STS API action.
****
| Parameter name | Alias | Parameter type | Default value |
| --- | --- | --- | --- |
| LakeFormationEnabled | none | Optional | FALSE |