Expand Up @@ -14,29 +14,33 @@ When a user wants access to a resource, it authenticates with the IdP. From this

1. Follow steps in [Enable AWS IAM Database Authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Enabling.html) to setup IAM authentication.
2. Configure Okta as the AWS identity provider following [Okta's official documentation](https://help.okta.com/en-us/content/topics/deploymentguides/aws/aws-deployment.htm)
3. (Optional) Enable MFA. MFA through Okta Verify is supported for the Push and OTP methods. Please ensure the authentication policies and/or global session policies have been configured to use MFA.

### Connection String / DSN Configuration for Okta Authentication Plugin Support

| Field | Connection Option Key | Value | Default Value | Sample Value |
|-----------------------|------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------|--------------------------------------------------------|
| Authentication Type | `RDS_AUTH_TYPE` | Must be `OKTA`. | `database` | `OKTA` |
| Server | `SERVER` | Database instance server host. | nil | `database.us-east-1-rds.amazon.com` |
| Port | `PORT` | Port that the database is listening on. | nil | 5432 |
| User Name | `UID` | Database user name for IAM authentication. | nil | `iam_user` |
| IAM Host | `IAM_HOST` | The endpoint used to generate the authentication token. This is only required if you are connecting using custom endpoints such as an IP address. | nil | `database.us-east-1-rds.amazon.com` |
| Region | `REGION` | The region of the database for IAM authentication. | `us-east-1` | `us-east-1` |
| Database | `DATABASE` | Default database that a user will work on. | nil | `my_database` |
| Token Expiration | `TOKEN_EXPIRATION` | Token expiration in seconds, supported max value is 900. | 900 | 900 |
| IdP Endpoint | `IDP_ENDPOINT` | The ADFS host that is used to authenticate with. | nil | `my-adfs-host.com` |
| IdP Port | `IDP_PORT` | The ADFS host port. | 443 | 443 |
| IdP User Name | `IDP_USERNAME` | The user name for the IdP Endpoint server. | nil | `[email protected]` |
| IdP Password | `IDP_PASSWORD` | The IdP user's password. | nil | `my_password_123` |
| Role ARN | `IDP_ROLE_ARN` | The ARN of the IAM Role that is to be assumed for database access. | nil | `arn:aws:iam::123412341234:role/ADFS-SAML-Assume` |
| IdP SAML Provider ARN | `IDP_SAML_ARN` | The ARN of the Identity Provider. | nil | `arn:aws:iam::123412341234:saml-provider/ADFS-AWS-IAM` |
| HTTP Socket Timeout | `HTTP_SOCKET_TIMEOUT` | The socket timeout value in milliseconds for the HttpClient reading. | 3000 | 3000 |
| HTTP Connect Timeout | `HTTP_CONNECT_TIMEOUT` | The connect timeout value in milliseconds for the HttpClient. | 5000 | 5000 |
| App ID | `APP_ID` | The application ID for AWS configured on. | nil | `my-app-id` |
| Extra URL Encode | `EXTRA_URL_ENCODE` | Generated tokens can have URL encoding prefix duplication for scenarios where underlying drivers automatically decode the URL before passing to the database for connections. | `0` | `1` |
| Field | Connection Option Key | Value | Default Value | Sample Value |
|-----------------------|------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|--------------------------------------------------------|
| Authentication Type | `RDS_AUTH_TYPE` | Must be `OKTA`. | `database` | `OKTA` |
| Server | `SERVER` | Database instance server host. | nil | `database.us-east-1-rds.amazon.com` |
| Port | `PORT` | Port that the database is listening on. | nil | `5432` |
| User Name | `UID` | Database user name for IAM authentication. | nil | `iam_user` |
| IAM Host | `IAM_HOST` | The endpoint used to generate the authentication token. This is only required if you are connecting using custom endpoints such as an IP address. | nil | `database.us-east-1-rds.amazon.com` |
| Region | `REGION` | The region of the database for IAM authentication. | `us-east-1` | `us-east-1` |
| Database | `DATABASE` | Default database that a user will work on. | nil | `my_database` |
| Token Expiration | `TOKEN_EXPIRATION` | Token expiration in seconds, supported max value is 900. | `900` | `900` |
| IdP Endpoint | `IDP_ENDPOINT` | The ADFS host that is used to authenticate with. | nil | `my-adfs-host.com` |
| IdP Port | `IDP_PORT` | The ADFS host port. | `443` | `443` |
| IdP User Name | `IDP_USERNAME` | The user name for the IdP Endpoint server. | nil | `[email protected]` |
| IdP Password | `IDP_PASSWORD` | The IdP user's password. | nil | `my_password_123` |
| Role ARN | `IDP_ROLE_ARN` | The ARN of the IAM Role that is to be assumed for database access. | nil | `arn:aws:iam::123412341234:role/ADFS-SAML-Assume` |
| IdP SAML Provider ARN | `IDP_SAML_ARN` | The ARN of the Identity Provider. | nil | `arn:aws:iam::123412341234:saml-provider/ADFS-AWS-IAM` |
| HTTP Socket Timeout | `HTTP_SOCKET_TIMEOUT` | The socket timeout value in milliseconds for the HttpClient reading. | `3000` | `3000` |
| HTTP Connect Timeout | `HTTP_CONNECT_TIMEOUT` | The connect timeout value in milliseconds for the HttpClient. | `5000` | `5000` |
| App ID | `APP_ID` | The application ID for AWS configured on. | nil | `my-app-id` |
| Extra URL Encode | `EXTRA_URL_ENCODE` | Generated tokens can have URL encoding prefix duplication for scenarios where underlying drivers automatically decode the URL before passing to the database for connections. | `0` | `1` |
| MFA Type | `MFA_TYPE` | The MFA type the user specifies. The available options are: `TOTP`, `PUSH`. **Note**: the `TOTP` type requires a web browser to be used. | nil | `TOTP` |
| MFA Port | `MFA_PORT` | The port used to connect to `127.0.0.1` to provide the one time code when using TOTP as the MFA Type. | `8080` | `8000` |
| MFA Timeout | `MFA_TIMEOUT` | The time in seconds to complete the MFA challenge before the connection fails. | `60` | `30` |

> [!WARNING]\
> Using IAM Authentication, connections to the database must have SSL enabled. Please refer to the underlying driver's specifications to enable this.
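Review bot: The MFA terminology in this hunk is inconsistent: step 3 says Okta Verify is supported for the "Push and OTP methods", while the new `MFA_TYPE` row accepts `TOTP` and `PUSH`; pick one term so a reader can map the Okta policy to the option value. The `IdP Endpoint` and `IdP Port` rows still read "The ADFS host that is used to authenticate with" / "The ADFS host port", and the `IDP_ROLE_ARN` / `IDP_SAML_ARN` samples are `ADFS-SAML-Assume` and `ADFS-AWS-IAM`, which looks copied from the ADFS table rather than describing Okta. The `MFA_PORT` row should say that the listener is bound to loopback only (the row mentions connecting to `127.0.0.1` but not what interface the driver listens on) and what the driver does when the default `8080` is already in use, since that is the failure a user will hit first. Minor: "The application ID for AWS configured on." in the `APP_ID` row is not a sentence; "The ID of the Okta application configured for AWS" or similar would be clearer.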
18 changes: 18 additions & 0 deletions driver/CMakeLists.txt
Expand Up @@ -74,6 +74,17 @@ set(INC
${CMAKE_CURRENT_SOURCE_DIR}/host_info.h
${CMAKE_CURRENT_SOURCE_DIR}/odbcapi.h
${CMAKE_CURRENT_SOURCE_DIR}/odbcapi_rds_helper.h

# Webserver
${CMAKE_CURRENT_SOURCE_DIR}/plugin/federated/http/AddrInformation.h
${CMAKE_CURRENT_SOURCE_DIR}/plugin/federated/http/HtmlResponse.h
${CMAKE_CURRENT_SOURCE_DIR}/plugin/federated/http/Parser.h
${CMAKE_CURRENT_SOURCE_DIR}/plugin/federated/http/Selector.h
${CMAKE_CURRENT_SOURCE_DIR}/plugin/federated/http/Socket.h
${CMAKE_CURRENT_SOURCE_DIR}/plugin/federated/http/SocketStream.h
${CMAKE_CURRENT_SOURCE_DIR}/plugin/federated/http/SocketSupport.h
${CMAKE_CURRENT_SOURCE_DIR}/plugin/federated/http/WEBServer.h
${CMAKE_CURRENT_SOURCE_DIR}/plugin/federated/http/WEBServer_utils.h
)

set(SRC
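Review bot: The added `# Webserver` block brings a hand-rolled HTTP stack (`Parser.h`, `Socket.h`, `SocketStream.h`, `Selector.h`, `WEBServer.h`) into the driver's include list with no indication of where it comes from; if these files are vendored from another project, record their origin and license in the commit or a NOTICE entry, and if they are new, the PR description should say why an in-process listener is required (presumably to receive the TOTP code for `MFA_TYPE=TOTP`) and on which platforms the socket layer has been built. Naming is also inconsistent within the block (`WEBServer.h`, `WEBServer_utils.h` versus `Socket.h`, `Parser.h`); consider `WebServer.h` / `WebServerUtils.h` to match the rest of the list.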
Expand Down Expand Up @@ -116,6 +127,13 @@ set(SRC
${CMAKE_CURRENT_SOURCE_DIR}/host_info.cpp
${CMAKE_CURRENT_SOURCE_DIR}/odbcapi_common.cpp
${CMAKE_CURRENT_SOURCE_DIR}/odbcapi_rds_helper.cpp

# Webserver
${CMAKE_CURRENT_SOURCE_DIR}/plugin/federated/http/AddrInformation.cpp
${CMAKE_CURRENT_SOURCE_DIR}/plugin/federated/http/Parser.cpp
${CMAKE_CURRENT_SOURCE_DIR}/plugin/federated/http/Selector.cpp
${CMAKE_CURRENT_SOURCE_DIR}/plugin/federated/http/Socket.cpp
${CMAKE_CURRENT_SOURCE_DIR}/plugin/federated/http/WEBServer.cpp
)

# GUI
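Review bot: Of the nine headers added under `# Webserver` in the INC list, only five get a source file here (`AddrInformation`, `Parser`, `Selector`, `Socket`, `WEBServer`); confirm that `HtmlResponse`, `SocketStream`, `SocketSupport` and `WEBServer_utils` are intentionally header-only, otherwise the link step will fail with unresolved symbols on the first translation unit that includes them. Because `Parser.cpp` and `WEBServer.cpp` will parse requests arriving from a local browser on `MFA_PORT`, the PR should add unit tests that feed the parser malformed request lines and oversized headers, and the `WEBServer.cpp` accept path should bind to `127.0.0.1` only and be covered by a test that checks that binding.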