Using the Browser SAML Credentials Provider
You can configure the connector to authenticate the connection using the Browser SAML credentials provider, which obtains credentials from the Browser SAML identity provider. To do this, connect to Athena using a connection URL that includes property settings that specify information about the Browser SAML service.
When the connector connects to Athena, it retrieves temporary credentials from the Browser SAML identity provider. If these credentials are associated with an IAM role that has permission to access Athena, the connector immediately uses these credentials to authenticate the connection to Athena. Otherwise, you must exchange the temporary credentials for more specialized AWS credentials, which can then be used to authenticate the connection. For post-SAML workflows such as exchanging temporary credentials for specialized ones, the connector provides a post-SAML workflow hook. For more information, see Using the Post-SAML Workflow Hook.
Specifying Browser SAML Information in the Connection URL
In your connection URL, set properties to specify information such as the host and port of the server where the Browser SAML service is hosted.
Note: Some properties can be set through aliases, as described below. If you specify both a property name and its alias, the setting associated with the property name takes precedence.
To specify Browser SAML information in the connection URL:
- In your connection URL, set the following properties:
| Property | Value |
| --- | --- |
| AWSCredentialsProviderClass. As alternatives, you can configure this property using the aliases aws_credentials_provider_class or plugin_name. If you specify both aliases, the setting associated with aws_credentials_provider_class takes precedence. | The FQCN that implements the Browser SAML credentials provider. |
| User. As an alternative, you can configure this property using the alias UID. | The email address that you use to access the server. |
| Password. As an alternative, you can configure this property using the alias PWD. | The password corresponding to your email address that you specified in the User or UID property. |
| login_url | The URL for the resource on the identity provider's website when using the SAML services through a browser plugin. |
| idp_response_timeout | The amount of time, in seconds, that the connector waits for the SAML response from the identity provider when using the service through a browser plugin. |
| listen_port | The port that the connector uses to get the SAML response from the identity provider when using the service through a browser plugin. |
For example:
jdbc:awsathena://AwsRegion=us-east-1;S3OutputLocation=s3://test;AwsCredentialsProviderClass=com.simba.athena.iamsupport.plugin.BrowserSamlCredentialsProvider;UID=jsmith@acme.com;PWD=simba12345;login_url=http://localhost:abc/athena;Duration=900;
Note: Optionally, in the Duration field, type the duration of the role session in seconds.
When you connect to Athena, the connector retrieves temporary credentials from Browser SAML. If these credentials are not associated with an IAM role that has permission to access Athena, then you must exchange them for more specialized AWS credentials before the connector can authenticate the connection. For information about how to complete this process, see Using the Post-SAML Workflow Hook.
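The alias precedence rules from the note and the property table above, as an added Python example (not part of the connector or its documentation): it resolves which setting takes effect when a connection URL sets both a property and its alias, and masks the password before the settings are written to a log. Case-insensitive key matching, the function names, and the sample URL values are assumptions made for this example.

```python
# Added example, not connector code. Assumption: keys match case-insensitively.
PREFIX = "jdbc:awsathena://"
# Canonical property name -> aliases, in descending precedence (from the table).
ALIASES = {
    "AWSCredentialsProviderClass": ["aws_credentials_provider_class", "plugin_name"],
    "User": ["UID"],
    "Password": ["PWD"],
}
SECRET = {"Password"}
# Constructed sample input; the addresses, password and port are made up.
SAMPLE_URL = (PREFIX + "AwsRegion=us-east-1;plugin_name=example.OtherProvider;"
              "aws_credentials_provider_class="
              "com.simba.athena.iamsupport.plugin.BrowserSamlCredentialsProvider;"
              "UID=a@example.com;User=b@example.com;PWD=constructed;listen_port=7890;")

def parse_url(url):
    """Split the URL into (key, value) pairs, preserving order."""
    if not url.startswith(PREFIX):
        raise ValueError("not an Athena JDBC connection URL")
    pairs = []
    for item in url[len(PREFIX):].split(";"):
        if item.strip():
            key, sep, value = item.partition("=")
            if not sep:
                raise ValueError(f"malformed setting: {item!r}")
            pairs.append((key.strip(), value))
    return pairs

def resolve(url):
    """Return (effective settings, notes about shadowed aliases)."""
    pairs = parse_url(url)
    raw = {k.lower(): v for k, v in pairs}
    effective, notes = {}, []
    for name, aliases in ALIASES.items():
        present = [c for c in [name, *aliases] if c.lower() in raw]
        if present:
            effective[name] = raw[present[0].lower()]
            for shadowed in present[1:]:
                notes.append(f"{shadowed} is ignored: {present[0]} takes precedence")
    known = {c.lower() for n, a in ALIASES.items() for c in [n, *a]}
    for key, value in pairs:
        if key.lower() not in known:
            effective[key] = value  # pass other properties through unchanged
    return effective, notes

def redacted(settings):
    """Copy of the settings that is safe to write to a log."""
    return {k: ("***" if k in SECRET else v) for k, v in settings.items()}
```

Calling `resolve(SAMPLE_URL)` returns the effective settings plus one note per alias that was set but overridden, which makes it easy to spot a URL where a stale alias value is silently ignored.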