Steven Drury

SAML Errors when connecting to AWS Redshift

Hi Team, 

I'm running through this (https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Amazon-Web-Services-Redshift.html) configuration for connecting to AWS Redshift using Okta. This is using a brand new Redshift cluster. I can connect to this cluster using the master username/password via SQL Workbench/J. 

When I attempt to configure using my Okta credentials (and the modified connection URL), the response I receive is as below.
User-added image

It must be communicating with Okta, as when I attempt to log in using a user that is not assigned to that app, I receive a different message: 

User-added image

I can't find anything regarding this error on the internet. I'm wondering if anyone has successfully configured this and run into a similar problem?
Best Answer chosen by Steven Drury
Steven Drury
For anyone that comes across this in the future: 
  • If you have MFA enabled for your users they will not be able to authenticate with Redshift. The token cannot be returned. The workarounds such as combining the password and MFA token do not work around this issue in the following formats:
    • {password}{mfatoken}
    • {password},{mfatoken}
  • The workarounds for this are:
    • Disable MFA for your users (bad idea)
    • Create a policy where MFA is not required from a certain network, and create a network where the Gateway IP is that of a VPN server. This requires the VPN server to modify the gateway (no split tunnelling). 
Also, I could not get the JDBC 4.2 driver to work at all, regardless of MFA. It just didn't work. Reverting back to JDBC 4.1 with SDK and ensuring that the Classname was modified to be com.amazon.redshift.jdbc41.Driver was the only way I could get this to work. 
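As an added example (not code from this thread or from the Redshift JDBC driver), here is an offline, transport-injected walk through the three steps the driver's Okta plugin is understood to perform: primary authentication at Okta's /api/v1/authn, redeeming the returned sessionToken at the app's SSO URL for a SAMLResponse, and reading the AWS Role attribute that AssumeRoleWithSAML needs. That the driver works this way is my assumption, as are the example.okta.com URLs, the role ARNs and the constructed replies; what it shows is why an MFA-enforced user stops at step 1 with status MFA_REQUIRED and no sessionToken, which is the "token cannot be returned" failure above.

```python
import base64
import json
import re
import xml.etree.ElementTree as ET

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


class OktaAuthError(RuntimeError):
    pass


def okta_session_token(post, org_url, username, password):
    """Step 1: primary auth at /api/v1/authn; return sessionToken or raise with Okta's status."""
    reply = json.loads(post(org_url + "/api/v1/authn", json.dumps({"username": username, "password": password})))
    status = reply.get("status")
    if status == "SUCCESS" and reply.get("sessionToken"):
        return reply["sessionToken"]
    # MFA_REQUIRED, MFA_ENROLL, LOCKED_OUT, ...: a non-interactive JDBC client has no second step here
    raise OktaAuthError(f"Okta authn status {status}: no sessionToken, SAML flow cannot continue")


def fetch_saml_response(get, sso_url, session_token):
    """Step 2: redeem the one-time sessionToken at the app SSO URL; pull the SAMLResponse form field."""
    page = get(f"{sso_url}?onetimetoken={session_token}")
    match = re.search(r'name="SAMLResponse"[^>]*value="([^"]+)"', page)
    if not match:
        raise OktaAuthError("no SAMLResponse form field in Okta SSO page")
    return match.group(1)


def saml_roles(saml_response_b64):
    """Step 3: (role_arn, provider_arn) pairs the driver would hand to AssumeRoleWithSAML."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == ROLE_ATTR:
            for val in attr.iter(f"{{{SAML_NS}}}AttributeValue"):
                pairs.append(tuple(p.strip() for p in val.text.split(",")))
    return pairs


# Constructed sample replies (not captured from a real tenant) so every step runs offline.
SAMPLE_XML = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="{SAML_NS}">'
              f'<saml:Assertion><saml:AttributeStatement><saml:Attribute Name="{ROLE_ATTR}">'
              '<saml:AttributeValue>arn:aws:iam::123456789012:role/RedshiftUser,'
              'arn:aws:iam::123456789012:saml-provider/Okta</saml:AttributeValue>'
              '</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')
SAMPLE_SAML_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
SAMPLE_SSO_PAGE = f'<form><input type="hidden" name="SAMLResponse" value="{SAMPLE_SAML_B64}"/></form>'
MFA_REPLY = '{"status": "MFA_REQUIRED", "stateToken": "constructed"}'
OK_REPLY = '{"status": "SUCCESS", "sessionToken": "constructed-session-token"}'
```

Feeding `lambda url, body: MFA_REPLY` as the `post` callable reproduces the MFA dead end at step 1, while `OK_REPLY` and `SAMPLE_SSO_PAGE` carry the flow through to the role pair.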

All Answers

Razvan Serban (Vendor Management)
Hi,

This looks like it needs further troubleshooting as a particular integration. Please open a support ticket regarding this issue and we will be more than happy to assist you.

Thank you,