Okta Classic Engine | Single Sign-On | Answered | 2018-07-04 | 2021-02-01 | 2024-04-30
SAML Errors when connecting to AWS Redshift
Hi Team,

I'm running through this (https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Amazon-Web-Services-Redshift.html) configuration for connecting to AWS Redshift using Okta. This is using a brand new Redshift cluster. I can connect to this cluster using the master username/password via SQL Workbench/J.

When I attempt to configure using my Okta credentials (and the modified connection URL), the response I receive is as below.

[attached screenshot of the error response]

It must be communicating with Okta, as when I attempt to log in using a user that is not assigned to that app, I receive a different message:

[attached screenshot of the second error message]

I can't find anything regarding this error on the internet. I'm wondering if anyone has successfully configured this, and ran into a similar problem?

  • hzbpz (hzbpz)

    For anyone that comes across this in the future:
    • If you have MFA enabled for your users they will not be able to authenticate with Redshift. The token cannot be returned. Workarounds such as combining the password and MFA token do not work around this issue in the following formats:
      • {password}{mfatoken}
      • {password},{mfatoken}
    • The workarounds for this are:
      • Disable MFA for your users (bad idea)
      • Create a policy where MFA is not required from a certain network, and create a network where the gateway IP is that of a VPN server. This requires the VPN server to modify the gateway (no split tunnelling).

    Also, I could not get the JDBC 4.2 driver to work at all, regardless of MFA. It just didn't work. Reverting to JDBC 4.1 with SDK and ensuring that the classname was modified to be com.amazon.redshift.jdbc41.Driver was the only way I could get this to work.
    Selected as Best
  • j5v7c (j5v7c)

    Hi,

    This looks like it needs further troubleshooting as a particular integration. Please open a support ticket regarding this issue and we will be more than happy to assist you.

    Thank you,
  • RichardC.41425 (Customer)

    Hi - if you have implemented this successfully, can you please get in touch with me?

    I am wondering how, if you did, you got around the issue of passing the dbuser through to Redshift?
  • f3i29 (f3i29)

    @Okta,

    Do you have any solution with MFA? Disabling MFA is not the right approach from a security standpoint.

    -Sankara

  • eeopj (eeopj)

    @Okta,

    This is something that we are trying to do as well. Any idea on when this will be supported?

  • sretb (sretb)

    @User15802732063966901191 (CS – ServiceSource) Hello Mary,

    Is this still not supported? We would love to use this but our users need MFA for other applications.

    Thank you.

  • 2vvfu (2vvfu)

    @User15802732063966901191 (CS – ServiceSource) or any other Okta representative...

    This is still an issue. Can we get some indication as to if it will be resolved?

    Thanks...
  • 2vvfu (2vvfu)

    Well, so much for the help desk...

    However, success! I have succeeded in connecting with MFA.

    The critical change was to avoid the Okta Redshift "app" at all costs. It is misconfigured internally and won't work.

    Instead, follow the AWS guidelines and set up a new "custom" SAML 2.0 app.

    Then connect with a JDBC url of the form: "jdbc:redshift:iam://reporting-redshiftcluster-123456789.123456789.eu-west-1.redshift.amazonaws.com.:5439/some_db?login_url=https://foo.okta.com/app/xxxxxxxxx/xxxxxxxxx/sso/saml&plugin_name=com.amazon.redshift.plugin.BrowserSamlCredentialsProvider"

    Good luck.
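The connection that the two working answers in this thread describe (the JDBC 4.1 driver class from hzbpz's post, and the custom SAML 2.0 app with login_url and BrowserSamlCredentialsProvider from 2vvfu's post), written out as an added Java example that is not code from the thread or from AWS/Okta. The cluster host, database, login_url, listen_port and idp_response_timeout values are placeholders or assumptions; replace them with your own.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

// Connects to Redshift via the browser-based Okta SAML flow from the thread:
// a custom SAML 2.0 app in Okta plus the iam:// JDBC scheme, so the driver
// exchanges the SAML assertion for temporary cluster credentials instead of
// using the static master password.
public class RedshiftOktaSamlConnect {

    // Placeholder cluster endpoint and database (constructed, not from the thread).
    static final String HOST = "my-cluster.abc123xyz.eu-west-1.redshift.amazonaws.com";
    static final int PORT = 5439;
    static final String DATABASE = "some_db";
    // Embed link of the custom SAML 2.0 app in Okta (placeholder path).
    static final String LOGIN_URL = "https://foo.okta.com/app/xxxxxxxxx/xxxxxxxxx/sso/saml";

    public static Properties samlProperties() {
        Properties props = new Properties();
        // The browser plugin opens the IdP login page in the system browser, so an
        // Okta MFA prompt is completed there; no password+token concatenation needed.
        props.setProperty("plugin_name", "com.amazon.redshift.plugin.BrowserSamlCredentialsProvider");
        props.setProperty("login_url", LOGIN_URL);
        // Local port the driver listens on for the SAML response and how long it
        // waits for the browser login (assumed values, driver defaults may differ).
        props.setProperty("listen_port", "7890");
        props.setProperty("idp_response_timeout", "120");
        return props;
    }

    public static String jdbcUrl() {
        return "jdbc:redshift:iam://" + HOST + ":" + PORT + "/" + DATABASE;
    }

    public static void main(String[] args) throws SQLException {
        // The thread reports success only with the JDBC 4.1 driver class.
        try {
            Class.forName("com.amazon.redshift.jdbc41.Driver");
        } catch (ClassNotFoundException e) {
            throw new IllegalStateException("Redshift JDBC 4.1 driver not on classpath", e);
        }
        try (Connection conn = DriverManager.getConnection(jdbcUrl(), samlProperties());
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT current_user")) {
            while (rs.next()) {
                System.out.println("Connected as " + rs.getString(1));
            }
        }
    }
}
```

Passing the properties through a Properties object rather than appending them to the URL keeps the login_url out of shell history and connection-string logs.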
This question is closed.