
Identity Providers

Overview

QueryPie supports two authentication approaches: using a QueryPie user account (ID/Password) or integrating with an external Identity Provider (IdP). Administrators can configure the IdP integration so that QueryPie handles user authentication via Single Sign-On (SSO) and synchronizes accounts easily.

Currently supported IdP integrations are as follows:

  • LDAP
  • Okta
  • SAML 2.0
  • OneLogin
  • Swivel Secure
  • Custom Identity Provider (for special use cases)

Note:
  • Multiple Identity Providers are not supported simultaneously. You must choose exactly one IdP other than the internal database (QueryPie user ID/Password).
  • MFA (Multi-factor Authentication) is available only with Internal DB, LDAP, and Custom Identity Provider.
  • Scheduled synchronization is available only for LDAP, Okta, One Login, and Custom Identity Provider.

Admin > General > System > Integration > Authentication > Identity Providers provides all related settings. By default, QueryPie performs authentication with IDs and passwords stored in the internal database, so an Internal database item always exists and cannot be deleted.


Internal authentication details

  • Name : A recognizable name shown in the list.
  • Type : One of the IdP types supported by QueryPie.
  • Multi-Factor Authentication Setting : Configure MFA. Google Authenticator and Email are supported.

Internal database details

Note: Once you have synchronized users even once, you cannot delete the configured IdP and switch to another. If you need to change or remove the IdP, please contact us via the Customer Portal.

LDAP Integration

Click the + Add button at the top right of the list and select LDAP for Type to add LDAP as an IdP.

  • Name : Enter a suitable name for identification.
  • Type : Select LDAP.
  • Server URL : Enter the LDAP server address in the form of ldap://ldap.example.com:389. For LDAPS, use the ldaps:// scheme.
  • BindDN : Enter the Distinguished Name (DN) of the service account used to bind to the LDAP server. This account needs at least read permission for user information.
    Example: cn=admin,ou=Services,dc=example,dc=com
  • Bind Password : Enter the password for the BindDN.

LDAP details

Enter the mapping configuration to synchronize QueryPie user accounts with LDAP user accounts.

  • User Base DN (Required) : The starting point in the LDAP tree to search for user accounts. Only users under this path are considered login targets.
    Example: ou=People,dc=example,dc=com or cn=Users,dc=example,dc=com
  • User Search Filter (Required) : The query (filter) used to find the user in LDAP based on the login ID.
    Example: (objectClass=inetOrgPerson)
  • User Name (Required) : The LDAP attribute used as the user login ID. This maps to the QueryPie user’s Login ID when synchronizing.
    Example: uid
  • Email (Required) : The LDAP attribute used as the user’s email. This maps to the QueryPie user’s Email when synchronizing.
    Example: email
  • Display Name (Optional) : The LDAP attribute to map to the QueryPie user’s display name.
    Example: cn or displayName

To synchronize user group and membership information from LDAP, enable the Use Group option and provide the required values.


  • Group Base DN (Required) : Enter the group Base DN value of the LDAP server. Only groups under this path are synchronized as Groups.
    Example: dc=example,dc=com
  • Group Search Filter (Required) : Enter the filter to fetch groups from the LDAP server.
    Example: objectclass=posixGroup
  • Group ID (Required) : Enter the attribute used as the group’s identifier.
    Example: gidNumber
  • Membership Type (Required) :
    • If user entries contain group information, select Include group information in user entries and enter the attribute to reference below.
      Example: member, uniqueMember, memberUid, etc.
    • If group entries contain user information, select Include user information in group entries and enter the attribute to reference below.
      Example: gidNumber
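The following is an added example (not QueryPie's own code) showing how the LDAP user and group settings above turn into directory searches: the User Search Filter is combined with the login ID (with RFC 4515 escaping so the ID stays data rather than filter syntax), lookups are scoped to the configured Base DN, and membership is resolved for both Membership Type choices. The in-memory directory, the user DN layout and the attribute names passed in are constructed assumptions; a real deployment would send these filters through an LDAP client to the configured Server URL.

```python
import re

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login ID must never be able to alter the filter structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def build_user_filter(user_search_filter: str, user_name_attr: str, login_id: str) -> str:
    """AND the configured User Search Filter with an exact match on the User Name attribute."""
    return f"(&{user_search_filter}({user_name_attr}={escape_filter_value(login_id)}))"

def in_subtree(dn: str, base_dn: str) -> bool:
    """Only entries at or under the configured Base DN are considered."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)

def resolve_groups(user_dn: str, user_entry: dict, groups: dict, *,
                   membership_type: str, attribute: str, group_id_attr: str) -> set:
    """Return the Group IDs a user belongs to, according to the Membership Type setting.

    "user":  the user entry carries group references in `attribute`; each value is
             compared with the group's Group ID attribute.
    "group": each group entry lists its members in `attribute`; values are compared
             with the user's DN or login ID (uid).
    """
    ids = set()
    for group in groups.values():
        gid = group[group_id_attr][0]
        if membership_type == "user":
            if gid in user_entry.get(attribute, []):
                ids.add(gid)
        elif membership_type == "group":
            members = group.get(attribute, [])
            if user_dn in members or user_entry["uid"][0] in members:
                ids.add(gid)
        else:
            raise ValueError(f"unknown membership type: {membership_type}")
    return ids

# Constructed directory entries (assumed layout), not a real server.
USERS = {
    "uid=alice,ou=People,dc=example,dc=com": {"uid": ["alice"], "gidNumber": ["1001"],
                                              "mail": ["alice@example.com"]},
}
GROUPS = {
    "cn=dba,ou=Groups,dc=example,dc=com": {"gidNumber": ["1001"], "memberUid": ["alice"]},
    "cn=dev,ou=Groups,dc=example,dc=com": {"gidNumber": ["1002"], "memberUid": ["bob"]},
    # Outside the Group Base DN: must be ignored even though it lists alice.
    "cn=old,ou=Legacy,dc=other,dc=com":   {"gidNumber": ["1003"], "memberUid": ["alice"]},
}

def groups_for_login(login_id: str, membership_type: str, attribute: str) -> set:
    """Login-time group lookup restricted to the Group Base DN, as a sync run would do."""
    user_dn = f"uid={login_id},ou=People,dc=example,dc=com"
    scoped = {dn: g for dn, g in GROUPS.items()
              if in_subtree(dn, "ou=Groups,dc=example,dc=com")}
    return resolve_groups(user_dn, USERS[user_dn], scoped, membership_type=membership_type,
                          attribute=attribute, group_id_attr="gidNumber")
```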

To run user synchronization from LDAP, enable Use Synchronization with the Authentication System.


  • Replication Frequency : Configure whether to enable automatic synchronization.
    • Manual: Synchronize only when you click the Synchronize button on this page.
    • Scheduling: Perform periodic synchronization. The “Use cron expression” field is enabled.
  • Additional Settings
    • Make New Users Inactive by Default : Add newly synchronized users as inactive by default.
      • Useful when there are many users or you want to manage access control individually via LDAP authentication.
    • Use an Attribute for Privilege Revoke : Revoke privileges based on a specific attribute during synchronization.
      • Enable when you want to automatically revoke DAC privileges based on changes to an LDAP attribute.
      • Enter the attribute name to monitor for activation changes in the LDAP Attribute input field.
    • Enable Attribute Synchronization : Synchronize LDAP user attributes with QueryPie user attributes by mapping.
      • Enable when you want to link LDAP-managed attributes to QueryPie attributes automatically.
      • When enabled, an LDAP Attribute Mapping UI appears, allowing you to specify the LDAP and QueryPie attributes to map.
      • This applies only to attributes whose Source Priority is set to “Inherit from profile source” in Profile Editor (Admin > General > User Management > Profile Editor).
    • Allowed User Deletion Rate Threshold :
      • If the percentage of deleted existing users during synchronization is greater than or equal to this value, the synchronization fails.
      • Enter a value between 0 and 1 (default is 0.1).
        Example: If there are 100 existing users and the threshold is 0.1, synchronization fails when 10 or more users would be deleted.
        When upgrading to 11.3.0 from a version configured before 11.3.0, this value migrates to 1.
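The following is an added example (not QueryPie's own code) that dry-runs the Additional Settings above against a constructed user list: it computes the creates and deletes a sync would apply, honours Make New Users Inactive by Default and the privilege-revoke attribute, and applies the Allowed User Deletion Rate Threshold rule as stated (fail when deleted / existing >= threshold). The only assumption beyond the page is that a run that deletes nobody is never blocked, which keeps a threshold of 0 from rejecting every run.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SyncPlan:
    to_create: list = field(default_factory=list)
    to_delete: list = field(default_factory=list)
    to_deactivate: list = field(default_factory=list)  # via the privilege-revoke attribute
    new_users_active: bool = True
    deletion_rate: float = 0.0
    blocked: bool = False
    reason: str = ""

def plan_sync(existing: dict, idp_users: dict, *, deletion_threshold: float = 0.1,
              new_users_inactive: bool = False, revoke_attr: Optional[str] = None) -> SyncPlan:
    """Compare QueryPie's current users with the IdP's user list and decide what a sync
    would do. `existing` and `idp_users` map login ID -> attribute dict."""
    if not 0.0 <= deletion_threshold <= 1.0:
        raise ValueError("Allowed User Deletion Rate Threshold must be between 0 and 1")
    plan = SyncPlan(new_users_active=not new_users_inactive)
    plan.to_create = sorted(set(idp_users) - set(existing))
    plan.to_delete = sorted(set(existing) - set(idp_users))
    if revoke_attr:
        # A falsy value of the monitored attribute on the IdP side revokes privileges.
        plan.to_deactivate = sorted(u for u in existing.keys() & idp_users.keys()
                                    if not idp_users[u].get(revoke_attr, True))
    if existing and plan.to_delete:  # assumption: a run that deletes nobody is never blocked
        plan.deletion_rate = len(plan.to_delete) / len(existing)
        if plan.deletion_rate >= deletion_threshold:
            plan.blocked = True
            plan.reason = (f"{len(plan.to_delete)} of {len(existing)} existing users would be "
                           f"deleted ({plan.deletion_rate:.0%} >= threshold "
                           f"{deletion_threshold:.0%}); synchronization fails")
    return plan
```

With 100 existing users the default threshold of 0.1 blocks a run that would delete 10 of them and lets one that deletes 9 proceed; a threshold of 1 (the value migrated on upgrade) blocks only a run that would delete everyone.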

LDAP Attribute Mapping

To link LDAP-managed user attributes with QueryPie attributes, enable “Enable Attribute Synchronization” and provide the following information:

Click Add Row to add a new mapping row. For each row, select an LDAP attribute and a corresponding QueryPie attribute.

  1. This feature applies only to QueryPie attributes whose Source Priority is set to “Inherit from profile source” in Admin > General > User Management > Profile Editor.
  2. The QueryPie attributes Username (loginId) and Primary Email (email) are configured separately in LDAP integration settings and are not exposed in the LDAP–QueryPie Attribute Mapping UI.
  3. When you delete or change a mapping row, click Save to apply changes in the UI, and additionally click Synchronize to actually perform synchronization with LDAP. Save applies the screen changes, while Synchronize applies them to the system.

Okta Integration

Add QueryPie as an application in Okta

Okta Admin > Applications > Applications > Browse App Catalog > Search for QueryPie

  • Sign in to Okta with an administrator account.
  • Click your profile at the top right to access Your Org.
  • Go to Applications > Applications in the left panel of the Okta admin page.
  • Click Browse App Catalog and search for QueryPie.
  • Open the QueryPie application page and click Add Integration.
  • Confirm that Application Label is QueryPie and click Done.

Profile settings for Okta account integration

Okta Admin > Directory > Profile Editor > QueryPie User > Add Attribute

  • Go to Directory > Profile Editor in the Okta admin page.
  • Click ‘QueryPie User’ in the profile list.
  • In Attributes, click Add Attribute.
  • Add the following four items in order and save:
    • Display name: firstName / Variable name: firstName, then Save and Add Another
    • Display name: lastName / Variable name: lastName, then Save and Add Another
    • Display name: email / Variable name: email, then Save and Add Another
    • Display name: loginId / Variable name: loginId, then Save

Okta Admin > Directory > Profile Editor > QueryPie User > Mappings

  • After the four attributes are added, click Mappings.
  • Link Okta User Profile attributes to QueryPie User Profile attributes as follows:
    • user.firstName ↔︎ firstName
    • user.lastName ↔︎ lastName
    • user.email ↔︎ email
    • user.email ↔︎ loginId (Use Okta’s email attribute as QueryPie’s Login ID.)
  • Click Save Mappings.

Assign users to the QueryPie application in Okta

Okta Admin > Applications > Applications > QueryPie App

  • Go to Applications > Applications in the Okta admin page.
  • Click the QueryPie application in the list.
  • Go to the Assignments tab, click Assign, and select Assign to People or Assign to Group.
  • Assign the user(s) or group(s) to allow access to QueryPie and click Done.
    • For People, review the user information and click Save and Go Back.
    • For Group, leave loginId empty and click Save and Go Back.
  • Verify that the user or group is assigned to the QueryPie application.

Configure QueryPie application integration settings in Okta

Okta Admin > Applications > Applications > QueryPie App

  • In the QueryPie application page in Okta, go to the Sign On tab.
  • Click Edit in Settings and enter the domain where QueryPie is installed in the Base URL field.
  • Access the URL shown in Metadata URL in a separate tab and copy the XML.

Issue a minimum-privilege Okta API token

To synchronize users, groups, and group memberships between QueryPie and Okta, an Okta Admin API token is required. Typically, you can issue a token using the Super Administrator or Read-Only Administrator account and apply it as follows:

  • In the Okta admin page, go to Security > API.
  • Go to the Tokens tab.
  • Click Create Token to create an API token.

For improved security, we recommend issuing a token with minimum permissions as follows.

Okta Admin Console > Security > Administrators > Roles > Create new role

  • In the Okta admin page, go to Directory > People and click Add Person to create a dedicated integration account.
    • If you already have such an account, skip this step.
  • Go to Security > Administrators > Roles.
  • Select Create new role.
  • Define Role name (e.g., MinimumAdminRole) and Role description, and check only the following permissions in Select Permissions:
    • User
      • View users and their details
    • Group
      • View groups and their details
    • Application
      • View applications and their details
  • Click Save role.
  • Go to the Resources tab.
  • Select Create new resource set.
    • If you already have a resource set for scoping, skip to step 10.
  • Define Name (e.g., MinimumResources) and Description, then set the scope as follows:
    • User: All QueryPie users
    • Group: All QueryPie groups
    • Application: Limited to the QueryPie app
  • Go to the Admins tab and assign the following to the integration account:
    • Role: MinimumAdminRole | Resource: MinimumResources
    • Role: Read-Only Administrator
      • Temporarily needed to access the API token issuance menu
  • Sign in to the Okta admin console with the integration account.
  • Go to Security > API > Tokens and click Create Token to issue a token and store it securely.
  • Then, sign back in as the original admin and remove Read-Only Administrator from the integration account in Security > Administrators > Admins.

Configure Okta integration and synchronization in QueryPie

Click the + Add button at the top right of the list and select Okta for Type to add Okta as an IdP.

Okta details (1)

  • Name : Enter a suitable name for identification.
  • Type : Select Okta.
  • Identity Provider Metadata :
    Paste the XML copied in the process described in the Okta guide.
  • Use SAML Assertion Consumer Service Index: When the Service Provider uses multiple endpoints, you can specify each endpoint using the ACS Index.
    • Entity ID: Enter in the format https://your-domain.com/saml/sp/metadata. This is the Audience URI (SP Entity ID) value in Okta’s SAML 2.0 settings.
    • ACS Index: Enter a value between 0 and 2,147,483,647 (default 0).

Assertion Consumer Service (ACS): The endpoint URL in the Service Provider (SP) that receives SAML assertions from the IdP, verifies them, and processes user login.

Why the Assertion Consumer Service Index matters

An SP can have multiple ACS URLs for various reasons. The AssertionConsumerServiceIndex plays a crucial role here.

When the SP sends the AuthnRequest with this index to the IdP, the IdP sends the assertion to the ACS URL mapped to that index. If the index is not specified, the IdP typically sends the assertion to a predefined default ACS URL.

This index-based routing is useful in the following scenarios:

Key use cases

  • Support multiple protocol bindings:

SAML assertions can be delivered via various bindings such as HTTP POST and HTTP-Artifact. The SP may maintain separate ACS URLs for each binding. For example, index “0” can point to the ACS URL for HTTP POST, and index “1” can point to HTTP-Artifact.

  • Multi-tenant architecture:

A SaaS application supporting multiple customers (tenants) can assign a unique ACS URL per tenant. This isolates and customizes the authentication flow for each tenant.

  • Different authentication flows within the same application:

Depending on roles or entry paths, post-login destinations can differ. You may configure different ACS URLs and select them by index.

  • Dynamic or special ACS URL handling:

If assertions must be delivered to dynamically generated ACS URLs under specific situations, the index can guide the IdP to one of the statically defined URLs.
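The following is an added example (not QueryPie or Okta code) of the index-based routing described above: an SP metadata document registering two ACS endpoints (index 0 for HTTP-POST, index 1 for HTTP-Artifact), and the lookup an IdP performs when an AuthnRequest carries an AssertionConsumerServiceIndex or omits it. The metadata and request are constructed; the Entity ID follows the format given above, while the ACS paths, the request ID and the IssueInstant are placeholder assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed SP metadata: two statically registered ACS endpoints, index 0 is the default.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://your-domain.com/saml/sp/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your-domain.com/saml/sp/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://your-domain.com/saml/sp/acs-artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def load_acs_table(metadata_xml: str) -> dict:
    """Map each ACS index to (binding, location); the 'default' key records the fallback index."""
    root = ET.fromstring(metadata_xml)
    table = {}
    for acs in root.iterfind(".//md:AssertionConsumerService", NS):
        idx = int(acs.get("index"))
        table[idx] = (acs.get("Binding"), acs.get("Location"))
        if acs.get("isDefault") == "true":
            table["default"] = idx
    if "default" not in table:  # no isDefault flag: fall back to the lowest index
        table["default"] = min(i for i in table if isinstance(i, int))
    return table

def resolve_acs(table: dict, authn_request_xml: str) -> tuple:
    """Choose the ACS the assertion must be delivered to for this AuthnRequest.
    Only an endpoint registered in the SP's metadata is ever chosen; an unknown index
    is rejected rather than trusted, so the index can only select a static URL."""
    req = ET.fromstring(authn_request_xml)
    raw = req.get("AssertionConsumerServiceIndex")
    if raw is None:
        return table[table["default"]]
    idx = int(raw)
    if idx < 0 or idx > 2147483647 or idx not in table:
        raise ValueError(f"AssertionConsumerServiceIndex {raw} is not registered for this SP")
    return table[idx]

def authn_request(acs_index=None) -> str:
    """Constructed minimal AuthnRequest; ID and IssueInstant are placeholders."""
    attr = f' AssertionConsumerServiceIndex="{acs_index}"' if acs_index is not None else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="_placeholder" Version="2.0"'
            f' IssueInstant="2025-01-01T00:00:00Z"{attr}/>')
```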

Audience URI (SP Entity ID) in Okta app settings

Index for Other Requestable SSO URLs

Okta details (2)

  • To enable synchronization, turn on “Use Synchronization with the Authentication System”.
    • API URL: Click your profile at the top right of the Okta admin page to see {domain}.okta.com.
    • API Token: Enter the Okta Admin API token.
    • Application ID: Enter only if you use two or more QueryPie apps in Okta.
  • For periodic synchronization, set Replication Frequency to Scheduling.
  • Additional Settings
    • Make New Users Inactive by Default: Add newly synchronized users as inactive by default.
      Enable this when you have many users or want to manage QueryPie access individually via authentication.
    • Use an Attribute for Privilege Revoke: Revoke privileges based on a specific attribute during synchronization.
      Enable this if you want to revoke DAC privileges automatically based on changes to a specific attribute.
      Enter the attribute name to monitor.
    • Enable Attribute Synchronization: Synchronize IdP user attributes with QueryPie user attributes by mapping.
      Enable this to automatically link attributes managed by the IdP to QueryPie attributes.
      When enabled, an Attribute Mapping UI appears below to configure mappings.
      This applies only to attributes whose Source Priority is set to “Inherit from profile source” in Profile Editor (Admin > General > User Management > Profile Editor).
    • Allowed User Deletion Rate Threshold :
      • If the percentage of deleted existing users during synchronization is greater than or equal to this value, the synchronization fails.
      • Enter a value between 0 and 1 (default is 0.1).
        Example: If there are 100 existing users and the threshold is 0.1, synchronization fails when 10 or more users would be deleted.
        When upgrading from a pre-11.3.0 version configured with synchronization to 11.3.0 or later, this value migrates to 1.
  • Click Dry Run to verify the input.
  • Click Save to store the settings.

How to find the Application ID

If you use two or more QueryPie applications, go to Okta Admin > Applications, open the details page of the QueryPie app, and check the top URL, where the Application ID is highlighted in the screenshot.

Top URL of Okta Admin > Applications > QueryPie App

Sign in to QueryPie with Okta

  1. You can verify synchronized users and groups in General Settings > Users or Groups.
  2. You can now sign in to QueryPie using Login with Okta on the login page.


This integration supports one-way synchronization from Okta to QueryPie for users and groups. For SCIM provisioning, follow the steps in the [Okta] Provisioning Integration Guide.

One Login Integration

Click the + Add button at the top right of the list and select One Login for Type to add One Login as an IdP.

  • Name : Enter a suitable name for identification.
  • Type : Select One Login.

One Login SAML Custom Connector configuration and downloading Metadata XML

  • Sign in to OneLogin and click Applications > Applications at the top.
  • Click Add App.
  • Search for ‘SAML Custom Connector (Advanced)’ and click the result.
  • For Display Name, paste the value of “Application Name to be used in OneLogin” shown in QueryPie, and also copy Audience (Entity ID), Recipient, ACS (Consumer) URL Validator, and ACS (Consumer) URL into OneLogin settings.
  • Click Save.
  • Select Configuration on the left, then click More Actions > SAML Metadata on the top right.
  • Check the downloaded XML file.

For details on configuring the OneLogin SAML Custom Connector, refer to https://onelogin.service-now.com/support?id=kb_article&sys_id=8a1f3d501b392510c12a41d5ec4bcbcc&kb_category=de885d2187372d10695f0f66cebb351f

  • Identity Provider Metadata : Paste the contents of the XML file downloaded from One Login.

One Login details (1)

  • To enable synchronization, turn on “Use Synchronization with the Authentication System”.
  • For periodic synchronization, set Replication Frequency to Scheduling.

One Login details (2)

  • Additional Settings
    • Make New Users Inactive by Default : Add newly synchronized users as inactive by default.
      Enable this when you have many users or want to manage QueryPie access individually via authentication.
    • Use an Attribute for Privilege Revoke : Revoke privileges based on a specific attribute during synchronization.
      Enable this to automatically revoke DAC privileges based on a specific attribute.
      Enter the attribute name to monitor.
    • Enable Attribute Synchronization : Synchronize IdP user attributes with QueryPie user attributes by mapping.
      Enable this to automatically link attributes managed by the IdP to QueryPie attributes.
      When enabled, an Attribute Mapping UI appears for configuring mappings.
      This applies only to attributes whose Source Priority is set to “Inherit from profile source” in Profile Editor (Admin > General > User Management > Profile Editor).
    • Allowed User Deletion Rate Threshold :
      • If the percentage of deleted existing users during synchronization is greater than or equal to this value, the synchronization fails.
      • Enter a value between 0 and 1 (default is 0.1).
        Example: If there are 100 existing users and the threshold is 0.1, synchronization fails when 10 or more users would be deleted.
        When upgrading from a pre-11.3.0 version configured with synchronization to 11.3.0 or later, this value migrates to 1.

SAML 2.0 Integration (one-off without periodic sync)

If you want a one-time SAML integration without periodic synchronization, provide only the SAML metadata.

  • Name : Enter a suitable name for identification.
  • Type : Select SAML.
  • Identity Provider Metadata : Paste the SAML metadata XML content downloaded from your IdP.


Note: AWS SSO Integration

Custom Identity Provider

Use this only for special cases that require an authentication API server.

  • Name : Enter a suitable name for identification.
  • Type : Select Custom Identity Provider.
  • API URL : Enter the endpoint URL of your API server.
  • To run user synchronization, enable Use Synchronization with the Authentication System.


  • Additional Settings
    • Make New Users Inactive by Default : Add newly synchronized users as inactive by default.
      Enable this when you have many users or want to manage QueryPie access individually via authentication.
    • Use an Attribute for Privilege Revoke : Revoke privileges based on a specific attribute during synchronization.
      Enable this if you want to automatically revoke DAC privileges based on changes to a specific attribute.
      Enter the attribute name to monitor.
    • Enable Attribute Synchronization : Map and synchronize IdP user attributes with QueryPie user attributes.
      Enable this to automatically link attributes managed by the IdP to QueryPie attributes.
      When enabled, an Attribute Mapping UI appears for configuring mappings.
      This applies only to attributes whose Source Priority is set to “Inherit from profile source” in Profile Editor (Admin > General > User Management > Profile Editor).
    • Allowed User Deletion Rate Threshold :
      • If the percentage of deleted existing users during synchronization is greater than or equal to this value, the synchronization fails.
      • Enter a value between 0 and 1 (default is 0.1).
        Example: If there are 100 existing users and the threshold is 0.1, synchronization fails when 10 or more users would be deleted.
        When upgrading to 11.3.0 from a version configured before 11.3.0, this value migrates to 1.