Overview

QueryPie supports integration with Okta. You can synchronize users and groups from Okta to grant access and apply policies, enabling a simplified user experience while operating with strict security controls. Integrating QueryPie with Okta enhances security, operational efficiency, and user experience across your database and system management ecosystem.

If you also plan to implement SCIM provisioning integration, follow the steps in [Okta] Provisioning Integration Guide (../provisioning/okta-provisioning-integration-guide) instead. Using outbound user synchronization via the Okta API at the same time as SCIM provisioning may affect synchronization; proceed with caution.

Add QueryPie as an application in Okta

Okta Admin > Applications > Applications > Browse App Catalog > Search QueryPie

  1. Sign in to the Okta service with an admin account.
  2. Click your profile in the upper-right and go to Your Org.
  3. In the left panel, navigate to Applications > Applications.
  4. Click Browse App Catalog and search for QueryPie.
  5. On the QueryPie application page, click Add Integration.
  6. Confirm that Application Label is QueryPie, then click Done to add the application.

Profile settings for Okta account integration

Okta Admin > Directory > Profile Editor > QueryPie User > Add Attribute

  1. In the left panel of the Okta Admin Console, go to Directory > Profile Editor.
  2. From the Profile list, click QueryPie User.
  3. In Attributes, click Add Attribute.
  4. In the Add Attribute screen, enter the following four items in order and save:
    1. Display name: firstName / Variable name: firstName, then click Save and Add Another
    2. Display name: lastName / Variable name: lastName, then click Save and Add Another
    3. Display name: email / Variable name: email, then click Save and Add Another
    4. Display name: loginId / Variable name: loginId, then click Save

Okta Admin > Directory > Profile Editor > QueryPie User > Mappings

  1. After confirming the four attributes have been added, click Mappings.
  2. Map Okta User Profile attributes to QueryPie User Profile attributes as follows:
    1. user.firstName ↔︎ firstName
    2. user.lastName ↔︎ lastName
    3. user.email ↔︎ email
    4. user.email ↔︎ loginId (Use Okta’s email as QueryPie’s login ID.)
  3. Click Save Mappings.

Assign users to the QueryPie application added in Okta

Okta Admin > Applications > Applications > QueryPie App

  1. In the left panel, navigate to Applications > Applications.
  2. From the list, click the QueryPie application.
  3. Go to the Assignments tab, click Assign, and choose Assign to People or Assign to Group.
  4. Assign users or groups who should have access to QueryPie, then click Done.
    1. When assigning People: review user info and click Save and Go Back.
    2. When assigning Groups: leave loginId blank and click Save and Go Back.
  5. You can now confirm that the users or groups are assigned to the QueryPie application.

Configure integration information for the QueryPie application in Okta

Okta Admin > Applications > Applications > QueryPie App

  1. On the QueryPie application page in Okta, go to the Sign On tab.
  2. Click Edit in the Settings area, enter the domain where QueryPie is installed into Base URL, and save.
  3. Open the URL shown in Metadata URL in a separate tab and copy the XML displayed there.

Issue a minimal-privilege Okta API token

To synchronize users, groups, and group memberships between QueryPie and Okta, you need an Okta Admin API token. Typically, you can generate an API token using a Super Administrator or Read-Only Administrator account as follows:

  1. In the left panel, go to Security > API.
  2. In API, go to the Tokens tab.
  3. Click Create Token to generate an access token.

However, to enhance security by minimizing permissions for the Okta API token, we recommend creating a token with the following roles and steps:

Okta Admin Console > Security > Administrators > Roles > Create new role

  1. In the left panel, go to Directory > People and click Add Person to create a dedicated system-integration account.
    • If you already have an account for QueryPie integration, skip this step.
  2. Go to Security > Administrators and open the Roles tab.
  3. Select Create new role.
  4. Define Role name (e.g., MinimumAdminRole) and Role description, and in Select Permissions, check only the following:
    1. User
      • View users and their details
    2. Group
      • View groups and their details
    3. Application
      • View applications and their details
  5. Click Save role to store the custom role.
  6. Go to the Resources tab.
  7. Select Create new resource set.
    • If you already have a resource set for scoping, skip to step 10.
  8. Define Name (e.g., MinimumResources) and Description, and specify the following scopes:
    1. User: All QueryPie users
    2. Group: All QueryPie user groups
    3. Application: Limit to the QueryPie app
  9. Click Create to finish.
  10. Go to the Admins tab and assign the following permissions to the integration account:
    1. Role: MinimumAdminRole | Resource: MinimumResources
    2. Role: Read-Only Administrator
      • Temporary assignment to access the API token creation menu
  11. Sign in to the Okta Admin Console with the integration account.
  12. Go to Security > API and open the Tokens tab.
  13. Click Create Token to generate a token and store it securely.
  14. Then sign back in with your original admin account and remove the Read-Only Administrator role from the integration account under Security > Administrators > Admins.
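
Step 14 matters because an Okta API token carries the permissions of the account that created it, so the token stays over-privileged for as long as Read-Only Administrator remains assigned. The following check is an added example, not part of QueryPie or Okta tooling: it audits the integration account's role assignments as returned by Okta's Roles API (GET /api/v1/users/{userId}/roles). It assumes the role name MinimumAdminRole from the steps above and a token belonging to a separate administrator; `org_url`, `admin_token` and `user_id` are placeholders, and the sample responses are constructed.

```python
import json
import urllib.request

EXPECTED_ROLE = "MinimumAdminRole"  # example role name from the steps above

def fetch_roles(org_url, admin_token, user_id):
    """List a user's admin role assignments (Okta Roles API).
    org_url, admin_token and user_id are placeholders supplied by the caller;
    admin_token belongs to a separate administrator, not the integration account."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/users/{user_id}/roles",
        headers={"Authorization": f"SSWS {admin_token}",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def audit_roles(roles, expected=EXPECTED_ROLE):
    """Return a list of findings; an empty list means least privilege holds."""
    findings = []
    active = [r for r in roles if r.get("status") == "ACTIVE"]
    for r in active:
        if r.get("type") != "CUSTOM":
            findings.append(f"standard role still assigned: {r.get('type')}")
        elif r.get("label") != expected:
            findings.append(f"unexpected custom role: {r.get('label')}")
        elif not r.get("resource-set"):
            findings.append(f"{expected} is not bound to a resource set")
    if not any(r.get("type") == "CUSTOM" and r.get("label") == expected
               for r in active):
        findings.append(f"{expected} is missing")
    return findings

# Constructed sample responses (IDs are made up), not output from a real org.
AFTER_STEP_10 = [
    {"id": "irbEXAMPLE1", "type": "CUSTOM", "label": "MinimumAdminRole",
     "status": "ACTIVE", "resource-set": "iamEXAMPLE1"},
    {"id": "raEXAMPLE2", "type": "READ_ONLY_ADMIN",
     "label": "Read-Only Administrator", "status": "ACTIVE"},
]
AFTER_STEP_14 = AFTER_STEP_10[:1]  # temporary role removed

if __name__ == "__main__":
    for name, roles in [("after step 10", AFTER_STEP_10),
                        ("after step 14", AFTER_STEP_14)]:
        print(name, "->", audit_roles(roles) or "OK")
```

Running the same audit on a schedule catches the temporary role being re-added to the integration account later.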

Configure Okta integration and synchronization in QueryPie

Administrator > General > User Management > Authentication

  1. In QueryPie, go to Administrator > General > User Management > Authentication.
  2. Select Okta as the Authentication Type.
  3. Paste the copied XML into Identity Provider Metadata.
  4. To enable automatic synchronization, check “Use Synchronization with the Authentication System”.
    1. API URL: Click your profile in the top-right of the Okta Admin Console to find the URL in the format {domain}.okta.com.
    2. API Token: Enter the Okta Admin API token.
    3. Application ID: Enter if you use two or more QueryPie apps in Okta.
  5. To use automatic synchronization, set Scheduling in Replication Frequency.
  6. Click Dry Run to validate the configuration.
  7. Click Save Changes.
  8. Click Synchronize to synchronize users from Okta.

How to find the Application ID

If you use two or more QueryPie applications, go to Okta Admin > Applications and open the details page of the QueryPie app. You can find the Application ID in the URL at the top, as shown in the screenshot above.

Okta Admin > Applications > QueryPie App URL at the top

Log in to QueryPie using Okta

  1. In General Settings > Users or Groups, you can confirm the synchronized users and groups.
  2. You can now log in to QueryPie with your Okta account by clicking Login with Okta on the sign-in page.

With this integration method, users and groups are synchronized one-way from Okta to QueryPie. If you also plan to implement SCIM provisioning integration, please follow the steps in [Okta] Provisioning Integration Guide (../provisioning/okta-provisioning-integration-guide).
