
[Okta] Provisioning Integration Guide

This guide explains how to set up SCIM integration between QueryPie and Okta using Okta’s App Integration Wizard (AIW). QueryPie’s SCIM functionality is built on RFC 7643 to comply with the SCIM 2.0 basic specification, so when integrating with other Identity Providers you can also follow this guide to collect the necessary information from QueryPie and proceed with the integration.

Prerequisites

  • You need to subscribe to the Lifecycle Management (LCM) license for the Okta IAM service.
  • You need permissions to access the Okta Admin Console to create apps and assign users/groups to apps.
    • Minimum required permissions
      • User
        • Edit users’ application assignments
      • Group
        • Edit groups’ application assignments
      • Application
        • Manage applications
  • Refer to the Okta IP range allowlist page (https://help.okta.com/en-us/content/topics/security/ip-address-allow-listing.htm) to identify the IP ranges for your tenant and allow inbound traffic exceptions in advance.
  • QueryPie must be installed with a license.
  • You need an account with Owner/Application Admin Role permissions in QueryPie.
  • You must complete the Activating Provisioning step first.

If you plan to configure outbound user synchronization using the Okta API, please follow the procedures in Integrating with Okta instead. Please note that enabling it simultaneously with SCIM may affect user synchronization.

Integration Steps

Once all the prerequisites above are completed, perform the SCIM integration in the following order.


Create an Okta custom SCIM app

Okta Admin Console > Applications > Applications > Create App Integration > SAML 2.0 > Configure SAML


  1. Access the Okta service and sign in with an admin account.
  2. Click the Admin button in the top right to access the Admin Console.
  3. In the left panel of the Okta admin page, go to Applications > Applications.
  4. Click the Create App Integration button.
  5. For custom SCIM integration, select SAML 2.0 as the Sign-in method and click the Next button.
  6. In the General Settings step, define the values in General Settings appropriately and click the Next button at the bottom.
    1. App name: Enter an identifiable application name.
    2. App logo: Upload a logo that users can identify.
  7. In the Configure SAML step, define the values in SAML Settings appropriately and click the Next button at the bottom.
    1. Single sign-on URL: https://{{querypie.domain}}/saml/sp/acs
    2. Audience URI (SP Entity ID): https://{{querypie.domain}}/saml/sp/metadata
    3. Attribute Statements (optional): Enter the required QueryPie URL attributes as follows:
      1. Name: firstName
        Name format: Unspecified
        Value: user.firstName
      2. Name: lastName
        Name format: Unspecified
        Value: user.lastName
      3. Name: email
        Name format: Unspecified
        Value: user.email
      4. Name: loginId
        Name format: Unspecified
        Value: user.login
  8. In the Feedback step, select I'm an Okta customer adding an internal app and click the Finish button at the bottom.
  9. After the Application is created, go to the General tab at the top and click the Edit button on the right of the App Settings menu.
  10. Select SCIM for the Provisioning field and click the Save button.
  11. Complete SSO integration by following Integrating with Okta | Setting QueryPie Application Integration Information in Okta and Integrating with Okta | Configuring Okta Integration and Synchronization in QueryPie, then proceed with the following steps.

Okta-QueryPie Provisioning integration

Okta Admin Console > Applications > Applications > Custom SCIM App > Provisioning > Integration


You must complete the Activating Provisioning step first.

  1. Go to the Provisioning tab of the SCIM App created in Okta.
  2. Click the Edit button on the right of SCIM Connection and fill in the following values:
    1. SCIM connector base URL: Insert the SCIM Endpoint value retrieved from QueryPie.
    2. Unique identifier field for users: “userName”
    3. Supported provisioning action: Select all five of the following items:
      • Import New Users and Profile Updates
      • Push New Users
      • Push Profile Updates
      • Push Groups
      • Import Groups
    4. Authentication Mode: “HTTP Header”
    5. HTTP Header > Authorization: Insert the SCIM-specific access token value generated in QueryPie.
  3. Click the Test Connector Configuration button to test the connection.
  4. When a popup appears with the message “Connector configured successfully”, click the Close button.

  5. Click the Save button at the bottom to save the connection settings.
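
A pre-check of the values entered in the SCIM Connection form, as an added example that is not QueryPie's or Okta's code: it builds the standard SCIM 2.0 lookup by userName (RFC 7644 filter) that the unique identifier setting relies on. The base URL, token and user name are placeholders, and the Bearer scheme on the Authorization header is an assumption.

```python
import json
import urllib.parse
import urllib.request


def build_user_lookup(base_url, token, user_name):
    """Build GET {base}/Users?filter=userName eq "<user_name>" (RFC 7644)."""
    parts = urllib.parse.urlsplit(base_url)
    # The token travels in a header on every call, so plain http is refused.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SCIM connector base URL must be an absolute https URL")
    if parts.query or parts.fragment:
        raise ValueError("base URL must not carry a query string or fragment")
    # Whitespace or control characters in the token would corrupt the header.
    if not token or any(c.isspace() or ord(c) < 0x20 for c in token):
        raise ValueError("token is empty or contains whitespace")
    # SCIM filter strings follow JSON string rules; json.dumps escapes quotes
    # and backslashes so a user name cannot alter the filter expression.
    scim_filter = "userName eq " + json.dumps(user_name)
    query = urllib.parse.urlencode(
        {"filter": scim_filter, "count": "1"}, quote_via=urllib.parse.quote
    )
    return urllib.request.Request(
        base_url.rstrip("/") + "/Users?" + query,
        method="GET",
        headers={
            "Authorization": "Bearer " + token,  # assumed scheme
            "Accept": "application/scim+json",
        },
    )


def user_exists(req, timeout=10):
    """Send the request; an invalid token surfaces as urllib.error.HTTPError."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp).get("totalResults", 0) > 0


if __name__ == "__main__":
    # Placeholder endpoint and token; substitute the values issued by QueryPie.
    req = build_user_lookup(
        "https://querypie.example.com/scim/v2", "PLACEHOLDER_TOKEN",
        "alice@example.com",
    )
    print(req.full_url)
```
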

Enable and verify SCIM API

Okta Admin Console > Applications > Applications > Custom SCIM App > Provisioning > To App


  1. Go to the To App screen in the Provisioning tab of the SCIM App created in Okta.
  2. Click the Edit button on the right of Provisioning to App.
  3. Enable the checkboxes for the following settings and click the Save button to save:
    1. Create Users: Add users to the app when they are assigned to the app.
    2. Update User Attributes: Apply user profile updates to the app when they occur.
    3. Deactivate Users: Deactivate users in the app when they are deactivated.
  4. Click the Go to Profile Editor button under QueryPie SCIM App Attribute Mappings.
  5. Click the Mappings button under Attributes.
  6. Go to the tab labeled “Okta User to {App name you defined}” among the two tabs at the top of the popup.
  7. Map the items according to your settings and click the Save Mappings button at the bottom.
  8. Click the Apply updates now button at the bottom.

How to additionally synchronize some attributes

Some attribute items in the QueryPie profile, such as staticIp and macAddress, are not imported in the default settings of SCIM Integration. These attributes are:

  1. secondEmail
  2. mobilePhone
  3. postalAddress (It is added as “formatted” to comply with the SCIM schema, so you can map that item.)
  4. staticIp (QueryPie-specific custom attribute)
  5. macAddress (QueryPie-specific custom attribute)

If you need to sync these attributes as well, you can add Custom Attributes in an IdP such as Okta and map them for synchronization.

[Example: Setting Custom Attributes in Okta]
  1. Click Go to Profile Editor under Provisioning > To App in the SCIM app’s Provisioning tab.
  2. Click the Add Attribute button.
  3. Register a new attribute needed for synchronization.
    1. Data type: Select string, same as in QueryPie.
    2. Display name: Enter the attribute name to display in Okta.
    3. Variable name & External name: Enter the variable name of the custom attribute to synchronize.
      • You can also check the variable names in the QueryPie user profile (shown in parentheses).
    4. External namespace: Enter the following value.
      urn:ietf:params:scim:schemas:extension:querypie:2.0:User
  4. Then click the Save or Save and Add Another button to save.
  5. Then click the Mappings button.
  6. Select the second tab (Okta → {APP}) at the top of the prompt.
  7. Map the newly created Custom Attribute with the appropriate Attribute in IdP at the bottom and click the Save Mappings button to save the settings.
  8. Then assign users to the app.
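
To show where the custom attributes end up once the external namespace is set, the following added example (not QueryPie's or Okta's code) checks a SCIM User resource against the RFC 7643 rules for schema extensions. The sample user is constructed, and the value formats assumed for staticIp and macAddress (one IP literal, one colon- or hyphen-separated MAC) are assumptions, not taken from this guide.

```python
import ipaddress
import re

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# External namespace from step 3.4 of the procedure above.
QP_EXT = "urn:ietf:params:scim:schemas:extension:querypie:2.0:User"
# Assumed format: six hex octets separated by ":" or "-".
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def _bad_ip(value):
    try:
        ipaddress.ip_address(str(value))
        return False
    except ValueError:
        return True


def check_user_resource(user):
    """Return a list of problems found in a SCIM User resource (dict)."""
    problems = []
    schemas = user.get("schemas", [])
    if CORE_USER not in schemas:
        problems.append("core User URN missing from schemas")
    if not user.get("userName"):
        problems.append("userName is required")
    for name in ("staticIp", "macAddress"):
        if name in user:  # attribute mapped without the external namespace
            problems.append(f"{name} must be nested under the extension URN")
    ext = user.get(QP_EXT)
    if ext is None:
        return problems
    if QP_EXT not in schemas:  # RFC 7643: schemas lists every URN in use
        problems.append("extension URN missing from schemas")
    if "staticIp" in ext and _bad_ip(ext["staticIp"]):
        problems.append("staticIp is not an IP address")
    if "macAddress" in ext and not MAC_RE.fullmatch(str(ext["macAddress"])):
        problems.append("macAddress is not a MAC address")
    return problems


# Constructed sample of a pushed user; every value is made up.
SAMPLE_USER = {
    "schemas": [CORE_USER, QP_EXT],
    "userName": "alice@example.com",
    "name": {"givenName": "Alice", "familyName": "Example"},
    "emails": [{"value": "alice@example.com", "primary": True}],
    "active": True,
    QP_EXT: {"staticIp": "192.0.2.10", "macAddress": "00:00:5E:00:53:01"},
}
```
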

Verify user provisioning

Okta Admin Console > Applications > Applications > Custom SCIM App > Assignments

  1. Return to the SCIM app and assign users through the options of the Assign button in the Assignments tab.
    1. Assign to People: Assign by individual users
    2. Assign to Groups: Assign by user group
  2. Return to the QueryPie app and go to Administrator > General > User Management > Users to verify that users have been pushed successfully.

Administrator > General > User Management > Users > List Details



Verify group provisioning

Okta Admin Console > Applications > Applications > Custom SCIM App > Push Groups


  1. Return to the SCIM app and push groups through the options of the Push Groups button in the Push Groups tab.
    1. Find groups by name: Search by the group name to push and assign
    2. Find groups by rule: Define search rules to assign groups that match the conditions
  2. Return to the QueryPie app and go to Administrator > General > User Management > Groups to verify that groups have been pushed successfully.

For groups whose Auth Provider is not QueryPie and that were created by being pushed from a third-party Identity Provider (IdP) such as Okta, we recommend unlinking and deleting them from the IdP side. If you delete such groups in this product, the management flow in the IdP may be disrupted, and it may be difficult to push the same deleted group name back into the product.
