Okta Integration
QueryPie supports Okta integration, allowing you to synchronize users and groups from Okta to grant access and enforce policies. This integration provides a streamlined and convenient experience for your users while maintaining strict security policies. By integrating with Okta, QueryPie enhances the security, operational efficiency, and user experience of your databases and systems management ecosystem.
To implement SCIM provisioning integration, please follow the steps outlined in the [Okta] Provisioning Integration Steps.
Adding QueryPie as an Application in Okta
Access the Okta admin console after signing in with an admin account.
On the Okta admin page, in the left pane, go to Applications > Applications menu.
Click the Browse App Catalog button and search for QueryPie.
Select the QueryPie application catalog and click the Add Integration button.
After confirming that the Application Label is entered as QueryPie, click the Done button to add the application.
Setting Up a Profile Editor
In the left pane of the Okta admin console, navigate to Directory > Profile Editor.
Select 'QueryPie User' from the list of profiles.
In the Attributes settings, click the Add Attribute button.
On the Add Attribute screen, enter the following items in order, saving after each one:
Display name : firstName / Variable name : firstName, then click Save and Add Another
Display name : lastName / Variable name : lastName, then click Save and Add Another
Display name : email / Variable name : email, then click Save and Add Another
Display name : loginId / Variable name : loginId, then click Save
Confirm that the four attributes have been added and click the Mappings button.
Associate the Okta User Profile Attribute entry with the Attribute in your QueryPie User Profile as shown below:
user.firstName ↔︎ firstName
user.lastName ↔︎ lastName
user.email ↔︎ email
user.email ↔︎ loginId (Use Okta's email entry as QueryPie's Login Id.)
Click Save Mappings.
Assigning Users to QueryPie Applications
On the Okta admin console, navigate to Applications > Applications menu.
Select the QueryPie application from the list.
Go to the Assignments tab and click the Assign button to select either Assign to People or Assign to Group.
Assign the users or groups you want to allow access to QueryPie using their Okta accounts, and then click the Done button.
When assigning People, verify the user information and click the Save and Go Back button.
When assigning a Group, leave the loginId field blank and click the Save and Go Back button.
You can view the history of users or groups that have been assigned to and added to your QueryPie application.
Setting Up QueryPie Application Integration Information in Okta
On the QueryPie application page within Okta, navigate to the Sign On tab.
In the Settings area, click the Edit button to enter the domain address where QueryPie is installed in the Base URL field, then save it.
Access the URL listed under Metadata URL and copy the XML information displayed.
Issuing Okta API Tokens with Minimal Permissions
To synchronize users, groups, and group memberships between QueryPie and Okta, you need to issue an Okta Admin API token. Typically, this involves issuing and applying an API token to your Okta Super Administrator/Read-Only Administrator account. Here's a general method to do so:
Access the Okta admin console after logging in with your Okta Super Administrator or Okta Read-Only Administrator account.
Navigate to the Security > API menu.
Within the API menu, go to the Tokens tab.
Click on the Create Token button to generate a new API token.
If you need to adjust your Okta API token to grant minimal permissions to improve security, we recommend creating an API token with the following permissions and methods:
Navigate to the Directory > People menu and click on Add Person to create an account for dedicated system integration. If you already have an account enabled for QueryPie integration, skip this step.
Navigate to the Security > Administrators menu and go to the Roles tab.
Select Create new role.
Define a role name (e.g. MinimumAdminRole) and role description. In Select Permissions, check only the following permissions:
User: View users and their details
Group: View groups and their details
Application: View applications and their details
Click Save role to save the custom role.
Go to the Resources tab.
Select Create new resource set. If you already have a resource set created for scoping permissions, skip this step and proceed to step 9.
Define a Name (e.g. MinimumResources) and Description. Specify the following ranges:
User : Select all QueryPie users
Group : Select all QueryPie usage groups
Application : Limited to QueryPie apps
Press Create to save the resource set.
Go to the Admins tab and assign the following permissions to the account for the QueryPie integration:
Role: MinimumAdminRole | Resource: MinimumResources
Role: Read-Only Administrator (granted temporarily, to allow access to the API token creation menu)
Authenticate and access the Okta Admin console with your QueryPie integration account.
In the Security > API menu, go to the Tokens tab.
Click the Create Token button to generate an authentication token.
Once the token is generated, go back to the admin account you initially worked with and edit the account for the integration on the Security > Administrators > Admins tab to take back the Read-Only Administrator permissions.
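One way to confirm that the temporary Read-Only Administrator grant was taken back is to review the integration account's active admin role assignments. The following is an added example, not QueryPie or Okta code: the sample records are constructed, their field names are assumed to follow Okta's "list roles assigned to a user" API response, and the IDs are placeholders.

```python
import json

EXPECTED_ROLE = "MinimumAdminRole"  # custom role name used in the steps above

# Constructed sample data (placeholder IDs), shaped like the response of
# Okta's "list roles assigned to a user" call: GET /api/v1/users/{userId}/roles.
# Field names are an assumption based on that API, not taken from this page.
BEFORE_CLEANUP = json.loads("""
[
  {"id": "ROLE_ASSIGNMENT_1", "type": "CUSTOM", "label": "MinimumAdminRole",
   "status": "ACTIVE", "assignmentType": "USER",
   "resource-set": "RESOURCE_SET_ID_PLACEHOLDER"},
  {"id": "ROLE_ASSIGNMENT_2", "type": "READ_ONLY_ADMIN",
   "label": "Read-Only Administrator", "status": "ACTIVE",
   "assignmentType": "USER"}
]
""")
AFTER_CLEANUP = [a for a in BEFORE_CLEANUP if a["type"] == "CUSTOM"]


def audit_integration_roles(assignments, expected_role=EXPECTED_ROLE):
    """Return findings; an empty list means only the scoped custom role is active."""
    findings = []
    found_expected = False
    for a in assignments:
        if a.get("status") != "ACTIVE":
            continue  # inactive assignments grant nothing
        role_type, label = a.get("type"), a.get("label")
        if role_type == "CUSTOM" and label == expected_role:
            found_expected = True
            if not a.get("resource-set"):
                findings.append(f"{label}: no resource set, role is unscoped")
        else:
            # Any other active admin role widens what the API token can do,
            # e.g. a Read-Only Administrator grant left over from token creation.
            findings.append(f"unexpected role: {label} ({role_type})")
    if not found_expected:
        findings.append(f"missing expected role: {expected_role}")
    return findings


if __name__ == "__main__":
    for name, data in (("before", BEFORE_CLEANUP), ("after", AFTER_CLEANUP)):
        print(name, audit_integration_roles(data) or "OK")
```

Okta API tokens carry the permissions of the account that created them, so a role left on the integration account also applies to the token QueryPie uses.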
Setting Up Okta Integration and Synchronization in QueryPie
In QueryPie, navigate to the Administrator > General > User Management > Authentication menu.
In the Authentication Type field, select Okta.
Paste the copied XML information into the Identity Provider Metadata field.
If you want to set up automatic synchronization, check Use Synchronization with the Authentication System.
API URL: The URL can be found in the form {domain}.okta.com by clicking on your profile in the top right corner of the Okta admin page.
API Token: Enter the Okta Admin API token.
Application ID: Enter if you use more than one QueryPie app in Okta.
If you want to use the automatic synchronization feature, set Scheduling in the Replication Frequency field.
Click Save Changes.
Click Synchronize to synchronize users in Okta with QueryPie.
How to Find Your Application ID
If you are using more than one QueryPie application, navigate to the Okta Admin Console > Applications and click your QueryPie app to view its details. In the URL of your browser’s address bar, you will find the Application ID as shown in the screenshot below.
Signing In With Okta
You can view synchronized users and groups in the Administrator > General > User Management > Users or Groups menu.
You can now sign in to QueryPie with your Okta account via the Login with Okta button on the login page.
Users and groups support one-way synchronization from Okta to QueryPie.