Skip to main content
Skip table of contents

Okta Integration

QueryPie supports Okta integration, allowing you to synchronize users and groups from Okta to grant access and enforce policies. This integration provides a streamlined and convenient experience for your users while maintaining strict security policies. By integrating with Okta, QueryPie enhances the security, operational efficiency, and user experience of your databases and systems management ecosystem.

If you plan to implement SCIM provisioning integration, please proceed according to the procedures outlined in the [Okta] provisioning integration Steps. Note that if you simultaneously use the outbound user synchronization settings with the Okta API described below, it may impact user synchronization.

Adding QueryPie as an Application in Okta

image-20240723-064242.png

Okta Admin > Applications > Applications > Browse App Catalog > QueryPie Search

  1. Log in to the Okta admin console using an administrator account.

  2. Click your profile in the top-right corner and navigate to Your Org.

  3. From the left panel of the Okta Admin page, navigate to the Applications > Applications.

  4. Click the Browse App Catalog button and search for QueryPie.

  5. On the QueryPie application page, click the Add Integration button.

  6. Confirm that QueryPie is entered in the Application Label field, then click Donebutton to add the application.after signing in with an admin account.

Setting Up a Profile Editor

image-20240723-064424.png

Okta Admin > Directory > Profile Editor > QueryPie User > Add Attribute

  1. In the left pane of the Okta admin console, navigate to the Directory > Profile Editor.

  2. Select 'QueryPie User' from the list of profiles.

  3. In the Attributes settings, click the Add Attribute button.

  4. On the Add Attribute screen, enter the following items in order, then save:

    1. Display name : firstName / Variable name : firstName Save and Add Another

    2. Display name : lastName / Variable name : lastName Save and Add Another

    3. Display name : email / Variable name : email Save and Add Another

    4. Display name : loginId / Variable name : loginId Save

image-20240723-064721.png

Okta Admin > Directory > Profile Editor > QueryPie User > Mappings

  1. Confirm that the four attributes have been added and click the Mappings button.

  2. Associate the Okta User Profile Attribute entry with the Attribute in your QueryPie User Profile as shown below:

    1. user.firstName ↔︎ firstName

    2. user.lastName ↔︎ lastName

    3. user.email ↔︎ email

    4. user.email ↔︎ loginId (Use Okta's email entry as QueryPie's Login Id.)

  3. Click Save Mappings button.

Assigning Users to QueryPie Applications

image-20240723-065134.png

Okta Admin > Applications > Applications > QueryPie App

  1. On the Okta admin console, navigate to the Applications > Applications menu.

  2. Select the QueryPie application from the list.

  3. Go to the Assignments tab and click the Assign button to select either Assign to People or Assign to Group.

  4. Assign the users or groups you want to allow access to QueryPie using their Okta accounts, and then click the Done button.

    1. When assigning People, verify the user information and click the Save and Go Back button.

    2. When assigning the Group, leave the loginId field blank and click the Save and Go Back button.

  5. You can view the history of users or groups that have been assigned to and added to your QueryPie application.

Setting Up QueryPie Application Integration Information in Okta

image-20240723-065346.png

Okta Admin > Applications > Applications > QueryPie App

  1. On the QueryPie application page within Okta, navigate to the Sign On tab.

  2. In the Settings area, click the Edit button to enter the domain address where QueryPie is installed in the Base URL field, then save it.

  3. Access the URL listed under Metadata URL and copy the XML information displayed.

Issuing Okta API Tokens with Minimal Permissions

To synchronize users, groups, and group memberships between QueryPie and Okta, you need to issue an Okta Admin API token. Typically, this can be done by using an Okta Super Administrator or Read-Only Administrator account to generate and apply the API token as follows:

  1. Navigate to the Security > API in the left panel of the Okta Admin page.

  2. Go to the Tokens tab under the API menu.

  3. Click the Create Token button to generate an authentication token.

However, for enhanced security, it is recommended to minimize permissions for the Okta API token. If this is required, follow the permissions and methods outlined below to generate the token.

image-20240110-042233.png

Okta Admin Console > Security > Administrators > Roles > Create new role

  1. Navigate to the Directory > People menu and click on Add Person to create an account for dedicated system integration.

    • If you already have an account enabled for QueryPie integration, skip this step.

  2. Navigate to the Security > Administrators menu and go to the Roles tab.

  3. Select Create new role.

  4. Define a role name (e.g. MinimumAdminRole) and role description. In Select Permissions, check only the following permissions:

    1. User

      • View users and their details

    2. Group

      • View groups and their details

    3. Application

      • View application and their details

  5. Click Save role to save the custom role.

  6. Go to the Resources tab.

  7. Select Create new resource set.

    • If you already have a resource set created for scoping permissions, skip this step and proceed to step 10.

  8. Define a Name (e.g. MinimumResources) and Description. Specify the following ranges:

    1. User : Select all QueryPie users

    2. Group : Select all QueryPie usage groups

    3. Application : Limited to QueryPie apps

  9. Press Create to save the resource set.

  10. Go to the Admins tab and assign the following permissions to the account for the QueryPie integration:

    1. Role: MinimumAdminRole | Resource: MinimumResources

    2. Role: Read-Only Administrator

      • Temporarily grant API token for access to the Generate API Token menu

  11. Authenticate and access the Okta Admin console with your QueryPie integration account.

  12. In the Security > API menu, go to the Tokens tab.

  13. Click the Create Token button to generate an authentication token.

  14. Once the token is generated, go back to the admin account you initially worked with and edit the account for the integration on the Security > Administrators > Admins tab to regain Read-Only Administrator permissions.

Setting Up Okta Integration and Synchronization in QueryPie

image-20240723-070254.png

Administrator > General > User Management > Authentication

  1. In QueryPie, navigate to the Administrator > General > User Management > Authentication menu.

  2. In the Authentication Type field, select Okta.

  3. Paste the copied XML information into the Identity Provider Metadata field.

  4. If you want to set up automatic synchronization, check Use Synchronization with the Authentication System.

    1. API URL: The url can be found in the form {domain}.okta.com by clicking on your profile in the top right corner of the Okta admin page.

    2. API Token: Enter the Okta Admin API token.

    3. Application ID: Enter if you use more than one QueryPie app in Okta.

  5. To enable the automatic synchronization feature, configure the Scheduling option under Replication Frequency.

  6. Click the Dry Run button to verify that the integration information has been entered correctly.

  7. Save the configuration by clicking Save Changes.

  8. Finally, click the Synchronize button to sync users from Okta.

How to Find Your Application ID

If you are using more than one QueryPie application, navigate to the Okta Admin Console > Applications and click your QueryPie app to view its details. In the URL of your browser’s address bar, you will find the Application ID as shown in the screenshot below.

Okta Admin > Applications > QueryPie App URL

Signing In With Okta

  1. You can view synchronized users and groups in the Administrator > General > User Management > Users or Groups menu.

  2. You can now sign in to QueryPie with your Okta account via the Login with Okta button on the login page.

image-20240723-070449.png

Users and groups support one-way synchronization from Okta to QueryPie.

To implement SCIM provisioning integration, please follow the steps outlined in the [Okta] Provisioning Integration Steps.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.