Okta Integration
QueryPie supports Okta integration, allowing you to synchronize users and groups from Okta to grant access and enforce policies. This integration provides a streamlined and convenient experience for your users while maintaining strict security policies. By integrating with Okta, QueryPie enhances the security, operational efficiency, and user experience of your databases and systems management ecosystem.
If you plan to implement SCIM provisioning integration, please proceed according to the procedures outlined in the [Okta] provisioning integration Steps. Note that if you simultaneously use the outbound user synchronization settings with the Okta API described below, it may impact user synchronization.
Adding QueryPie as an Application in Okta
Log in to the Okta admin console using an administrator account.
Click your profile in the top-right corner and navigate to Your Org.
From the left panel of the Okta Admin page, navigate to the Applications > Applications.
Click the
Browse App Catalog
button and search for QueryPie.On the QueryPie application page, click the
Add Integration
button.Confirm that QueryPie is entered in the Application Label field, then click
Done
button to add the application.after signing in with an admin account.
Setting Up a Profile Editor
In the left pane of the Okta admin console, navigate to the Directory > Profile Editor.
Select 'QueryPie User' from the list of profiles.
In the Attributes settings, click the
Add Attribute
button.On the Add Attribute screen, enter the following items in order, then save:
Display name : firstName / Variable name : firstName
Save and Add Another
Display name : lastName / Variable name : lastName
Save and Add Another
Display name : email / Variable name : email
Save and Add Another
Display name : loginId / Variable name : loginId
Save
Confirm that the four attributes have been added and click the
Mappings
button.Associate the Okta User Profile Attribute entry with the Attribute in your QueryPie User Profile as shown below:
user.firstName ↔︎ firstName
user.lastName ↔︎ lastName
user.email ↔︎ email
user.email ↔︎ loginId (Use Okta's email entry as QueryPie's Login Id.)
Click
Save Mappings
button.
Assigning Users to QueryPie Applications
On the Okta admin console, navigate to the Applications > Applications menu.
Select the QueryPie application from the list.
Go to the Assignments tab and click the
Assign
button to select eitherAssign to People
orAssign to Group
.Assign the users or groups you want to allow access to QueryPie using their Okta accounts, and then click the
Done
button.When assigning People, verify the user information and click the
Save and Go Back
button.When assigning the Group, leave the loginId field blank and click the
Save and Go Back
button.
You can view the history of users or groups that have been assigned to and added to your QueryPie application.
Setting Up QueryPie Application Integration Information in Okta
On the QueryPie application page within Okta, navigate to the Sign On tab.
In the Settings area, click the
Edit
button to enter the domain address where QueryPie is installed in the Base URL field, then save it.Access the URL listed under Metadata URL and copy the XML information displayed.
Issuing Okta API Tokens with Minimal Permissions
To synchronize users, groups, and group memberships between QueryPie and Okta, you need to issue an Okta Admin API token. Typically, this can be done by using an Okta Super Administrator or Read-Only Administrator account to generate and apply the API token as follows:
Navigate to the Security > API in the left panel of the Okta Admin page.
Go to the Tokens tab under the API menu.
Click the
Create Token
button to generate an authentication token.
However, for enhanced security, it is recommended to minimize permissions for the Okta API token. If this is required, follow the permissions and methods outlined below to generate the token.
Navigate to the Directory > People menu and click on
Add Person
to create an account for dedicated system integration.If you already have an account enabled for QueryPie integration, skip this step.
Navigate to the Security > Administrators menu and go to the Roles tab.
Select
Create new role
.Define a role name (e.g. MinimumAdminRole) and role description. In Select Permissions, check only the following permissions:
User
View users and their details
Group
View groups and their details
Application
View application and their details
Click
Save role
to save the custom role.Go to the Resources tab.
Select
Create new resource set
.If you already have a resource set created for scoping permissions, skip this step and proceed to step 10.
Define a Name (e.g. MinimumResources) and Description. Specify the following ranges:
User : Select all QueryPie users
Group : Select all QueryPie usage groups
Application : Limited to QueryPie apps
Press
Create
to save the resource set.Go to the Admins tab and assign the following permissions to the account for the QueryPie integration:
Role: MinimumAdminRole | Resource: MinimumResources
Role: Read-Only Administrator
Temporarily grant API token for access to the Generate API Token menu
Authenticate and access the Okta Admin console with your QueryPie integration account.
In the Security > API menu, go to the Tokens tab.
Click the
Create Token
button to generate an authentication token.Once the token is generated, go back to the admin account you initially worked with and edit the account for the integration on the Security > Administrators > Admins tab to regain Read-Only Administrator permissions.
Setting Up Okta Integration and Synchronization in QueryPie
In QueryPie, navigate to the Administrator > General > User Management > Authentication menu.
In the Authentication Type field, select Okta.
Paste the copied XML information into the Identity Provider Metadata field.
If you want to set up automatic synchronization, check
Use Synchronization with the Authentication System
.API URL: The url can be found in the form {domain}.okta.com by clicking on your profile in the top right corner of the Okta admin page.
API Token: Enter the Okta Admin API token.
Application ID: Enter if you use more than one QueryPie app in Okta.
To enable the automatic synchronization feature, configure the Scheduling option under Replication Frequency.
Click the
Dry Run
button to verify that the integration information has been entered correctly.Save the configuration by clicking Save Changes.
Finally, click the
Synchronize
button to sync users from Okta.
How to Find Your Application ID
If you are using more than one QueryPie application, navigate to the Okta Admin Console > Applications and click your QueryPie app to view its details. In the URL of your browser’s address bar, you will find the Application ID as shown in the screenshot below.
Signing In With Okta
You can view synchronized users and groups in the Administrator > General > User Management > Users or Groups menu.
You can now sign in to QueryPie with your Okta account via the
Login with Okta
button on the login page.
Users and groups support one-way synchronization from Okta to QueryPie.
To implement SCIM provisioning integration, please follow the steps outlined in the [Okta] Provisioning Integration Steps.