Skip to main content
Skip table of contents

Okta Integration

QueryPie supports Okta integration, allowing you to synchronize users and groups from Okta to grant access and enforce policies. This integration provides a streamlined and convenient experience for your users while maintaining strict security policies. By integrating with Okta, QueryPie enhances the security, operational efficiency, and user experience of your databases and systems management ecosystem.

Add QueryPie as an Application in Okta

Okta Admin Console > Applications > Applications > Browse App Catalog > QueryPie Search

  1. Access the Okta admin console after signing in with an admin account.

  2. On the Okta admin page, in the left pane, go to Applications > Applications menu.

  3. Click the Browse App Catalog button and search for QueryPie.

  4. Select the QueryPie application catalog and click the Add Integration button.

  5. After confirming that the Application Label is entered as QueryPie, click the Done button to add the application.

Set Up a Profile Editor

Okta Admin Console > Directory > Profile Editor

  1. In the left pane of the Okta admin console, navigate to Directory > Profile Editor.

  2. Select 'QueryPie User' from the list of profiles.

  3. In the Attributes settings, click the Add Attribute button.

  4. On the Add Attribute screen, enter the following items in order, then save:

    1. Display name : firstName / Variable name : firstName Save and Add Another

    2. Display name : lastName / Variable name : lastName Save and Add Another

    3. Display name : email / Variable name : email Save and Add Another

    4. Display name : loginId / Variable name : loginId Save

Okta Admin Console > Directory > Profile Editor

  1. Confirm that the four attributes have been added and click the Mappings button.

  2. Associate the Okta User Profile Attribute entry with the Attribute in your QueryPie User Profile as shown below:

    1. user.firstName ↔︎ firstName

    2. user.lastName ↔︎ lastName

    3. user.email ↔︎ email

    4. user.email ↔︎ loginId (Use Okta's email entry as QueryPie's Login Id.)

  3. Save Mappings.

Assign Users to QueryPie Applications

Okta Admin Console > Applications > Applications > QueryPie App

  1. On the Okta admin console, navigate to Applications > Applications menu.

  2. Select the QueryPie application from the list.

  3. Go to the Assignments tab and click the Assign button to select either Assign to People or Assign to Group.

  4. Assign the users or groups you want to allow access to QueryPie using their Okta accounts, and then click the Done button.

    1. When assigning People, verify the user information and click the Save and Go Back button.

    2. When assigning the Group, leave the loginId field blank and click the Save and Go Back button.

  5. You can view the history of users or groups that have been assigned to and added to your QueryPie application.

Set Up QueryPie Application Integration Information in Okta

Okta Admin Console > Applications > Applications > QueryPie App

  1. On the QueryPie application page within Okta, navigate to the Sign On tab.

  2. In the Settings area, click the Edit button to enter the domain address where QueryPie is installed in the Base URL field, then save it.

  3. In the SAML Signing Certificates area, click the Generate new certificate button to generate one. (or use the existing certificate by clicking Actions > View IdP metadata)

  4. In the Actions section, click View IdP Metadata, then copy the XML information that appears in the new window.

Issue Okta API Tokens with Minimal Permissions

To synchronize users, groups, and group memberships between QueryPie and Okta, you need to issue an Okta Admin API token. Typically, this involves issuing and applying an API token to your Okta Super Administrator/Read-Only Administrator account. Here's a general method to do so:

  1. Access the Okta admin console after logging in with your Okta Super Administrator or Okta Read-Only Administrator account.

  2. Navigate to the Security > API menu.

  3. Within the API menu, go to the Tokens tab.

  4. Click on the Create Token button to generate a new API token.

If you need to adjust your Okta API token to grant minimal permissions to improve security, we recommend creating an API token with the following permissions and methods:

image-20240110-042233.png

Okta Admin Console > Security > Administrators > Roles > Create new role

  1. Navigate to the Directory > People menu and click on Add Person to create an account for dedicated system integration.

    • If you already have an account enabled for QueryPie integration, skip this step.

  2. Navigate to the Security > Administrators menu and go to the Roles tab.

  3. Select Create new role.

  4. Define a role name (e.g. MinimumAdminRole) and role description. In Select Permissions, check only the following permissions:

    1. User

      • View users and their details

    2. Group

      • View groups and their details

    3. Application

      • View application and their details

  5. Click Save role to save the custom role.

  6. Go to the Resources tab.

  7. Select Create new resource set.

    • If you already have a resource set created for scoping permissions, skip this step and proceed to step 9.

  8. Define a Name (e.g. MinimumResources) and Description. Specify the following ranges and press Create:

    1. User : Select all QueryPie users

    2. Group : Select all QueryPie usage groups

    3. Application : Limited to QueryPie apps

  9. Go to the Admins tab and assign the following permissions to the account for the QueryPie integration:

    1. Role: MinimumAdminRole | Resource: MinimumResources

    2. Role: Read-Only Administrator

      • Temporarily grant API token for access to the Generate API Token menu

  10. Authenticate and access the Okta Admin console with your QueryPie integration account.

  11. In the Security > API menu, go to the Tokens tab.

  12. Click the Create Token button to generate an authentication token.

  13. Once the token is generated, go back to the admin account you initially worked with and edit the account for the integration on the Security > Administrators > Admins tab to regain Read-Only Administrator permissions.

Set Up Okta Integration and Synchronization in QueryPie

General Settings > User Management > Authentication

  1. In QueryPie, navigate to the General Settings > User Management > Authentication menu.

  2. In the Authentication Type field, select Okta.

  3. Paste the copied XML information into the Identity Provider Metadata field.

  4. If you want to set up automatic synchronization, check Use Synchronization with the Authentication System.

    1. API URL: The url can be found in the form {domain}.okta.com by clicking on your profile in the top right corner of the Okta admin page.

    2. API Token: Enter the Okta Admin API token.

    3. Application ID: Enter if you use more than one QueryPie app in Okta.

  5. If you want to use the automatic synchronization feature, set Scheduling in the Replication Frequency field.

  6. Save Changes.

  7. Click Synchronize to synchronize users in Okta with QueryPie.

How to Find Your Application ID

If you are using more than one QueryPie application, navigate to the Okta Admin Console > Applications and click your QueryPie app to view its details. In the URL of your browser’s address bar, you will find the Application ID as shown in the screenshot below.

Okta Admin Console > Applications > QueryPie App URL

Sign In With Okta

  1. You can view synchronized users and groups in the General Settings > Users or Groups menu.

  2. You can now sign in to QueryPie with your Okta account via the Login with Okta button on the login page.

Users and groups support one-way synchronization from Okta to QueryPie. Synchronized users and groups cannot be modified or deleted within QueryPie.

Related Topics

 

Back to SSO Integration

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close