
Introduction

In this document you will learn how to:


  • Configure your Okta account to be able to use it as an Identity Provider (IdP) to perform authentication against a REST web service published in Denodo Virtual DataPort (VDP):

  • Create a user in Okta.

  • Create a group.

  • Register the Web Service as a SAML application.

  • Configure the Denodo Virtual DataPort server with the SAML configuration.

  • Configure the REST web service to use SAML as the authentication protocol.

Summary of the Process

This is what this document describes:

  • In Okta:

  • Create a user.

  • Create a group and assign it to the user.

  • Register the Denodo web service as a SAML application.

  • In the Denodo Virtual DataPort:

  • Enable SAML authentication at the server level.

  • Create a role with the same name as the group you have created in Okta.

  • Grant privileges to this new role.

  • Configure the web service to use SAML as the authentication protocol.

Once this is completed, you build a URL that sends the request through the identity provider; the data is retrieved through that URL.

In this article, the SAML assertion is used to perform the authorization. A SAML assertion usually includes the groups to which the authenticated user account belongs. When the Denodo VDP server receives the assertion, it looks for roles defined in the server whose names match those group names; the privileges granted to the matching roles become the privileges of this user. Not every group listed in the assertion has to exist as a role in the Virtual DataPort server: groups with no matching role are simply ignored. Because the mapping is by name, a group whose name equals an existing VDP role grants that role's privileges, so group naming in Okta should be treated as a privileged operation.

Okta Configuration

Create an Okta Developer account. If you already have your own, you can use it as well.

Create a User in Okta

  1. Log in to Okta as the admin user.

  2. Click on Directory > People. Then click on Add Person and, in this form, enter the details of the new user. Let's say: jsmith@acme.com.

  3. From a private window or another browser, log in as this user to activate the new account.

Okta Groups

Groups are used for authorization on third-party applications. There are different types of groups in Okta:

  • Native

  • Active Directory

  • LDAP

  • Application

See the official documentation for more information.

In this document, we are going to create a Native group because it is the simplest configuration. In a "real-world" scenario, customers may have different types of groups defined, for example groups imported from Active Directory.

To create a native group, log in to your Okta Admin Console and click on Directory > Groups > Add Group.

For example, create the group ‘developer’.

Assign Groups to a User

To assign a group to a user, do the following:

  1. On the Administration Console, go to Directory > People.

  2. Click on the user, open the Groups tab and type the name of the group (developer) to assign it to the user.

Single Sign-On with SAML

In Okta, a new application of type SAML has to be created.

  1. Log in to Okta as the admin user.
  2. Click on Applications > Applications.
  3. Click on Create App Integration.
  4. Select SAML 2.0 as Sign-in method.
  5. Set the App name and App visibility.
  6. Click on Next.

SAML Settings

Enter the following:

  • Single sign on URL: the base URL of the web service. This is the URL to which Okta will POST the SAML response, so it must be reachable by the user's browser. If a web service created in Denodo VDP is named "actor" in the "admin" database, the URL would look like the following (make sure to include the final forward slash in Okta). For example:

http://localhost:9090/server/admin/actor/

    The example uses plain HTTP on a local test server. Because the SAML response, and the assertion it carries, is posted to this URL, use the HTTPS port of the web container (9443 by default) for anything other than local testing.

  • Audience URI (SP Entity ID): the Service Provider identifier of this application. You will enter exactly the same value later, in the web service configuration. For example:

test

Attribute Statements

Add attribute statements to expose user profile values in the SAML assertion (optional).

Group Attribute Statements

Special attribute statements that expose the user's groups. The groups can be filtered; with the filter "Matches regex" and the pattern .* Okta sends all the groups assigned to the logged-in user. Sending every group discloses the user's complete group membership to the service and can make the assertion large, so in production restrict the filter to the groups that are meant to map to Virtual DataPort roles. Note the name you give this statement: it is the attribute name you will enter in the Denodo Role configuration.

Assign users to Application

After registering the SAML app, go to the Assignments tab.

Go to the Assign > Assign to People menu.

Assign the test user.

Click on Save and Go Back.


Configuration in the Denodo Virtual DataPort Server

Log into the Virtual DataPort server as Administrator user via Design Studio and navigate to Administration > Server Configuration > Security > SAML and enable the configuration.

Enter the details as follows:

Identity provider metadata URL - use the metadata URL from your SAML application created in Okta.

Service provider URL base - this should point to the Virtual DataPort server's web container:

http<s>://<server_hostname>:<tomcat_port(9090 or 9443)>/

Role configuration - when roles are taken from the assertion, enter the name of the Group Attribute Statement defined in the Okta SAML application; the name must match exactly, otherwise Denodo will not find any roles for the user. Otherwise, if LDAP is used, specify an LDAP configuration that can find the groups of the user identified by the SAML assertion. In both cases roles are matched to groups by name, so a group whose name equals a VDP role grants that role's privileges. Finally, make sure that the role your SAML sessions will receive exists and has privileges to access the web service and execute the underlying views.
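The following is an added example, not code from Denodo or Okta, that walks through the two halves of this mapping described above and in the Summary: the Okta group attribute filter that decides which groups are written into the assertion, and the Denodo side that reads the attribute named in Role configuration and keeps only the values that match an existing role by name. The assertion is constructed in memory and is not signed; a real service provider must verify the XML signature before trusting any attribute. The filter is assumed to behave like Python's re.fullmatch, and the attribute name "groups", the user jsmith@acme.com, the group names and the role names are all assumptions for the example.

```python
"""Added example (not Denodo or Okta code): how groups in a SAML assertion
become Virtual DataPort roles.

Stage 1 (Okta): the Group Attribute Statement filter selects which of the
user's groups go into the assertion ('.*' sends all of them).
Stage 2 (Denodo): the attribute named in "Role configuration" is read, and
every value that exactly equals the name of an existing VDP role becomes a
role of the session; values with no matching role are ignored.
The assertion below is constructed here and is NOT signed.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def okta_group_filter(user_groups, regex):
    """Simulate the 'Matches regex' filter of an Okta group attribute statement
    (assumed to behave like re.fullmatch)."""
    pattern = re.compile(regex)
    return [g for g in user_groups if pattern.fullmatch(g)]


def build_assertion(groups, attr_name="groups"):
    """Minimal, unsigned assertion carrying one multi-valued attribute (constructed)."""
    values = "".join(
        f"<saml:AttributeValue>{escape(g)}</saml:AttributeValue>" for g in groups
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example" Version="2.0">'
        "<saml:Subject><saml:NameID>jsmith@acme.com</saml:NameID></saml:Subject>"
        f'<saml:AttributeStatement><saml:Attribute Name="{escape(attr_name)}">'
        f"{values}</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )


def groups_from_assertion(assertion_xml, attr_name):
    """Values of the attribute whose Name equals attr_name; [] if there is none.
    This is the lookup the Denodo 'Role configuration' attribute name drives."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == attr_name:
            return [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return []


def map_groups_to_roles(groups, vdp_roles):
    """Exact name match against the roles defined in VDP; unmatched groups are dropped."""
    return sorted(set(groups) & set(vdp_roles))


def effective_roles(user_groups, group_filter, okta_attr_name, vdp_attr_name, vdp_roles):
    """End to end: Okta filter -> assertion -> Denodo attribute lookup -> roles."""
    sent = okta_group_filter(user_groups, group_filter)
    assertion = build_assertion(sent, okta_attr_name)
    received = groups_from_assertion(assertion, vdp_attr_name)
    return map_groups_to_roles(received, vdp_roles)


if __name__ == "__main__":
    groups = ["Everyone", "developer", "okta-admins"]   # constructed Okta groups
    roles = {"developer", "serveradmin"}                 # constructed VDP roles
    print(effective_roles(groups, ".*", "groups", "groups", roles))    # ['developer']
    print(effective_roles(groups, ".*", "groups", "memberOf", roles))  # []
```

The second call shows the failure mode of a mistyped attribute name in Role configuration: the assertion is valid, the user authenticates, but no roles are found. The test below also shows why group naming in Okta matters: a group called serveradmin would hand out the serveradmin role.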

To enable SAML Authentication for the REST web service, open the web service in Design Studio and navigate to Edit > Settings > Authentication tab and choose the Authentication as SAML 2.0.


Enter as Service provider ID exactly the same value as the Audience URI (SP Entity ID) defined in the Okta SAML application.

Save the web service and redeploy the element such that the above changes are reflected.

Finally, to invoke a SAML-configured web service, build a URL that sends the request to the identity provider (IdP), not to the REST service directly. This URL carries, in the RelayState parameter, the relative path of the resource you want to query. Generic example for Okta-based authentication:

https://<okta_domain>/app/<app_path>/sso/saml?RelayState=views%2Fview_2

Note that the relative path in RelayState has to be encoded. Both examples on this page use URL (percent) encoding, so views/actor becomes views%2Factor; if your Denodo version expects the path in base64 instead, check the Invoking Denodo Web Services manual for the exact format before building the URL.

For example, a URL like the following gives access to the web service:

https://dev-###.okta.com/app/dev-###_denodosamlws_1/exkmd7/sso/saml?RelayState=views%2Factor
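The following is an added example, not Denodo's code, that builds the IdP-initiated URL described above and reads the RelayState back out of it. The Okta domain example.okta.com and the app path are placeholders; the relative path views/actor follows this page. RelayState is percent-encoded by default, matching the URL examples above ('/' becomes %2F); scheme="base64" is offered for setups that expect the path base64-encoded. The helper refuses absolute URLs, leading slashes and ".." segments, so the parameter can only ever name a location inside the web service.

```python
"""Added example (not Denodo's code): build the Okta IdP-initiated URL for a
SAML-protected Denodo REST web service and recover the RelayState from it.
Domain and app path are placeholders; the relative path follows this page.
"""
import base64
from urllib.parse import parse_qs, quote, urlsplit


def encode_relay_state(relative_path, scheme="url"):
    """Encode the relative service path for the RelayState query parameter.
    Rejects anything that is not a plain relative path inside the service."""
    parts = relative_path.split("/")
    if (relative_path.startswith(("/", "\\")) or "://" in relative_path
            or ".." in parts or "" in parts):
        raise ValueError("RelayState must be a plain relative path inside the service")
    if scheme == "url":
        return quote(relative_path, safe="")       # 'views/actor' -> 'views%2Factor'
    if scheme == "base64":
        # base64 output can contain '/', '+' and '=', so it still needs percent-encoding
        return quote(base64.b64encode(relative_path.encode()).decode(), safe="")
    raise ValueError(f"unknown scheme {scheme!r}")


def build_idp_initiated_url(okta_domain, app_path, relative_path, scheme="url"):
    """https://<okta_domain>/app/<app_path>/sso/saml?RelayState=<encoded path>"""
    if not okta_domain or "/" in okta_domain:
        raise ValueError("okta_domain must be a bare host name")
    relay = encode_relay_state(relative_path, scheme)
    return f"https://{okta_domain}/app/{app_path.strip('/')}/sso/saml?RelayState={relay}"


def relay_state_from_url(url, scheme="url"):
    """Inverse of the above: the relative path carried by a constructed URL, or None."""
    values = parse_qs(urlsplit(url).query).get("RelayState")
    if not values:
        return None
    raw = values[0]  # parse_qs has already removed the percent-encoding
    return base64.b64decode(raw).decode() if scheme == "base64" else raw


if __name__ == "__main__":
    # placeholders: example.okta.com and the app path are not real values
    url = build_idp_initiated_url("example.okta.com", "example_denodosamlws_1/exk000", "views/actor")
    print(url)                          # ...sso/saml?RelayState=views%2Factor
    print(relay_state_from_url(url))    # views/actor
```

The validation in encode_relay_state is the practitioner's safety net: RelayState is attacker-influenced input that arrives at the service after authentication, so it should never be allowed to carry a full URL or a path outside the web service.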


References

Invoking Denodo Web Services

How To Configure Okta for Single Sign-On in Denodo Solution Manager

Disclaimer
The information provided in the Denodo Knowledge Base is intended to assist our users in advanced uses of Denodo. Please note that the results from the application of processes and configurations detailed in these documents may vary depending on your specific environment. Use them at your own discretion.
For an official guide of supported features, please refer to the User Manuals. For questions on critical systems or complex environments we recommend you to contact your Denodo Customer Success Manager.