1 of 4

Okta

Okta and LDAP

Audience: Application Admins
Content Summary: This page explains what the Okta LDAP Interface is and the set up process.

Introduction

Okta LDAP Interface is a built-in Okta integration that enables you to expose your Okta directory over standard LDAP wire. The Okta LDAP Interface exposes the entire Okta directory.

The LDAP interface is not an isolated application

This means that you cannot manage the assignment of users and groups to the LDAP Interface the same way you would in a web application. Instead, you should be able to leverage LDAP filters to moderate access to applications that call the LDAP Interface (i.e., filtering user attributes and groups.)

1 - Enable LDAP Interface in Your Okta Account

Go to the Admin Console in your Okta account.
Select Directory, and then click Directory Integrations.
Select Add Directory and Add LDAP Interface. You will be presented with the details required to make a successful LDAP connection.

Best Practice: Create a Service Account

Create a service account to use as your LDAP bind user; any Okta admin with the "view users" permission can serve the role. Choose the Read-Only Admin to grant the least privilege.

2 - Set Up Query Engine Authentication with the LDAP Interface

Configure your IAM in Immuta.
1. Navigate to the App Settings page in Immuta.
2. Click the Add IAM button.
3. Complete the Display Name field and select your IAM type from the Identity Provider Type dropdown: LDAP/Active Directory, SAML, or OpenID.
  For a tutorial on setting up an Okta IAM see the .
Follow these parameters to set up the Query Engine with LDAP ():
Parameter in pg_hba.conf Example value
In a Kubernetes deployment with the Immuta Helm Chart, you will need to add an entry to queryEngine.clientPgHBARules. Here’s an example of a possible pg_hba.conf entry to add to your Helm values YAML file (notice the placeholders):

3 - Configure MFA in Okta

To enforce directory-wide MFA, create an authentication policy in Okta (if you do not yet have MFA policies in place).

Navigate to Security in the Okta Admin console.
Select Authentication, and then click Sign On.
Note: If you enforce MFA on the user that’s configured as your LDAP bind user, the integration won’t work. You will therefore need to make that user exempt in your MFA policies.

Okta and OpenID Connect

Audience: Application Admins
Content Summary: This page outlines the requirements and process for adding OpenID Connect as your IAM in Immuta.

Requirements

Administrator account in Okta.

Supported Features

Immuta's OpenID Connect integration supports the following features

Service Provider (SP)-Initiated Authentication (SSO) Flow
Identity Provider (IDP)-Initiated Authentication (SSO) Flow

Configuration Steps

1 - Add the Immuta Application in Okta

Log in to Okta as an Admin, navigate to the Applications tab, and click Add Application.
Search for Immuta in the search bar and click Add.
Choose a name for your integration and click Next. Then select the OpenID Connect button.
Scroll down and enter the Base URL for your Immuta instance.
Enter the IAM ID for your Immuta OIDC integration (if you have not created an IAM ID, you will complete that step in the next section).
Click Done and once the page reloads, navigate back to the Sign On tab and copy down the Client ID and Client secret.

2 - Add OpenID Connect in Immuta

Log in to Immuta and click the App Settings icon in the left sidebar.
Click the Add IAM button and enter a Display Name.
Select OpenID from the Identity Provider Type dropdown menu.
If required, navigate back to Okta and enter the IAM ID below the Base URL then complete the steps from the Okta section.

3 - Configure OpenID Connect

In the Identity Management section of the Immuta console, enter the Client ID and Client Secret you copied from Okta in the previous section.
Enter the following URL in the Discover URL field: https://<your_okta_workspace.com>/.well-known/openid-configuration.
Opt to add additional Scopes.
Opt to Enable SCIM support for OpenID by clicking the checkbox, which will generate a SCIM API Key.
In the Profile Schema section, map attributes in OpenID to automatically fill in a user's Immuta profile. Note: Fields that you specify in this schema will not be editable by users within Immuta.
Opt to Allow Identity Provider Initiated Single Sign On to use the IDP-Initiated SSO feature by selecting the checkbox.
Opt to Migrate Users from another IAM by selecting the checkbox.

4 - Test Connection and Save Configuration

Click the Test Connection button.
Once the connection is successful, click the Test User Login button.
Click Save.

Integrate Okta SAML SCIM with Immuta

Requirements

An Immuta instance with version 2020.4 or higher is required to use Immuta's SCIM 2.0 feature.
Users have to be an administrator in Okta to edit or add applications.

Supported Features

The following Okta provisioning features are supported by Immuta:

Import Users from Okta: Okta users who had previously been assigned to an Okta application can be imported to your Immuta instance.
Push Users to Immuta: Okta users who are assigned to the Immuta application in Okta are automatically added as members to your Immuta instance.
Deactivate Users in Immuta: Okta users who are unassigned from the Immuta application in Okta or are deleted or deactivated from Okta are automatically deactivated in your Immuta instance.
Push Groups to Immuta: Groups and their members in Okta can be pushed to your Immuta instance.
Remove Groups from Immuta: Groups in Okta are removed from your Immuta instance when they are no longer mapped to your Immuta application in Okta.
Map User Attributes from Okta to Immuta: You can map user attributes between Okta and your Immuta instance. The mapping will remain synced by detecting profile changes in Okta.

Configuration Instructions

1 - Add SAML Application in Okta

Log in to your Okta instance and click Applications in the menu in the left pane.
Click Browse App Catalog, and then search for and select Immuta.
Click Add.
In General Settings, opt to change the Application label. Then, click Next.
Click View Setup Instructions and complete the tutorial to configure the IAM in Immuta. Note: You will complete all steps outlined for the Immuta App Settings page except Test User Login. You cannot test the login or save the IAM configuration in Immuta until you have added yourself as a user to the application in Okta. These steps are outlined in the next section.
In the Okta console under Advanced Sign-on Settings, fill in the following fields.
- Base URL (typically your Immuta instance URL)
- IAM ID (found on the Immuta App Settings page)
Click Done.

2 - Add a User to the Application

Click the Assignments tab.
Click Assign and then Assign to People.
Enter your name in the search field to filter results, and then click Assign.
Click Save and Go Back, and then click Done.
Return to the Immuta console and click Test User Login. Once this test passes, click Save.

3 - Configure Immuta to Use SCIM External IAM

Navigate to the App Settings page in Immuta, and click the Add IAM button.
Complete the Display Name field and select SAML as your IAM type from the Identity Provider Type dropdown.
Adjust Default Permissions granted to users by selecting from the list in this dropdown menu, and then complete the required fields in the Client Options section.
Enable SCIM support for SAML by clicking the checkbox, which will generate a SCIM API Key.
In the Profile Schema section, map attributes in SAML to automatically fill in a user's Immuta profile. Note: Fields that you specify in this schema will not be editable by users within Immuta.
Enable Sync groups from SAML to Immuta and Sync attributes from SAML to Immuta by selecting the checkboxes, and then click the Test Connection button.
Once the connection is successful, click the Test User Login button.
Before you save the configuration, store the SCIM information that displays on the Immuta App Settings page, as it will be used in subsequent steps.

4 - Update Existing Okta Application to Enable SCIM

In Okta, navigate to your application and click the Provisioning tab.
Click Configure API Integration and then select the Enable API integration checkbox.
Fill in the following fields:
- Base URL (found on the Immuta App Settings page as SCIM URL)
- API Token (found on the Immuta App Settings page as SCIM Api Key)
Click Test API Credentials.
Once that test passes, click Save.
You will automatically navigate to the Provisioning tab. To make sure everything syncs as expected, select To App in the Settings pane, click Edit, and enable the following fields:
- Create Users
- Update User Attributes
- Deactivate Users
Click Save.

Syncing Current Users in Okta

Once SCIM is enabled in Okta, it only works for changes in Okta going forward. To get your current users to sync, navigate to the Assignment tab and click Provision User in Okta. Existing users (or any new users you add/remove) should now display in Immuta under this external IAM.

Known Issues and Limitations

Using the same group to assign users to Okta (groups added to the Okta Assignments tab) and to push groups and users to Immuta (groups added to the Okta Push Groups tab) is not supported. See the Okta troubleshooting guide for details.
The Okta directory cannot be synced with Immuta's internal IAM (BIM). You must configure an external IAM in Immuta to push users and groups from Okta to Immuta.
You should create a new Immuta IAM and a new Okta application for Immuta to set up the provisioning. An existing setup can cause discrepancies between the Okta directory and the app, leading to syncing failures.
When making a GET request for a user, there are extra attributes in the response.

Additional Tutorials

Add Users in Okta SCIM

Navigate to your application in Okta and click the Assignments tab.
Click Assign and then Assign to People.
Enter the name of the user you would like to add in the search field and click Assign.
Click Save and Go Back, and then click Done.

The user has been added to your application in Okta and displays as a user in Immuta under this external IAM.

Remove Users from Okta SCIM

Click the delete icon next to the user you want to remove.
When prompted to make sure you want to delete this user, click OK.

This user is removed from your application in Okta and displays as disabled in Immuta under this external IAM.

Syncing Groups with Okta SCIM

Groups will automatically sync in Immuta for any users added to the SCIM application if

Push Groups in Okta is enabled
Sync Groups is enabled in Immuta

Add Users to Groups

In Okta, navigate to your application and click on the Assignments tab.
Click on the name of the user whose groups you want to update.
Click on the Groups tab.
To add a new group, start to type the name of an existing group in the search field, and when it displays, click Add.

This group has been added to the user in Okta. It will also automatically appear in Immuta for the same user.

Remove Users from Groups

In Okta, navigate to your application and click the Assignments tab.
Click the name of the user whose groups you want to update, and then navigate to the Groups tab.
Click the delete icon next to the group you want to remove for this user.

This group has been removed from the user in Okta, and it will automatically be removed from this user in Immuta.

Add Attributes to Users

In Okta, navigate to your application and click To App on the Provisioning tab.
Click the Go to Profile Editor button.
Click Add Attribute and fill in the following fields:
- Data type (defaults to string).
- Display name.
- Variable name.
- External namespace. This field has to be formatted using a special schema format (e.g., urn:ietf:params:scim:schemas:extension:enterprise:2.0:DEMOEXT). Copy this information; you will need it for Immuta configuration.
Click Save.

By default, the value for this attribute is empty. Follow the Adding Attribute Values section to add values.

Update the SCIM Attribute Schema in Immuta

In Immuta, navigate to the App Settings page and edit your SCIM configuration.
Scroll to the Attribute Schema section under Sync Attributes.
Click Add Attribute and complete the following fields:
- SCIM Schema: <found on the Okta SCIM attribute page (in the previous section)>
- IAM Immuta Attribute Prefix: this can be anything you want
Click Test Connection and then Test User.
Save your changes.

Add Attribute Values

After adding attributes to users and updating the SCIM Attribute Schema in Immuta,

In Okta, navigate to the Assignments tab for your application and click the edit icon next to the user you want to update attributes for.
Scroll to the attribute you created and add a value in the textbox.
Save your changes.

Now that this attribute has been added to the user in Okta, it will automatically appear in Immuta for the same user.

Sync External Usernames with Okta SCIM in Immuta

Syncing External Usernames

You must configure a SCIM application and enable sync attributes before syncing external usernames.

In Immuta, navigate to your Okta SCIM configuration on the App Settings page.
Under Sync attributes from SAML to Immuta, add an attribute for the field you would like to map to an external username.
Copy and paste the resulting attribute for the desired external username.
Click Test Connection and then Test User.
Save your changes.

Integrate Okta SAML SCIM with Immuta

Requirements

An Immuta instance with version 2020.4 or higher is required to use Immuta's SCIM 2.0 feature.
Users have to be an administrator in Okta to edit or add applications.

Supported Features

The following Okta provisioning features are supported by Immuta:

Import Users from Okta: Okta users who had previously been assigned to an Okta application can be imported to your Immuta instance.
Push Users to Immuta: Okta users who are assigned to the Immuta application in Okta are automatically added as members to your Immuta instance.
Deactivate Users in Immuta: Okta users who are unassigned from the Immuta application in Okta or are deleted or deactivated from Okta are automatically deactivated in your Immuta instance.
Push Groups to Immuta: Groups and their members in Okta can be pushed to your Immuta instance.
Remove Groups from Immuta: Groups in Okta are removed from your Immuta instance when they are no longer mapped to your Immuta application in Okta.
Map User Attributes from Okta to Immuta: You can map user attributes between Okta and your Immuta instance. The mapping will remain synced by detecting profile changes in Okta.

Configuration Instructions

1 - Add SAML Application in Okta

Log in to your Okta instance and click Applications in the menu in the left pane.
Click Browse App Catalog, and then search for and select Immuta.
Click Add.
In General Settings, opt to change the Application label. Then, click Next.
Click View Setup Instructions and complete the tutorial to configure the IAM in Immuta. Note: You will complete all steps outlined for the Immuta App Settings page except Test User Login. You cannot test the login or save the IAM configuration in Immuta until you have added yourself as a user to the application in Okta. These steps are outlined in the next section.
In the Okta console under Advanced Sign-on Settings, fill in the following fields.
- Base URL (typically your Immuta instance URL)
- IAM ID (found on the Immuta App Settings page)
Click Done.

2 - Add a User to the Application

Click the Assignments tab.
Click Assign and then Assign to People.
Enter your name in the search field to filter results, and then click Assign.
Click Save and Go Back, and then click Done.
Return to the Immuta console and click Test User Login. Once this test passes, click Save.

3 - Configure Immuta to Use SCIM External IAM

Navigate to the App Settings page in Immuta, and click the Add IAM button.
Complete the Display Name field and select SAML as your IAM type from the Identity Provider Type dropdown.
Adjust Default Permissions granted to users by selecting from the list in this dropdown menu, and then complete the required fields in the Client Options section.
Enable SCIM support for SAML by clicking the checkbox, which will generate a SCIM API Key.
In the Profile Schema section, map attributes in SAML to automatically fill in a user's Immuta profile. Note: Fields that you specify in this schema will not be editable by users within Immuta.
Enable Sync groups from SAML to Immuta and Sync attributes from SAML to Immuta by selecting the checkboxes, and then click the Test Connection button.
Once the connection is successful, click the Test User Login button.
Before you save the configuration, store the SCIM information that displays on the Immuta App Settings page, as it will be used in subsequent steps.

4 - Update Existing Okta Application to Enable SCIM

In Okta, navigate to your application and click the Provisioning tab.
Click Configure API Integration and then select the Enable API integration checkbox.
Fill in the following fields:
- Base URL (found on the Immuta App Settings page as SCIM URL)
- API Token (found on the Immuta App Settings page as SCIM Api Key)
Click Test API Credentials.
Once that test passes, click Save.
You will automatically navigate to the Provisioning tab. To make sure everything syncs as expected, select To App in the Settings pane, click Edit, and enable the following fields:
- Create Users
- Update User Attributes
- Deactivate Users
Click Save.

Syncing Current Users in Okta

Known Issues and Limitations

Using the same group to assign users to Okta (groups added to the Okta Assignments tab) and to push groups and users to Immuta (groups added to the Okta Push Groups tab) is not supported. See the Okta troubleshooting guide for details.
The Okta directory cannot be synced with Immuta's internal IAM (BIM). You must configure an external IAM in Immuta to push users and groups from Okta to Immuta.
You should create a new Immuta IAM and a new Okta application for Immuta to set up the provisioning. An existing setup can cause discrepancies between the Okta directory and the app, leading to syncing failures.
When making a GET request for a user, there are extra attributes in the response.

Additional Tutorials

Add Users in Okta SCIM

Navigate to your application in Okta and click the Assignments tab.
Click Assign and then Assign to People.
Enter the name of the user you would like to add in the search field and click Assign.
Click Save and Go Back, and then click Done.

The user has been added to your application in Okta and displays as a user in Immuta under this external IAM.

Remove Users from Okta SCIM

Click the delete icon next to the user you want to remove.
When prompted to make sure you want to delete this user, click OK.

This user is removed from your application in Okta and displays as disabled in Immuta under this external IAM.

Syncing Groups with Okta SCIM

Groups will automatically sync in Immuta for any users added to the SCIM application if

Push Groups in Okta is enabled
Sync Groups is enabled in Immuta

Add Users to Groups

In Okta, navigate to your application and click on the Assignments tab.
Click on the name of the user whose groups you want to update.
Click on the Groups tab.
To add a new group, start to type the name of an existing group in the search field, and when it displays, click Add.

This group has been added to the user in Okta. It will also automatically appear in Immuta for the same user.

Remove Users from Groups

In Okta, navigate to your application and click the Assignments tab.
Click the name of the user whose groups you want to update, and then navigate to the Groups tab.
Click the delete icon next to the group you want to remove for this user.

This group has been removed from the user in Okta, and it will automatically be removed from this user in Immuta.

Add Attributes to Users

In Okta, navigate to your application and click To App on the Provisioning tab.
Click the Go to Profile Editor button.
Click Add Attribute and fill in the following fields:
- Data type (defaults to string).
- Display name.
- Variable name.
- External namespace. This field has to be formatted using a special schema format (e.g., urn:ietf:params:scim:schemas:extension:enterprise:2.0:DEMOEXT). Copy this information; you will need it for Immuta configuration.
Click Save.

By default, the value for this attribute is empty. Follow the Adding Attribute Values section to add values.

Update the SCIM Attribute Schema in Immuta

In Immuta, navigate to the App Settings page and edit your SCIM configuration.
Scroll to the Attribute Schema section under Sync Attributes.
Click Add Attribute and complete the following fields:
- SCIM Schema: <found on the Okta SCIM attribute page (in the previous section)>
- IAM Immuta Attribute Prefix: this can be anything you want
Click Test Connection and then Test User.
Save your changes.

Add Attribute Values

After adding attributes to users and updating the SCIM Attribute Schema in Immuta,

In Okta, navigate to the Assignments tab for your application and click the edit icon next to the user you want to update attributes for.
Scroll to the attribute you created and add a value in the textbox.
Save your changes.

Now that this attribute has been added to the user in Okta, it will automatically appear in Immuta for the same user.

Sync External Usernames with Okta SCIM in Immuta

Syncing External Usernames

You must configure a SCIM application and enable sync attributes before syncing external usernames.

In Immuta, navigate to your Okta SCIM configuration on the App Settings page.
Under Sync attributes from SAML to Immuta, add an attribute for the field you would like to map to an external username.
Copy and paste the resulting attribute for the desired external username.
Click Test Connection and then Test User.
Save your changes.