Document toolboxDocument toolbox

Configuring SSO with Okta

This is a draft integration guide for Okta. Some steps may require further requirement. Any feedback is appreciated.

This page will explain how to enable Single Sign On (SSO) via Okta and use groups to manage roles in KADA. The authentication method used is Open ID connect (Oauth 2.0)

There are 5 keys steps to enable SSO.

  1. Add Okta as an OpenID Connect Identity Provider in K

  2. Add an OpenID Connection application in Okta (using the Keycloak redirect URL value from Step 1)

  3. Finalise Okta configuration in the Keycloak OpenID Connext Identity provider

  4. Create role groups in Okta

  5. Map role groups to K Keycloak

This function is restricted to K Administrators and Okta Administrators


Step 1. Add Okta as an OpenID Connect Identity Provider in K

  • Log into to your K platform instance ([customer].kada.ai)

  • Select Platform Settings in the side bar

  • In the pop-out side panel, under Administrations, click on Customisation

  • Under Platform Setup, toggle on Enable Single Sign On

  • Click on Configure Single Sign On

  • Select Identity Providers in the side panel and click Add Provider

  • Choose OpenIDConnect v1.0 from the drop down list

  • Complete the Alias field

    • The alias is part of the redirect URL and cannot have any characters that require url encoding eg spaces.

    • Copy this name if you plan to only allow SSO identities and disable local user logins.

  • Enter a Display Name - This is the name of the button that users will click on to access SSO

     

  • Copy the Redirect URL for use in the next step

  • Sync Mode - Select Force

Keep this page open while you finalise you obtain the missing details from OKTA to finalise the OpenID in Step 2.

In a new browser window continue to step 2


Step 2. Create a new application integration in Okta

  • Open a new window and log in to your company’s Okta account. Go to the Admin portal

  • Go to Applications in the sidebar. Select Applications. Click Create App Integration



  • Select Open IDConnect & Web Application. Click Next

     

  • Under General Settings fill in the below and click Save

    • App integration name: Enter K Data Catalog

    • Application Logo: Use the image below or request the K Logo file from support@kada.ai

       

    • Sign-in redirect URIs: Paste the redirect URL from Step 1 in the Login redirect URLs field

    • Controlled Access: select Skip group assignment for now

  • In the General Tab, copy the Client ID and Client Secret for use in Step 3




  • Go down to General Settings and click Edit. Go to the Login section and update the following. Click Save

    • Login initiated by: Either Okta or App

    • Application visibility: Display application icon to users

    • Login flow: Redirect to app to initiate login (OIDC Compliant)

    • Initiate login URI: Enter your K instance URL e.g. https://[customer].kada.ai

  • Go to Security in the sidebar. Select API. Click on the Authentication Server to be used for SSO

  • Copy the Metadata URI for use in Step 3


Step 3. Finalise Okta configuration in the Keycloak OpenID Connext Identity provider

  • Return to the Keycloak window from Step 1

  • Scroll to the bottom of the list and paste the Metadata URI that you copied in the previous step into the Import from URL and click Import

  • Some information will pre-populate from OKTA. Complete the missing information and click Save

    • Logout URL: Set this to your Okta login URL (e.g. https://abc123.okta.com/login/default) or any other URL

    • Client Authentication - Set to Client secret sent as basic auth

    • Client ID - Paste the Client ID saved from the previous step

    • Client Secret - Paste the Client Secret saved from the previous step

    • Default Scopes - Add openid email profile

       

    • Click Save

  • The Okta Log In option will now appear the next time you try to log in to KADA


Step 4. Create role Groups in Okta

To manage user access by roles, we need to create 5 new Groups in Okta and 5 new roles to align with the KADA role groups:

  • Go back to your company’s Okta account. Go to the Admin portal

  • Go to Directory in the sidebar. Select Groups

  • Click Add Group

  • Create 5 Groups and attach users based on the type of group they belong to:

     

Group Name

Description

Group Name

Description

KADA Administrator

A person responsible for managing the setup and configuration of the K platform.

KADA Business User

Anyone that is not a data worker (data analyst, scientist, engineer etc)

KADA Data User

A data worker (data analyst, scientist, engineer etc)

KADA Data Manager

Person(s) responsible for the oversight of the data platforms in your organisation

KADA Date Governance Manager

A person responsible for managing and governing the use, classification, description and access to data

  • Go to Applications in the sidebar. Select Applications. Click on the K Data Catalog application.

  • Go to Assignments tab and add the above groups to the application

 

  • Go to Security in the sidebar. Select API. Click on the Authentication Server that was used in Step 2

  • Go to the Claims tab. Click Add Claim. Fill in the following information and click Create

    • Name: add a unique name to identify the kada groups to be added to the Token

    • Include in token type: Select ID Token & Always

    • Value type: Select Groups

    • Filter: Select Starts with & KADA - this matches the groups created above

    • Include in: Select Any scope

       


Step 5: Map role groups to K Keycloak

We now need to link the groups you created in Step 4 to the roles in the K platform.

  • Log into to your K platform instance ([customer].kada.ai)

  • Select Platform Settings in the side bar

  • In the pop-out side panel, under Administration click on Customisation

  • Click on Configure Single Sign On

  • Go to Identity Providers

  • Select the newly created Identify Provider you created in Step 2 and click on the Mappers tab

     

    • You will need to create a mapping for each role. Click Create.

      • For each role

        • Set the mapper name: e.g. KADA Admin mapper

        • Set Mapper Type to Advanced Claim to Group

        • Add the claim name to the Key field.

        • Add Value from the table below. For the kada_admin_group_mapper the value is KADA Administrator (same as the Okta Group name)

        • Select the appropriate role for the group. See table below



Key

Value

Group

Key

Value

Group

Claim name above

KADA Administrator

kada_admin

Claim name above

KADA Business User

kada_business_user

Claim name above

KADA Data User

kada_user

Claim name above

KADA Data Manager

kada_data_manager

Claim name above

KADA Date Governance Manager

kada_data_gov_user

 

Check after each mapping is completed. It should look like the below

The SSO Setup is now completed.

You can now add users to the various Oktra groups as per your usual processes.


Other information

K uses Keycloak to manage SSO. If Keycloak application is running behind some proxy server then it won’t allow you to import this configuration.

To enable the configuration to be imported, set path for X.509 Client Certificate. Here is link to guide you through this from keycloak.

https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/authentication/x509.adoc