IdP Configuration - Okta

SingleStore SCIM supports Okta with the SCIM 2.0 protocol and Okta custom application integrations. This applies only to Custom applications, not Okta Integration Network (OIN) applications. Refer to Create custom app integrations for more information on creating custom applications.

Prerequisites

  • RBAC authorization for the Organization Team feature.

  • RBAC user sync for the Engine RBAC at SingleStore database level.

Configure SCIM Provisioning

  1. On the Okta Portal, select General tab.

  2. Navigate to App Settings and select Edit.

  3. Select Provisioning > SCIM > Save.

  4. In the Provisioning tab, select Settings > Integration > Edit.

  5. Enter the endpoint URL from SingleStore SCIM configuration in SCIM connector base URL.

  6. Enter userName in Unique identifier field for users.

  7. Select the following in Supported provisioning actions:

    1. Push New Users

    2. Push Profile Updates

    3. Push Groups

  8. Select HTTP Header in Authentication Mode.

  9. Enter the secret token from SingleStore SCIM configuration in Authorization.

  10. Select Test Connector Configuration. Okta displays the test results.

  11. Navigate to Provisioning > To App.

  12. Select Edit to enable the following:

    1. Create Users

    2. Update User Attributes

    3. Deactivate Users
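To make the settings above concrete, here is an added example (not SingleStore's SCIM service or Okta's code) of the SCIM 2.0 exchanges those settings drive: the HTTP Header authentication mode becomes an `Authorization: Bearer <secret token>` header on every request; the `userName` unique identifier is what Okta filters on before creating a user; and Push New Users, Push Profile Updates and Deactivate Users map to `POST /Users`, `PUT /Users/{id}` and a `PATCH` that sets `active` to `false`. The in-memory `ScimUserEndpoint` class, the `SECRET_TOKEN` value and the sample user are all constructed for this illustration.

```python
"""Minimal SCIM 2.0 /Users handler modelling the requests Okta's custom app
integration sends once provisioning is enabled. Hypothetical stand-in; it is
not SingleStore's SCIM implementation."""
import hmac
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed placeholder: in practice this is the secret token from the
# SCIM configuration that you paste into Okta's Authorization field.
SECRET_TOKEN = "example-scim-secret-token"


def scim_error(status, detail):
    """SCIM error response body (RFC 7644 section 3.12)."""
    return {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


class ScimUserEndpoint:
    """In-memory /Users resource keyed by SCIM id; userName is the unique identifier."""

    def __init__(self, token):
        self._token = token
        self.users = {}  # SCIM id -> user resource

    def _authorized(self, headers):
        # Okta's "HTTP Header" mode sends "Authorization: Bearer <secret token>".
        # Compare in constant time so the check does not leak the token by timing.
        scheme, _, credential = headers.get("Authorization", "").partition(" ")
        return scheme.lower() == "bearer" and hmac.compare_digest(
            credential.encode(), self._token.encode())

    def _find_by_username(self, user_name):
        # SCIM defines userName as caseExact=false, so match case-insensitively.
        for user in self.users.values():
            if user["userName"].lower() == user_name.lower():
                return user
        return None

    def handle(self, method, path, headers, body=None, filter_expr=None):
        """Dispatch one request; returns (HTTP status, JSON-serialisable body)."""
        if not self._authorized(headers):
            return 401, scim_error(401, "invalid or missing bearer token")

        if method == "GET" and path == "/Users":
            # Test Connector Configuration and the pre-create lookup both use
            # GET /Users?filter=userName eq "<value>".
            matched = list(self.users.values())
            if filter_expr is not None:
                m = re.fullmatch(r'userName eq "([^"]*)"', filter_expr, re.IGNORECASE)
                if m is None:
                    return 400, scim_error(400, "unsupported filter")
                hit = self._find_by_username(m.group(1))
                matched = [hit] if hit else []
            return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(matched),
                         "startIndex": 1, "itemsPerPage": len(matched),
                         "Resources": matched}

        if method == "POST" and path == "/Users":
            # Push New Users / Create Users: the unique identifier must stay unique.
            if self._find_by_username(body["userName"]):
                return 409, scim_error(409, "userName already exists")
            user = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()),
                    "userName": body["userName"], "active": body.get("active", True),
                    "emails": body.get("emails", [])}
            self.users[user["id"]] = user
            return 201, user

        if not path.startswith("/Users/"):
            return 404, scim_error(404, "unknown resource")
        user = self.users.get(path[len("/Users/"):])
        if user is None:
            return 404, scim_error(404, "user not found")

        if method == "PUT":
            # Push Profile Updates / Update User Attributes: full replace, id kept.
            user.update({k: v for k, v in body.items() if k not in ("id", "schemas")})
            return 200, user

        if method == "PATCH":
            # Deactivate Users: Okta sends a PatchOp replacing active with false,
            # either as {"path": "active", "value": false} or {"value": {"active": false}}.
            for op in body.get("Operations", []):
                if op.get("op", "").lower() != "replace":
                    continue
                if "path" in op:
                    user[op["path"]] = op["value"]
                elif isinstance(op.get("value"), dict):
                    user.update(op["value"])
            return 200, user

        return 405, scim_error(405, "method not allowed")


if __name__ == "__main__":
    ep = ScimUserEndpoint(SECRET_TOKEN)
    hdrs = {"Authorization": "Bearer " + SECRET_TOKEN}
    print(ep.handle("POST", "/Users", hdrs, {"userName": "alice@example.com"}))
```

The deactivate path matters operationally: with Deactivate Users enabled, Okta does not delete the SCIM resource when a user is unassigned, it flips `active` to `false`, so the receiving side must treat an inactive user as unable to log in rather than waiting for a `DELETE`.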

Remarks

  • Okta separates provisioning into two categories:

    • Assignments for user information.

    • Push Groups for group information.

    To sync groups and their memberships, first assign the group in Assignments, then add it in Push Groups.

  • When changing the SCIM endpoint within the same Okta app integration, SingleStore does not recommend deleting groups in the target application before removing them from Push Groups. Otherwise, Okta returns an error when it tries to update those groups on the SCIM endpoint instead of creating them in the new (empty) SCIM endpoint.

  • If the SCIM endpoint is changed, reset or refresh the SCIM configuration in Okta.

  • The primary email is the unique identifier in the SingleStore organization; changing it triggers an update to the user that matches the new primary email in Okta.

Last modified: December 16, 2024


Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined
  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined
  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
    cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
    --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
    --bundle undefined \
    --new-bundle-format -
    Verified OK