Last Updated: 2024-01-26
Background
This tutorial will guide you through the process of configuring a Starburst Galaxy single sign-on (SSO) using Okta.
Identity Providers (IdP)
An Identity Provider (IdP) is a system or service responsible for managing and authenticating the identities of users within a network or system. In the context of identity and access management (IAM), an IdP verifies the identity of individuals and provides authentication services, often in the form of login credentials (such as usernames and passwords) or other authentication methods.
In many scenarios, an IdP is a central component of a single sign-on (SSO) system. When a user attempts to access a protected resource or service, the IdP verifies the user's identity and, if authentication is successful, issues a security token. This token is then used to grant the user access to various applications or services without the need to re-enter credentials for each service.
Starburst Galaxy supports and tests the following three IdPs:
- Okta
- Microsoft Entra ID
- Google Workspace
Starburst Galaxy also supports the use of a Custom IdP, provided it supports the Security Assertion Markup Language (SAML) protocol standard.
Systems for Cross-domain Identity Management (SCIM)
A System for Cross-domain Identity Management (SCIM) is a standard protocol used to automate the exchange of user identity information between identity domains.
You can use SCIM to replicate and sync users and groups from your IdP into Starburst Galaxy. The IdP can also push changes in user and group membership, including deletions, to a Starburst Galaxy account configured to receive that information. This ultimately allows an administrator to assign IdP users and/or groups to access control roles in Starburst Galaxy after they are synced into Starburst Galaxy. The process of assigning roles is a separate task and not part of the SSO or SCIM configuration.
Starburst Galaxy supports and tests System for Cross-domain Identity Management (SCIM) with the following two IdPs:
- Okta
- Microsoft Entra ID
Prerequisites
- You need a Starburst Galaxy account to complete this tutorial. Please see Starburst Galaxy: Getting started for instructions on setting up a free account.
- This tutorial requires an Okta Developer account. If you do not already have one, you can sign up for a free account here.
Learning outcomes
Upon successful completion of this tutorial, you will be able to:
- Configure SSO to Starburst Galaxy with Okta
- Provision SCIM in Starburst Galaxy
About Starburst tutorials
Starburst tutorials are designed to get you up and running quickly by providing bite-sized, hands-on educational resources. Each tutorial explores a single feature or topic through a series of guided, step-by-step instructions.
As you navigate through the tutorial you should follow along using your own Starburst Galaxy account. This will help consolidate the learning process by mixing theory and practice.
Background
Okta is a cloud-based identity and access management (IAM) platform. It provides both authentication and authorization services for individuals and organizations, enabling users to access various applications, services, and resources with a single set of credentials.
In this first part of the tutorial, you will begin by configuring Starburst Galaxy to enable a Single Sign-on (SSO) using Okta.
Step 1: Sign into Starburst Galaxy
Sign into Starburst Galaxy in the usual way. If you have not already set up an account, you can do that here.
Step 2: Open Access control menu in Starburst Galaxy
Now it's time to begin configuring a new single sign-on. SSO is considered a form of access control, and management of new SSO configurations is handled through the Access control menu.
- In the left-hand navigation menu, expand the Access control.
- Select Single sign-on.
- Click the Configure single sign-on button.
Step 3: Select your identity provider
Next, it's time to select an Identity provider. You will choose Okta as the identity provider.
- Select the radio button for Okta.
- Make note of the three fields and their copy buttons highlighted in the image below. They will allow you to copy information between Starburst Galaxy and the Okta dashboard.
- Open a new tab in your browser.
Note: Do not close the Starburst Galaxy web UI. You will need both tabs open to continue with this tutorial.
Step 4: Open Applications menu in Okta dashboard
Now it's time to open the Okta dashboard. You're going to copy information between Starburst Galaxy and Okta to configure the SSO.
- In your new browser tab, sign in to your Okta Developer account.
- In the left-hand navigation menu, expand the Applications field.
- Inside the field, select Applications.
Step 5: Create an App Integration
The Okta dashboard allows you to create App integrations to manage SSO. These can be configured to use SAML.
- In Okta, click the Create App Integration button.
- Select SAML 2.0.
- Click the Next button.
- Enter a meaningful App name.
- Click the Next button.
Step 6: Copy SAML settings from Starburst Galaxy to Okta
Next, you're going to copy the three SAML fields from Starburst Galaxy into the Okta dashboard.
- Copy the Single sign-on URL field from Starburst Galaxy, and paste it into the Single sign-on URL field in the Okta dashboard.
- Copy the Audience URI (SP Entity ID) field from Starburst Galaxy, and paste it into the Audience URI (SP Entity ID) field in the Okta dashboard.
- Copy the Default RelayState from Starburst Galaxy, and paste it into the Default RelayState field in the Okta dashboard.
Step 7: Finish the App Integration
You're almost done. Next, you just need to confirm the App integration to finish the process.
- In the Okta dashboard, scroll down and click the Next button.
- Select I'm an Okta customer adding an internal app.
- Click the Finish button.
Step 8: View the metadata for your Identity Provider (IdP)
At the end of the last step, the Okta dashboard will take you to the Sign-On tab for your App Integration.
Next, you'll need to add the URL for the IdP metadata to Starburst Galaxy.
- Staying on the Sign On tab, scroll down to the SAML Signing Certificates section.
- On the line for SHA-2, click the Actions drop-down menu.
- Click View IdP metadata.
Step 9: Copy IdP metadata URL from Okta
Now it's time to copy the IdP metadata from the Okta dashboard to Starburst Galaxy. To do this, you're going to use the URL of the Okta page that just opened in the previous step and copy it into Starburst Galaxy. The metadata displayed on the page will automatically be imported.
- Copy the Okta dashboard URL.
- The screen should resemble the image below.
Step 10: Add IdP metadata to Starburst Galaxy
Now it's time to paste the Okta URL into Starburst Galaxy. Remember that this will automatically import the IdP metadata.
- In the Starburst Galaxy Web UI, scroll down to the Configure Starburst Galaxy section of the Configure single sign-on step.
- Select Metadata URL.
- Paste the Identity Provider Metadata URL.
- Click the Test configuration button.
- Confirm that you see the Hooray! We have successfully validated the configuration message.
- Click the Configure single sign-on button.
- Click the Yes, setup SCIM button.
Background
After configuring a single sign-on in Starburst Galaxy, you should automatically be taken to the Provision SCIM page.
This is the next step in the process, and this tutorial will guide you through this stage. Just like last time, you'll want to keep two tabs open - one for Starburst Galaxy and the other for the Okta dashboard.
Step 1: Generate access token
To get started, you'll need to generate an access token.
Later in this tutorial, you'll copy this Starburst Galaxy access token into the Okta dashboard.
- Click the Generate access token button.
Note: Do not click Finish or refresh the browser tab. If you do, you will lose this token and need to start again.
Step 2: Enable SCIM provisioning in Okta
Now it's time to switch over to the Okta dashboard.
This time, you're going to add additional information to the Provisioning section. This will allow SCIM to be set up.
- In the Okta dashboard, scroll up in your App integration section and select the General tab.
- In the App Settings section, click the Edit button.
- Select Enable SCIM provisioning.
- Click the Save button.
Step 3: Select the Provisioning tab in Okta
You should now see a new Provisioning tab at the top of your screen. This will allow you to begin configuring SCIM.
- Select the Provisioning tab.
- Click the Edit button.
Step 4: Configure provisioning between Starburst Galaxy and Okta
You will need to switch between the Starburst Galaxy UI and the Okta dashboard in this step.
- Copy the Starburst Galaxy SCIM URL from the Starburst Galaxy Web UI, and paste it into the SCIM connector base URL box of the Okta dashboard.
- In the Okta Dashboard, enter "email" in the Unique identifier field for users field.
- In the Supported provisioning actions section, make the following selections.
- Select Import New Users and Profile Updates.
- Select Push New Users.
- Select Push Profile Updates.
- Select Push Groups.
- In the Supported provisioning actions section, deselect the Import Groups field.
Note: This is an important step. Do not skip it. - In the Authentication Mode drop-down menu, select HTTP Header.
- Copy the Starburst Galaxy access token from the Starburst Galaxy Web UI, and paste it into the Okta Dashboard in the box for Authorization.
- Click the Test Connector Configuration button in the Okta dashboard.
Step 5: Confirm the successful connection in Okta
Now it's time to confirm the connection. You'll need to return to Okta to complete this step.
- In Okta, confirm that you see the Connector configured successfully message. If you see this message, the test has been successful.
- Click the Close button.
- Click the Save button.
Step 6: Finish provisioning SCIM in Starburst Galaxy
Now it's time to switch back to Starburst Galaxy to finish the process of provisioning SCIM. This is a short step, but an important one.
- Return to the Starburst Galaxy tab.
- In the Provision SCIM section, click the Finish button.
Step 7: Edit provisioning to app in Okta
Next, switch back to the Provisioning tab in the Okta dashboard. This is the part of the dashboard that you were using before.
- In the Settings section, select To App.
- Click the Edit button.
- Enable the Create users, Update User Attributes, and Deactivate Users fields.
- Although it is not required, it is recommended to also Enable the Sync Password field.
- Select Sync a randomly generated password.
- Click the Save button.
Step 8: Assign yourself to the Okta admin user group
If you add a group to your cluster, everyone in that group will get an email informing them that they can sign in and set their password after you configure SCIM. You can use Okta to assign yourself to the admin user group.
In a real-world production environment this may be desirable, but for the purposes of this tutorial it is not necessary.
- In Okta, select the Assignments tab.
- Click the Assign drop-down menu.
- Select Assign to People.
- Locate the Okta Admin user that matches your current login and select Assign. Note: This step is necessary to test access from Okta.
- Scroll down.
- Click the Save and Go Back button.
- Repeat this process for any other users that you would like to assign.
- When you have finished assigning users, click the Done button.
Step 9: View the new Okta users in Starburst Galaxy
Now it's time to return to your Starburst Galaxy tab and view the new Okta user. SSO access is handled through the Access control menu in Starburst Galaxy.
- In Starburst Galaxy, expand the Access control menu.
- Select Users.
- Notice that the Okta Users you assigned to the Starburst Galaxy App Integration are now listed.
- Scroll down in the user list, and click the ellipsis on the right of your Okta login.
- Notice that the options for Change owner and Delete user are no longer available. This is because this user is now managed externally by your organization's identity provider.
Step 10: Test the single sign-on configuration
You're good to go! Now it's time to test the SSO process from beginning to end to make sure that everything is working.
To do this, you'll need to sign out of both systems so you can test the new SSO method of signing-on .
- Log out of both Okta and Starburst Galaxy.
- In Starburst Galaxy, click the Sign back in button.
- Select the Sign in with Okta button.
- You will be redirected to Okta.
- Sign in with your Okta username and password.
- You have now signed in to Starburst Galaxy using Okta SSO.
Background
If you would like to delete the SSO provider at any time, you may use these instructions.
Please consider the following before you delete your SSO provider.
- The user disabling SSO must have accountadmin privileges.
- The user disabling SSO should not be logged in via SSO at the time of deletion.
- The Starburst Galaxy cluster must have a non-SSO account configured, and you must know the login credentials for it.
- The user disabling SSO must be able to sign in to Starburst Galaxy with a non-SSO account and password and must be logged in with that account when deleting an SSO configuration.
- When you delete the SSO provider, any groups assigned to roles will be removed.
- All SSO users that do not have a direct Starburst Galaxy login account, along with their role assignments will also be deleted.
Step 1: Delete the SSO provider
It's time to delete your SSO provider. To do this, you're going to sign in with Starburst Galaxy using a local account.
Note: Do not use the Sign in with Okta SSO button.
- Sign in to Starburst Galaxy.
- Expand the Access control menu.
- Select Single sign-on.
- Click Delete single sign-on.
Step 2: Confirm deletion
Starburst Galaxy asks you to manually confirm the deletion. This prevents unwanted errors.
- Enter DELETE in the confirmation field.
- Click the Yes, delete button.
Tutorial complete
Congratulations! You have reached the end of this tutorial, and the end of this stage of your journey.
Now that you've completed this tutorial, you should have a better understanding of how to configure SSO for Starburst Galaxy with Okta.
Continuous learning
At Starburst, we believe in continuous learning. This tutorial provides the foundation for further training available on this platform, and you can return to it as many times as you like. Future tutorials will make use of the concepts used here.
Next steps
Starburst has lots of other tutorials to help you get up and running quickly. Each one breaks down an individual problem and guides you to a solution using a step-by-step approach to learning.
Tutorials available
Visit the Tutorials section to view the full list of tutorials and keep moving forward on your journey!
