Configuring Okta For SSO
DataGrail supports two configurations for Okta SSO. You only need to choose one.
| Configuration | Best For | Roles Managed In |
|---|---|---|
| Standard Configuration | Most customers. | DataGrail |
| Group Provisioning | Large organizations. | Okta |
Standard Configuration
This section documents the standard configuration for Okta as an identity provider to support logging in to the DataGrail app. With this configuration, user roles must be managed within DataGrail.
Persons Needed to Complete Configuration: IT Person from your organization
- Sign in to Okta as an admin.
- Navigate to Applications in the left-hand menu and select Browse App Catalog to search for DataGrail.
- Select Add Integration.
- Enter your DataGrail subdomain and select Done.
  Finding Your Subdomain
  `<subdomain>` should be replaced with the subdomain configured for your DataGrail account. For example, if you log in to DataGrail at `yourcompanyname.datagrail.io`, your subdomain is `yourcompanyname`. If you are unclear on what your subdomain would be, please confirm with your Account Manager or reach out to support@datagrail.io.
- When redirected back to the Applications Page, select the DataGrail Application and navigate to the Sign On tab.
- Scroll down to the SAML Signing Certificates section. You should see an active certificate that is automatically created.
- Select the Actions dropdown and View IdP Metadata (this should open in another tab).
- Copy the URL of the Identity Provider Metadata.
- Send the metadata URL to DataGrail at support@datagrail.io. We will complete the configuration.
Please visit Inviting New Users for more instructions on adding users and managing roles.
Group Provisioning
The Group Provisioning functionality is best for advanced users that would like to provision roles automatically based on group assignments within Okta. You cannot manage user roles within DataGrail using this configuration.
Persons Needed to Complete Configuration: IT Person from your organization
Creating the Okta App
The Group Provisioning configuration requires a custom Okta App. You cannot use the DataGrail app in the Okta catalog to complete this configuration.
- Sign in to Okta as an admin.
- Navigate to Applications in the left-hand menu, select Create App Integration, and choose SAML 2.0.
  SAML Application Configuration
  - Single Sign On URL: `https://<subdomain>.datagrail.io/saml/auth`
  - Audience URI (SP Entity ID): `https://<subdomain>.datagrail.io/saml/metadata`
  `<subdomain>` should be replaced with the subdomain configured for your DataGrail account. For example, if you log in to DataGrail at `yourcompanyname.datagrail.io`, your subdomain is `yourcompanyname`. If you are unclear on what your subdomain would be, please confirm with your Account Manager or reach out to support@datagrail.io.
- Select Next and create the application.
- When redirected back to the Applications Page, select the DataGrail Application and navigate to the Sign On tab.
- Scroll down to the SAML Signing Certificates section. You should see an active certificate that is automatically created.
- Select the Actions dropdown and View IdP Metadata (this should open in another tab).
- Copy the URL of the Identity Provider Metadata.
- Send the metadata URL to DataGrail at support@datagrail.io. We will complete the configuration.
Determining Group Mappings
In order to utilize the Group Mapping functionality, mappings between the Okta groups and DataGrail roles must be configured on the DataGrail side.
- Review DataGrail Roles and Permissions.
- Determine what DataGrail roles you want to map to your Okta groups. You can have multiple Okta groups map to the same DataGrail role.
- Once you have established your mappings, please send them to support@datagrail.io to be configured.
Configuring Attribute Statements
Once DataGrail support confirms the mappings have been set, the attribute statements can be configured within Okta:
- Navigate back to the Okta app you created in the first section and select the General tab.
- Select Edit in the SAML Settings section.
- Select Next to get to the Configure SAML tab. Scroll down to Group Attribute Statements.
- For each of the mappings you have defined, create a new attribute statement with the name `roles` and utilize the filters to associate this with the correct group.
- Additionally, scroll up to Attribute Statements and configure the following attribute statements:
  Attribute Statement Configuration
  First Name
  - Name: `first_name`
  - Value: `user.firstName`
  Last Name
  - Name: `last_name`
  - Value: `user.lastName`
  Email
  - Name: `email`
  - Value: `user.email`
- Select Next and save your changes.
For more information on adding users and managing roles, see Inviting New Users.
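As an added example (not DataGrail's or Okta's code), the following Python check parses a SAML assertion issued by the custom Okta app and reports where it differs from the values on this page: the Single Sign On URL, the Audience URI, and the `first_name`, `last_name`, `email` and `roles` attributes. The sample assertion, the group name `privacy-admins` and the function name `check_assertion` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = ("first_name", "last_name", "email", "roles")  # names from this page

# Constructed sample (not real Okta output); subdomain and group name are examples.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="https://yourcompanyname.datagrail.io/saml/auth"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://yourcompanyname.datagrail.io/saml/metadata</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="last_name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="roles"><saml:AttributeValue>privacy-admins</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>
"""


def check_assertion(xml_text, subdomain):
    """Return configuration problems (empty list = settings match the page).
    Configuration check only: no signature validation, never use it to authenticate."""
    root = ET.fromstring(xml_text)  # feed it only XML from your own IdP
    base = f"https://{subdomain}.datagrail.io/saml"
    problems = []
    recipients = {e.get("Recipient") for e in root.iterfind(".//saml:SubjectConfirmationData", NS)}
    if recipients != {base + "/auth"}:
        problems.append(f"Single Sign On URL is {sorted(map(str, recipients))}, expected {base}/auth")
    audiences = {(e.text or "").strip() for e in root.iterfind(".//saml:Audience", NS)}
    if audiences != {base + "/metadata"}:
        problems.append(f"Audience URI is {sorted(audiences)}, expected {base}/metadata")
    values = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        texts = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        values.setdefault(attr.get("Name"), []).extend(t for t in texts if t)
    for name in REQUIRED_ATTRS:  # exact match: "Roles" is reported as missing
        if not values.get(name):
            problems.append(f"attribute {name!r} is missing or has no value")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "yourcompanyname") or "assertion matches")
```

An empty `roles` attribute is reported as well, which is what you would see for a test user who belongs to none of the groups matched by the Group Attribute Statement filters.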
Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.