Okta SSO Support
Configuring TileDB Cloud Enterprise for SSO and user management
To enable SSO, you need to first create an Okta OpenID Connect integration for your installation.
In the Okta administrative dashboard, go to Applications and click Create App Integration. A dialog box will appear to initially set up the application.
The Okta “Create a new app integration” dialog.
Select the sign-in method OIDC - OpenID Connect, and the Web Application type, and click Next. You will be taken to the “New Web App Integration” screen.
Setting up TileDB on the New Web App Integration screen.
Give your application a name (and optionally a logo). Next to Grant type, check the Refresh Token box.
Add a Sign-in redirect URI. This should be the URL of your TileDB Cloud Console followed by /auth/sso/callback/okta. For instance, if your console lives at https://console.tiledb.example.com/, the redirect URI should be https://console.tiledb.example.com/auth/sso/callback/okta. You may optionally add your console’s home page as a sign-out redirect URI, for example https://console.tiledb.example.com/. Leave Trusted origins empty.
If you have multiple installations that will be using the same Okta instance for authentication, or you have another instance that you use for testing or deployment testing, you can add that installation’s URL as an additional sign-in redirect URI.
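The redirect URI rule above, as an added example that is not part of the original page: it derives the /auth/sso/callback/okta URI from each installation's console URL (with or without a trailing slash), builds the set of URIs that must all be registered when several installations share one Okta app, and checks a candidate by exact string match, which is what OIDC clients and servers are expected to do. The https-only requirement is an assumption of this example.

```python
from urllib.parse import urlsplit

# Callback path exposed by TileDB Cloud Console for the Okta OIDC integration (from the page).
OKTA_CALLBACK_PATH = "/auth/sso/callback/okta"


def okta_redirect_uri(console_url):
    """Derive the sign-in redirect URI to register in Okta from a console URL."""
    parts = urlsplit(console_url)
    # Assumption: consoles are served over HTTPS; an OIDC redirect target should never be plaintext.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"console URL must be an absolute https URL: {console_url!r}")
    if parts.query or parts.fragment:
        raise ValueError("console URL must not carry a query string or fragment")
    # Normalise the trailing slash so both 'https://host/' and 'https://host' yield the same URI.
    return console_url.rstrip("/") + OKTA_CALLBACK_PATH


def registered_redirect_uris(console_urls):
    """One exact URI per installation (production, staging, ...) sharing the same Okta app."""
    return frozenset(okta_redirect_uri(url) for url in console_urls)


def redirect_uri_is_registered(candidate, registered):
    """Exact comparison, as OIDC requires: no prefix match, no tolerated query string or scheme change."""
    return candidate in registered
```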
At the bottom of the page, decide which users in your Okta organization should have access to TileDB Cloud. Only those selected users will be able to log in. (If you are planning on using provisioning with SCIM, you should limit this to only the same users you provision to avoid account conflicts.) Click Save to create the integration.
The landing page for the newly-created organization.
Copy the values from this page into your TileDB configuration in values.yaml. The Client ID and Client Secret go in the tiledb-cloud-ui section, and the domain also goes in the
# Other sections and values are omitted for clarity.
After updating the config and redeploying, an Okta sign-in button will appear on your installation’s login page, and users will be able to authenticate to TileDB Cloud with their Okta credentials.
TileDB Cloud login page, featuring “Or login with your Okta account”.
Okta uses SCIM (System for Cross-domain Identity Management) to provision users into external applications. To handle automatic creation and management of users, you can configure Okta to connect to your TileDB Enterprise installation’s SCIM endpoints. (This is not available to TileDB Cloud SaaS users.)
The first step in the setup is to configure TileDB Cloud’s SCIM support. TileDB Cloud uses HTTP Basic authentication to protect its SCIM endpoints, and a password needs to be configured in the
# Other sections omitted.
With a SCIM password set, TileDB Cloud is now serving SCIM endpoints at the base path of .../v1/scim/2.0/. For example, if your TileDB Cloud API server is located at https://api.tiledb.example.com/, its SCIM endpoint is
Ordinarily, there will only be one password set. Multiple passwords are supported for seamless credential rotation:
1. Add a new password to the SCIMPasswords list, so it contains ['old password', 'new password']
2. Update the password in Okta's SCIM configuration to
3. Remove the old password from the
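The Basic-auth check behind the rotation steps above (and the Username/Password fields Okta asks for later on the provisioning page), as an added example that is not TileDB Cloud's own code: it parses the Authorization header Okta sends, accepts a request when the password matches any entry in the SCIMPasswords list, and replays the three steps to show that the old and new passwords both work while the list holds both and that the old one stops working once removed. The page fixes the SCIM username but that value is not reproduced here, so the constant below is a constructed placeholder.

```python
import base64
import hmac

# Constructed placeholder: substitute the fixed SCIM username your TileDB Cloud documentation specifies.
SCIM_USERNAME = "scim-user-placeholder"


def parse_basic_auth(header):
    """Return (username, password) from an HTTP Basic Authorization header, or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def scim_request_authorized(header, scim_passwords, expected_user=SCIM_USERNAME):
    """Accept the request if the username matches and the password equals ANY entry in SCIMPasswords."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, password = creds
    user_ok = hmac.compare_digest(user.encode(), expected_user.encode())
    # Check every configured password (no early exit) in constant time, so that during rotation
    # both the old and the new entry are valid and timing does not reveal which one matched.
    pw_ok = False
    for candidate in scim_passwords:
        pw_ok |= hmac.compare_digest(password.encode(), candidate.encode())
    return user_ok and pw_ok


def basic_auth_header(user, password):
    """Build the Authorization header Okta sends once the credentials are entered in its SCIM config."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def rotation_walkthrough():
    """Replay the three rotation steps; each value is (old password accepted, new password accepted)."""
    old_hdr = basic_auth_header(SCIM_USERNAME, "old password")
    new_hdr = basic_auth_header(SCIM_USERNAME, "new password")
    both = ["old password", "new password"]  # step 1: the list holds both entries
    step1 = (scim_request_authorized(old_hdr, both), scim_request_authorized(new_hdr, both))
    step2 = (scim_request_authorized(new_hdr, both),)  # Okta now sends the new password; no outage
    only_new = ["new password"]  # step 3: old entry removed from the list
    step3 = (scim_request_authorized(old_hdr, only_new), scim_request_authorized(new_hdr, only_new))
    return {"step1": step1, "step2": step2, "step3": step3}
```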
Once you’ve set SCIMPasswords and deployed your TileDB Cloud installation, the SCIM endpoints are available to Okta. You then need to configure your Okta installation to provision users and groups in TileDB Cloud as desired.
In the Okta administration panel, visit the Applications page and click Browse App Catalog. Search for “SCIM 2.0” and select the SCIM 2.0 Test App (Basic Auth). (There are several different SCIM integrations with different authentication types; ensure you select Basic.) Click Add Integration.
Setting the application name in the first step of adding a SCIM integration to Okta.
Give the application a memorable name. On the second page (Sign-On Options), leave all values at their default. Click Done. You will be taken to the newly-created integration.
At the newly-created integration, click the Provisioning tab, and click Configure API Integration (the only button in the tab). Check the Enable API integration box (once again the only visible UI element) and you will be greeted with the configuration for SCIM.
Setting up SCIM on the Okta app’s provisioning page
After you check that box, the SCIM configuration will appear.
- SCIM 2.0 Base Url: The URL to your TileDB installation’s SCIM endpoint. This is /v1/scim/2.0/ on your TileDB API server, as described earlier. The result should look like
- Username: This is always
- Password: The password you configured in the SCIMPasswords section of your TileDB Cloud configuration.
Click Test API Credentials and, if you entered all the right values, you should see a message of success:
The message you see if your SCIM endpoint works correctly.
Click Save and you will be taken to a screen with settings for the integration.
The page you land on after successfully configuring provisioning.
On this page, click Edit and check Create Users, Update User Attributes, and Deactivate Users. (Sync Password is not currently supported.) Click Save (located below Sync Password) to enable provisioning.
After these steps, provisioning is enabled, but no users or groups are currently configured to be provisioned.
Now that provisioning is enabled, you need to set up users and groups to be provisioned into TileDB Cloud.
Under the Assignments tab of your SCIM integration, click Assign. You can then assign users or groups to be provisioned into TileDB Cloud.
The provisioning assignment menu in Okta.
The simplest thing to do is to use Assign to Groups. When you select a group or groups, it will automatically provision all users from that group with accounts on TileDB Cloud. When new users are added to the group, they will also be provisioned with an account. Likewise, when users are removed from the group, their access to TileDB Cloud will be suspended. This works whether the group is manually or automatically managed.
Provisioning a group with access to TileDB Cloud.
This step only pushes the members of the groups into TileDB Cloud; it does not create the groups themselves. To create groups (represented as Organizations) in TileDB Cloud, you have to enable pushing groups.
The Push Groups page on the TileDB Enterprise documentation.
By visiting the Push Groups page and selecting the Push Groups button, you can select groups, either individually or using a search rule, to be created in TileDB Cloud.
Configuring push for a group searched by name.
After searching for a group by name, ordinarily you want to leave all the defaults as-is: Push group memberships immediately should be checked, and the Create Group push action should be selected. Click Save and your group will be pushed to TileDB Cloud as an organization.
Successfully-pushed groups visible in Okta.
The Push Status column is a menu where you can forcibly update the group (though this happens automatically) or disconnect the group from TileDB Cloud.
Group push options from the Push Status menu.