Configure Okta
The following procedure configures Okta for integration with Vertica and requires administrator privileges. For details, see Configuring OAuth authentication.
The goals of this procedure are to configure Okta and obtain the following information:
- Client ID: The ID used to identify the Vertica database. This is generated by Okta.
- Client secret: An Okta-generated string used to refresh the OAuth token when it expires.
- Token endpoint: Used by the client to retrieve the OAuth token.
- Introspection endpoint: Used by Vertica to validate the OAuth token.
These values are used to create the oauth
authentication record in Vertica and act as instructions for Vertica to communicate with Okta when a user attempts to authenticate.
Create an OIDC application
- From the Okta dashboard, go to Applications > Applications and select Create App Integration. The Create a new app integration dialog box appears.
- For the Sign-in method, select OIDC - OpenID Connect. The Application type section appears.
- For the Application type, select Native Application.
- Select Next. The New Native App Integration window opens.
- In the App integration name, enter a name for your application. This example uses Demo_Vertica.
- For the Grant Type, select Authorization Code, Refresh Token, and Resource Owner Password.
- For Controlled access, select the option applicable to your organization. This example uses Allow everyone in your organization to access.
- Select Save to save your application.
Retrieve the client ID and client secret
- From the Okta dashboard, go to Applications > Applications and select the name of your OIDC application.
- In the General tab in the Client Credentials section, select Edit.
- For Client authentication, select Client secret and select Save. This generates a new client secret.
- Copy the client ID and client secret.
Set the authentication policy
- From the Okta dashboard, go to Applications > Applications and select the name of your OIDC application.
- In the Sign On tab in the User authentication section, select Edit.
- Select Password only.
- Select Save to save the new policy.
Retrieve Okta endpoints
- From the Okta dashboard, go to Security > API.
- In the Authorization Servers tab, select the name of your authorization server. By default, the name of this server is default.
- Select the Metadata URI to get a list of all endpoints for your authorization server as a
json
string. - Copy the values for the token_endpoint and introspection_endpoint.
Test the configuration
-
Verify that you can retrieve an OAuth token from the token endpoint. If successful, Okta respond with an
access_token
andrefresh_token
:$ curl --insecure -d "client_id=client_id" -d "client_secret=client_secret" -d "username=okta_username" -d "password=okta_password" -d "grant_type=password" -d "scope=offline_access%20openid" token_endpoint
-
Verify that the tokens are valid with the introspection endpoint. If successful, Okta responds with a
json
string containing"active":true
:To verify the access token:
$ curl --insecure -d "client_id=client_id" -d "client_secret=client_secret" -d "token=access_token" introspection_endpoint
Similarly, to verify the refresh token:
$ curl --insecure -d "client_id=client_id" -d "client_secret=client_secret" -d "token=refresh_token" introspection_endpoint
The
access_token
andrefresh_token
can then be used for the oauthaccesstoken and oauthrefreshtoken parameters. For details, see JDBC connection properties and ODBC DSN connection properties.