MicroStrategy ONE

Configure OAuth Parameters Using Okta for Denodo

Configure Your Application in Okta

Create an Okta Application

  1. Log in to Okta.
  2. In the Navigation pane, under Applications, click Applications.
  3. Click Create App Integration.
  4. Choose the OIDC - OpenID Connect sign-in method and the Native Application application type.
  5. Click Next.
  6. Enter a name for the application integration, and choose the Refresh Token and Token Exchange grant types.
  7. Add your sign-in redirect URIs for your environment, for example, https://env-308750.customer.cloud.microstrategy.com/MicroStrategyLibrary/auth/oidc/login.
  8. Under Controlled access, choose Allow everyone in your organization to access.
  9. Click Save.

Create an API

  1. In the Navigation pane, under Security, click API.
  2. Click Add Authorization Server.
  3. Enter a name and audience and click Save.
  4. Navigate to the Scopes tab of your newly created API.
  5. Click Add Scope.

    The scope name should be the same as the role name in the database, because Denodo scopes have the same names as roles. Once Denodo has the scopes of the token, it obtains the roles with the same names and executes the request with the privileges granted to these roles.

  6. Click Create.

Create an Access Policy and Rule

  1. Navigate to the Access Policies tab of your newly created API.
  2. Click Add Policy.
  3. Enter a name and description. Optionally, customize Assign to.
  4. Click Create Policy.
  5. Click Add rule.
  6. Enter your preferred rule options and click Create rule.
  7. Click Actions and Edit.
  8. In Assign to, assign the rule to the application you created.
  9. Click Update Policy.

Integrate Denodo with Okta

For more information on enabling OAuth in Denodo, see the JWT section of Enabling OAuth Authentication.

  1. Open the Denodo Administration Tool and log in with an Administrator account.

  2. In the menu, click Administration and Server configuration.

  3. Click Server authentication and OAuth.

  4. Define the following values:

    • Select a validation mode: Select Use JWT.

    • Select the signing algorithm: Choose RS256.

    • Issuer: Use the value from your OpenID configuration. To find this value, use https://<okta_url>.okta.com/oauth2/<serverid>/.well-known/oauth-authorization-server.

    • JWKS URL: Use the value from your OpenID configuration. To find this value, use https://<okta_url>.okta.com/oauth2/<serverid>/.well-known/oauth-authorization-server.

    • Audience: Enter your Okta Authorization Server Audience value.

      To find this value in Okta, in the Navigation pane, under Security, click API, and copy the Authorization Server Audience value.

    • Scope field name: Type scp.

  5. Click OK.

  6. To create roles in Virtual DataPort and grant them the appropriate privileges, see Creating Roles.

    The role name is the name you enter as the scope name in Add Scope in Okta.
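
A pre-flight check for the settings above, as an added example that is not part of the original documentation or of any MicroStrategy, Okta or Denodo code: it decodes an access token's header and claims, compares them with the RS256, Issuer, Audience and scp values configured in Denodo, and lists which scopes match Denodo roles. The metadata, token, audience and role names (sales_reader, finance_reader) are constructed samples, and the function names are hypothetical.

```python
import base64
import json

# Constructed sample of the metadata document returned by
# https://<okta_url>.okta.com/oauth2/<serverid>/.well-known/oauth-authorization-server
SAMPLE_METADATA = {
    "issuer": "https://example.okta.com/oauth2/example-server-id",
    "jwks_uri": "https://example.okta.com/oauth2/example-server-id/v1/keys",
}

def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(header, claims):
    """Build a constructed token with a placeholder signature for the check."""
    return ".".join([_b64url(header), _b64url(claims), "c2ln"])

def _decode(segment):
    padded = segment + "=" * (-len(segment) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))

def preflight(token, metadata, audience, denodo_roles, scope_field="scp"):
    """Compare a token's header and claims with the Denodo OAuth settings.

    Configuration check only: the signature is NOT verified here. Denodo does
    that itself with the keys published at the JWKS URL.
    """
    header_seg, claims_seg, _signature = token.split(".")
    header, claims = _decode(header_seg), _decode(claims_seg)
    problems = []
    if header.get("alg") != "RS256":
        problems.append("alg is %r, Denodo is set to RS256" % header.get("alg"))
    if claims.get("iss") != metadata["issuer"]:
        problems.append("iss does not match the Issuer value")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the Audience value")
    scopes = claims.get(scope_field, [])
    if isinstance(scopes, str):  # tolerate a space-delimited scope string
        scopes = scopes.split()
    # Only scopes that have a role of the same name carry privileges in Denodo.
    roles = [s for s in scopes if s in denodo_roles]
    if not roles:
        problems.append("no scope in %r matches a Denodo role" % scope_field)
    return {"roles": roles, "problems": problems}
```

Run it against a token issued for a test user before go-live: an empty problems list and a roles list containing only the roles that user should hold confirms that the scope-to-role mapping grants no more than intended.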

Create Enterprise Security Objects

To create IAM objects, see Manage OAuth Enterprise Security with Identity and Access Management (IAM) Objects.

Client ID and Client Secret values can be found in Create an Okta Application.

OAuth URL and Token URL values can be found at the URL with the following format: https://<okta_url>.okta.com/oauth2/<serverid>/.well-known/oauth-authorization-server.

In Scope, use the following format: openid email profile offline_access <scope created>, where <scope created> is the scope name from Create an API.