MicroStrategy ONE

Integrate MicroStrategy with Okta OIDC Single Sign-On for Dremio

Starting in MicroStrategy ONE (December 2024), you can use the Dremio JDBC driver to connect to Dremio with OIDC Single Sign-On through Okta: the user signs in to Okta once, and MicroStrategy presents an Okta-issued token to Dremio instead of a stored database password.

Prerequisites

Establishing JDBC connections to Dremio with a JSON Web Token (JWT) issued by an OpenID Connect (OIDC)-conformant authorization server requires the Dremio JDBC driver, which is not shipped with MicroStrategy. Download the latest version of the driver from Dremio's official download page and place the jar in the %MicroStrategyInstallationPath%\install\JDBC folder. Jars in this folder are loaded by the Intelligence Server, so obtain the driver only from Dremio; the driver class you select later when creating the database connection is com.dremio.jdbc.Driver.

Configure Your Application in Okta

Create an Okta Application

  1. Log in to Okta.
  2. In the Navigation pane, under Applications, click Applications.
  3. Click Create App Integration.
  4. Choose the OIDC - OpenID Connect sign-in method and the Native Application application type.
  5. Click Next.
  6. Enter a name for the application integration and, under Grant type, select Refresh Token and Token Exchange in addition to the Authorization Code grant that is selected by default. Token Exchange is what allows MicroStrategy to exchange the user's sign-in token for an access token whose audience is the authorization server you create in the next section, which is the token presented to Dremio.
  7. Add your sign-in redirect URIs for your environment. For example, https://xxxxxx.customer.cloud.microstrategy.com/MicroStrategyLibrary/auth/oidc/login.
  8. Under Controlled access, choose Allow everyone in your organization to access.
  9. Click Save.

Create an API

  1. In the Navigation pane, under Security, click API.
  2. Click Add Authorization Server.
  3. Enter a name and audience and click Save.
  4. Go to Security > API and note two values of the new authorization server: its Audience, which you enter in Dremio later, and its authorization server ID, which forms part of the server's metadata (well-known) URI.

    The well-known URI has the following format: https://<organization>.okta.com/oauth2/<authorization_server_id>/.well-known/oauth-authorization-server.

  5. Open the URI in a browser and note the following values from the metadata document:

    • Issuer

    • Authorization endpoint

    • JWKS URI

    • Token endpoint

Create an Access Policy and Rule

  1. Navigate to the Access Policies tab of your newly created API.
  2. Click Add Policy.
  3. Enter a name and description. Optionally, under Assign to, restrict the policy to the Okta application you created in Create an Okta Application so that only that client can obtain tokens from this authorization server.
  4. Click Create Policy.
  5. Click Add rule.
  6. Enter your preferred rule options and click Create rule.

Integrate Dremio with Okta

For more information on enabling OAuth in Dremio, see External Token Providers.

  1. Log in to the Dremio Cloud console and go to Organization Settings.

  2. In the left pane, choose External Token Providers.

  3. Click Add Provider and type the following IdP details:

    • Name: A unique name for the External Provider.

    • Audience: The claim (aud) that identifies the recipient of the JSON Web Token. Use the Audience value of the authorization server you noted in Security > API; Dremio rejects tokens whose aud claim does not match it.

    • User Claim Mapping: The claim that corresponds to the username in Dremio. You can use sub.

    • Issuer URL: The claim (iss) that identifies the principal that issued the JSON Web Token. Copy the issuer value from the metadata document in the previous steps.

    • JWKS URL: Optional. The URL where the signing key set for the JSON Web Token is located. Copy the jwks_uri value from the metadata document in the previous steps.

    In a token generated by Okta, the iss claim holds the Issuer URL, the aud claim holds the Audience, and the sub claim holds the user identifier mapped by User Claim Mapping.

  4. Create the Dremio user that the token maps to. Its username must equal the value of the claim you chose in User Claim Mapping (with sub, the Okta user's login) or the token will be accepted but not matched to a user.
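The following script is an added example, not MicroStrategy, Okta or Dremio code. It covers two of the steps above: picking the four values out of the authorization server's metadata document (the step under Create an API) and checking that a token's iss, aud and sub claims line up with the Audience, Issuer URL and User Claim Mapping fields you enter in Dremio. Both inputs are constructed: the metadata mirrors the shape of a .well-known/oauth-authorization-server document with placeholder hostnames and ids, and the JWT carries a filler signature, so the script does not verify signatures (Dremio does that against the JWKS URL). The audience api://dremio and the user analyst@example.com are assumed values.

```python
"""Check Okta authorization-server metadata and the claims of a token issued by it.

Added example, not MicroStrategy, Okta or Dremio code. The metadata and the JWT
below are constructed; the JWT's signature is filler, so nothing here verifies a
signature. Dremio performs that verification against jwks_uri. This script only
shows which value goes into which Dremio field.
"""
import base64
import json
import time

# Constructed metadata document (the real one is served at the well-known URI).
METADATA = {
    "issuer": "https://example.okta.com/oauth2/ausEXAMPLEsrv",
    "authorization_endpoint": "https://example.okta.com/oauth2/ausEXAMPLEsrv/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/ausEXAMPLEsrv/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/ausEXAMPLEsrv/v1/keys",
}
AUDIENCE = "api://dremio"  # assumed Audience value set on the authorization server


def metadata_values(doc: dict) -> dict:
    """Pick the four values the page tells you to note and sanity-check them.

    The issuer must be the authorization-server base URL, and every endpoint must
    live under that issuer; otherwise tokens from a different server (for example
    the org-level one) could be validated against the wrong key set.
    """
    keys = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
    missing = [k for k in keys if k not in doc]
    if missing:
        raise ValueError(f"metadata is missing {missing}")
    for k in keys[1:]:
        if not doc[k].startswith(doc["issuer"] + "/"):
            raise ValueError(f"{k} is not under the issuer URL")
    return {k: doc[k] for k in keys}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore stripped padding


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_sample_token(payload: dict) -> str:
    """Build a constructed JWT with the header shape Okta emits (RS256 plus kid)."""
    header = {"alg": "RS256", "kid": "constructed-kid", "typ": "JWT"}
    segs = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    return ".".join(segs + [_b64url_encode(b"not-a-real-signature")])


def decode_token(token: str):
    """Split a JWT into its decoded header and claims (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_claims(token, issuer, audience, user_claim="sub", now=None):
    """Return (ok, problems, username) for the claim checks an External Token
    Provider applies before mapping a token to a Dremio user. Signature
    verification against jwks_uri is deliberately out of scope here."""
    now = time.time() if now is None else now
    header, claims = decode_token(token)
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"alg is {header.get('alg')!r}; Okta signs with RS256")
    if not header.get("kid"):
        problems.append("no kid in header, so no key can be selected from the JWKS")
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} does not match the Issuer URL")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not contain the Audience {audience!r}")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token is expired or has no exp")
    user = claims.get(user_claim)
    if not user:
        problems.append(f"user claim {user_claim!r} is missing")
    return (not problems, problems, user)


# Constructed claims; iat/exp are fixed so the run is repeatable.
SAMPLE_TOKEN = make_sample_token({
    "iss": METADATA["issuer"], "aud": AUDIENCE, "sub": "analyst@example.com",
    "iat": 1_700_000_000, "exp": 1_700_003_600,
    "scp": ["openid", "email", "profile", "offline_access"],
})

if __name__ == "__main__":
    print(json.dumps(metadata_values(METADATA), indent=2))
    ok, problems, user = check_claims(SAMPLE_TOKEN, METADATA["issuer"], AUDIENCE, now=1_700_000_000)
    print("claims ok:", ok, "user:", user, problems)
    # The same token is rejected if Dremio's Audience field holds a different value.
    print(check_claims(SAMPLE_TOKEN, METADATA["issuer"], "api://other", now=1_700_000_000)[1])
```

Run it as-is to see the metadata values and the two claim checks; to inspect a real Okta token, paste it in place of SAMPLE_TOKEN and pass the real issuer and Audience. A mismatch reported for aud almost always means the token was minted by the org authorization server rather than the custom one, or that the Audience field in Dremio differs from the value in Security > API.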

MicroStrategy Configuration

Create a Data Source Using OIDC Single Sign-On Authentication Mode

  1. Open the Workstation window.

  2. Connect to an environment.

  3. Create an IAM object using Manage OAuth Enterprise Security with Identity and Access Management (IAM) Objects:

    • In Select an identity provider, choose Okta.

    • Copy and paste the configuration fields of the Okta application you created in Create an Okta Application, including Client ID and Client Secret.

    • In Scope, enter openid email profile offline_access.

  4. In the Navigation pane, click the Add icon next to Data Sources.
  5. Choose Dremio.
  6. Expand the Default Database Connection drop-down list and click Add New Database Connection.

  7. Type a Name.
  8. Expand the Driver drop-down list and choose the com.dremio.jdbc.Driver driver that you manually installed in Prerequisites.

  9. Type a HostName.
  10. On the Basic tab, expand the Authentication Mode drop-down list and choose OIDC Single Sign-On.
  11. Expand the Authentication Service drop-down list and choose the IAM object you created above, or click Add New Authentication Service to create a new one.
  12. Click Save.
  13. In the Add Data Source dialog, type a Name and Database Version, and optionally choose Projects for further data manipulation.
  14. Click Save.

Create and Map Users to Okta

  1. Open the Workstation window.

  2. Connect to an environment.

  3. In the Navigation pane, click Users and Groups.

  4. Click the Add icon next to All Users.

  5. Type a Full Name, Email Address, Username, and other optional fields.
  6. In the left pane, click Privileges and select the checkbox next to the following privileges:
    • Access data from Databases, Google BigQuery, Big Data, OLAP, BI tools
    • Create and edit database instances and connections
    • Create and edit database logins
    • Create configuration objects
    • Create dataset in Workstation
    • Configure project data source
    • Monitor Database Connections
    • Use Workstation
  7. In the left pane, click Authentication.
  8. In Trusted Authentication Request User ID, type the Okta user's email address. This is the value that links the MicroStrategy user to the Okta identity when the user signs in with OIDC.

  9. Click Save.

Configure OIDC

For more information, see Enable OIDC Authentication for MicroStrategy Library.

  1. Open Workstation and connect to your environment using standard authentication and administrator credentials.

  2. Right-click your connected environment and choose Configure OIDC under Configure Enterprise Security.

  3. In Step 2: Select an identity provider, choose Okta from the drop-down list.

  4. In Step 3: Okta Configuration, copy the MicroStrategy Library URI and the Workstation URI into the Sign-in redirect URIs of the Okta application you created in Create an Okta Application.

  5. Copy the Client ID from that Okta application into the Client ID field of the Okta Configuration step.

  6. In Issuer, use the issuer value from the Okta authorization server's metadata document, found at https://<okta_url>.okta.com/oauth2/<serverid>/.well-known/oauth-authorization-server.

  7. Restart the web server.

Single Sign-On with OIDC

  1. Open the Workstation window.

  2. Connect to an environment.

  3. Right-click the environment and choose Environment under Edit.

  4. Select Default OIDC and click Continue.

  5. A browser displays. Log in using your Okta credentials.

  6. Use a MicroStrategy Administrator account to assign privileges to the new user.

    You do not need to perform this step if you mapped a MicroStrategy user to an Okta account and granted privileges.

  7. In the Navigation pane, click the Add icon next to Datasets.

  8. Choose a Project and select Data Import Cube.

  9. Click OK.

  10. Choose the data source you created.

    The namespaces and tables display.