Okta LDAP Configuration
This guide explains how to configure Matillion ETL to use the Okta LDAP integration for external authentication and authorization. Troubleshooting information is also provided to help you manage your external authentication setup.
Note
Begin by following the LDAP integration process as far as "LDAP Setup", then return to this document and follow Configuring Matillion ETL, below, to enter the Okta LDAP integration settings into your Matillion ETL instance.
Prerequisites
- You must create and enable the LDAP Interface in Okta. Make sure you have enabled the LDAP Interface by clicking the Add LDAP Interface button.
- If you are integrating Okta with the Azure Active Directory LDAP interface, you must make the following changes for the integration to work successfully:
User Object Class = organizationalperson
User Object Filter = (objectclass=organizationalperson)
Configuring Matillion ETL
Follow these steps in your Matillion ETL instance to authenticate with Okta:
- Click Admin → User Configuration in the top-right of your Matillion ETL instance.
- Select External from the Security Configuration drop-down menu at the top of the User Configuration dialog.
- Provide details as follows:
- Connection Name: The name of a user to make the initial bind to the directory. This could be any AD user. For Active Directory, that will include a realm using the form "user@REALM":
uid=[user],dc=[orgname],dc=okta,dc=com
- Connection Password: The password for the user to make the initial bind to the directory.
Warning
We advise against using "special characters" in passwords. Any character above #128 in either of these lists may cause issues:
- Connection URL: The location of the directory server:
ldaps://[orgname].ldap.okta.com:636
- User Bases: The part of the directory tree to begin searching for users. Typically users are created in the Users Container/OU. Change this as appropriate if Matillion ETL users are held in a different container:
ou=users,dc=[orgname],dc=okta,dc=com
- User Search: The LDAP attribute to use for identifying user names:
(uid={0})
- Role Base: The part of the directory tree to begin searching for groups/roles. As with User Bases above, change this appropriately if Matillion ETL user groups are held in a different container from users:
ou=groups,dc=[orgname],dc=okta,dc=com
- Role Name: The name of the attribute containing the role name:
cn
- Role Search: How to find all the roles for a user:
(uniqueMember={0})
- METL Access: The role to gain access to the Matillion ETL application:
Emerald
- METL Server Admin: The role to gain access to the Matillion ETL administration page. This may be different from the METL Access role name:
Emerald Admin
- METL Global Project Admin: This role allows a user to access every project:
Emerald Project Admin
- API: The role to gain access to the Matillion ETL API. This may be different from the METL Access role name:
Emerald API
The placeholders [user] and [orgname] in the above examples must be replaced with your own values. Your orgname is the part of your Okta sign-in URL that identifies your organization, for example: https://org-name.okta.com, where org-name is typically the name of your company or organization.
- Use the default values in the METL Access, METL Server Admin, METL Global Project Admin, and API drop-down menus, or select your own.
- Select the Role Subtree and User Subtree options. For information on testing your login credentials, see Troubleshooting, below.
- Click OK.
- Restart Tomcat.
For information about how to log in to Matillion ETL, return to LDAP Integration and follow the instructions under Log in to Matillion ETL to complete the process.
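The following added example (not Matillion's or Okta's code) shows how the settings entered above combine at login time: the User Search filter locates the user under User Bases, the Role Search filter collects the groups under Role Base whose uniqueMember lists that user, and the cn of each group is compared against the four METL role names. It runs against a constructed in-memory stand-in for the Okta LDAP Interface, with [orgname] replaced by the constructed value example-org, and escapes the typed login name per RFC 4515 so it cannot change the shape of the filter.

```python
import re

# Settings as given above; [orgname] replaced with a constructed value.
ORG = "example-org"
USER_BASE = f"ou=users,dc={ORG},dc=okta,dc=com"
ROLE_BASE = f"ou=groups,dc={ORG},dc=okta,dc=com"
USER_SEARCH = "(uid={0})"
ROLE_SEARCH = "(uniqueMember={0})"
ROLE_NAME = "cn"
ROLE_MAP = {"access": "Emerald", "server_admin": "Emerald Admin",
            "project_admin": "Emerald Project Admin", "api": "Emerald API"}

# Constructed stand-in for the Okta LDAP Interface (DN -> attributes, keys lowercased).
ALICE = f"uid=alice,{USER_BASE}"
DIRECTORY = {
    ALICE: {"uid": ["alice"], "objectclass": ["inetorgperson"]},
    f"cn=Emerald,{ROLE_BASE}": {"cn": ["Emerald"], "uniquemember": [ALICE]},
    f"cn=Emerald Admin,{ROLE_BASE}": {"cn": ["Emerald Admin"], "uniquemember": [ALICE]},
    f"cn=Emerald API,{ROLE_BASE}": {"cn": ["Emerald API"], "uniquemember": []},
}

def escape_filter(value):
    """RFC 4515 escaping, so the typed login name cannot change the filter's shape."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def search(base, filt):
    """Equality-only subset of LDAP filter matching, with Subtree scope under base."""
    attr, raw = re.fullmatch(r"\((\w+)=(.*)\)", filt).groups()
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base) and value in attrs.get(attr.lower(), [])]

def login(username):
    """Locate the user via User Search, collect roles via Role Search, map to METL permissions."""
    users = search(USER_BASE, USER_SEARCH.format(escape_filter(username)))
    if len(users) != 1:
        return None                     # unknown or ambiguous user: deny
    groups = search(ROLE_BASE, ROLE_SEARCH.format(escape_filter(users[0])))
    roles = {DIRECTORY[dn][ROLE_NAME][0] for dn in groups}
    if ROLE_MAP["access"] not in roles:
        return None                     # the METL Access role is required to log in at all
    return {perm: role in roles for perm, role in ROLE_MAP.items()}

if __name__ == "__main__":
    print(login("alice"))   # alice: access and server admin, no project admin, no API
    print(login("*"))       # escaped wildcard matches no uid -> None
```

A user who is in the directory but not a uniqueMember of the Emerald group is denied entirely, which is why the METL Access group has to be created manually on the Okta side (see Troubleshooting).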
Troubleshooting
- Currently, you are unable to test the authorization of your Okta LDAP login credentials.
- User groups imported into Okta will not be available from the LDAP Interface. You have to create them manually.
- Use the following free query tool to see what groups are available via the LDAP Okta Interface: LDAP Admin tool.