
Okta SCIM Integration


Last updated 5 months ago

SCIM (System for Cross-domain Identity Management) is an open standard for automating the management of user and group membership.

This document walks you through setting up SCIM-based users and groups with Okta.

Find Okta's documentation for these steps at

DeltaStream and Okta SCIM Concepts

DeltaStream's SCIM integration automates adding and removing users from your organization and leverages Okta groups to grant access to DeltaStream roles.

There are two types of groups within Okta:

  1. Assignment groups manage access to Okta App Integrations. Users added to the assignment group are automatically added to DeltaStream but are not assigned any custom roles.

  2. Push groups enable Okta to push existing Okta group memberships to DeltaStream. These groups are mapped to custom roles within DeltaStream.

You cannot use Push groups to control access to built-in roles. Instead, use a custom user attribute and a dedicated Assignment group to achieve orgadmin role membership.

Custom roles created using Push groups are not automatically granted any privileges. A role that holds the MANAGE_GRANTS privilege (by default, orgadmin or securityadmin) must grant privileges to these roles.

Note: You must add a user to an assignment group before adding them to a Push group.

SCIM Setup

Prerequisites

  • Set up Okta SAML app integration.

Enable SCIM Provisioning

This section describes how to enable SCIM provisioning on an app integration. Additional configuration will be added in subsequent sections.

  1. Click to activate the General tab, then click Edit for the App Settings.

  2. Select Enable SCIM provisioning and then click Save.

Set up the DeltaStream OrgAdmin Attribute

This section describes how to create a new custom attribute you use to specify who should have access to the OrgAdmin built-in role.

  1. In the lefthand navigation, go to Directory -> Profile Editor.

  2. Click DeltaStream Users.

  3. Click Add Attribute.

  4. Create a new boolean attribute with the following values:

    • Data type: boolean

    • Display name: DeltaStream OrgAdmin

    • Variable name: deltastreamOrgadmin

    • External name: deltastreamOrgadmin

    • External namespace: urn:ietf:params:scim:schemas:core:2.0:User

Set up the DeltaStream OrgAdmin User Assignment Group

This section describes how to create a new assignment group for OrgAdmins. Any users assigned to this group are granted the OrgAdmin role in DeltaStream.

  1. In the lefthand navigation, go to Directory -> Groups and then click Add group.

  2. Name the group DeltaStream OrgAdmins and then click Save.

  3. Click the newly-created group to configure it.

  4. Click the Applications tab to activate it and then click Assign applications.

  5. Assign the DeltaStream application.

  6. Verify the DeltaStream OrgAdmin attribute is set to true. Then click Save and Go Back.

Set up the DeltaStream User Assignment Group

This section describes how to create a new assignment group for non-privileged users.

  1. In the lefthand navigation, go to Directory -> Groups and then click Add group.

  2. Name the group DeltaStream Users and click Save.

  3. Click the newly-created group to configure it.

  4. Click the Applications tab to activate it, and then click Assign applications.

  5. Assign the DeltaStream application and then click Save.

SCIM user provisioning

Assign a user to the OrgAdmin assignment group

  1. In the lefthand navigation, go to Application -> Applications -> DeltaStream.

    1. Click to activate the Assignments tab.

    2. Filter by Groups.

    3. Click the DeltaStream OrgAdmins group.

  2. Click Assign people and then select the individuals you wish to assign as OrgAdmins.

Note: Ensure the person provided as the OrgAdmin for SAML application setup is also added to this group.

Assign a user to the Users assignment group

  1. In the lefthand navigation, go to Application -> Applications -> DeltaStream.

    1. Click to activate the Assignments tab.

    2. Filter by Groups.

    3. Click the DeltaStream Users group.

  2. Click Assign people and select the individuals you wish to have access to DeltaStream.

Note: Assigning users does not grant them any additional roles. Configure a Push group to assign roles.

Configure security integration

This section describes how to configure the SCIM integration URI and token so that Okta can push information to DeltaStream.

  1. Log into DeltaStream and create a new SCIM security integration using the CREATE SECURITY INTEGRATION command:

     USE ROLE securityadmin;
     CREATE SECURITY INTEGRATION "okta" WITH ( 'type' = SCIM, 'scim.client' = OKTA );

     The command returns the URI and token used in the steps below:

     URI: https://api.deltastream.io/scim/v2
     Token: eyJh...

  2. From the lefthand navigation, go to the Applications menu and click the DeltaStream application.

  3. Click the Provisioning tab to activate it, then click Edit.

  4. Copy the URI from the security integration setup in step 1 to the SCIM connector base URL.

  5. Enter email for Unique identifier field for users.

  6. Check the following checkboxes:

    1. Import New Users and Profile Updates

    2. Push New Users

    3. Push Profile Updates

    4. Push Groups

    Finally, for Authentication Mode click HTTP Header. Then copy the token from the security integration setup in step 1 into the Authorization Bearer box. Click Save to complete the initial setup.

  7. Click the Provisioning tab to activate it, and in the Provisioning to App settings, click Edit.

  8. Check the Enable checkboxes for Create Users, Update User Attributes, and Deactivate Users.

  9. Click Save.

Configure Push groups

Before you begin, ensure that everyone who needs access to DeltaStream has been added either to the DeltaStream Users or the DeltaStream OrgAdmins assignment groups.

  1. From the lefthand navigation, go to Application -> Applications -> DeltaStream.

  2. Click the Push Groups tab to activate it.

  3. Click + Push Groups to search for and select a group to push.

  4. Click Find groups by name.

  5. Enter the name of the group you wish to push (for example, development).

  6. Click Push group memberships immediately.

  7. Click Save.

This creates a role with the same name as the group in DeltaStream. Anyone who is part of the group is also assigned this role.
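A pre-flight check for the membership rules stated in this guide, run before pushing groups. This is an added example, not DeltaStream or Okta code: the group data is constructed, the function name `preflight` is hypothetical, and comparing role names case-insensitively is an assumption.

```python
# Added example: check Okta group data against the rules on this page.
# All names and memberships below are constructed sample data.

ASSIGNMENT_GROUPS = ("DeltaStream Users", "DeltaStream OrgAdmins")
# Built-in roles named on this page; push groups cannot manage these.
# Case-insensitive matching is an assumption.
BUILT_IN_ROLES = {"orgadmin", "securityadmin"}


def preflight(groups, push_groups, saml_orgadmin):
    """Return a sorted list of findings; an empty list means the checks pass.

    groups:        dict of Okta group name -> set of member e-mails
    push_groups:   names of the groups selected under Push Groups
    saml_orgadmin: e-mail given as OrgAdmin during SAML application setup
    """
    findings = []
    assigned = set()
    for name in ASSIGNMENT_GROUPS:
        assigned |= groups.get(name, set())

    # The SAML OrgAdmin must also be in the OrgAdmins assignment group.
    if saml_orgadmin not in groups.get("DeltaStream OrgAdmins", set()):
        findings.append(f"{saml_orgadmin}: SAML OrgAdmin missing from DeltaStream OrgAdmins")

    for name in push_groups:
        # A push group becomes a custom role of the same name.
        if name.lower() in BUILT_IN_ROLES:
            findings.append(f"{name}: push group name matches a built-in role")
        # Members must be in an assignment group before the push group.
        for user in sorted(groups.get(name, set()) - assigned):
            findings.append(f"{user}: in push group {name} but in no assignment group")
    return sorted(findings)


SAMPLE_GROUPS = {
    "DeltaStream OrgAdmins": {"ana@example.com"},
    "DeltaStream Users": {"bo@example.com", "cy@example.com"},
    "development": {"bo@example.com", "dee@example.com"},
    "orgadmin": {"cy@example.com"},
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE_GROUPS, ["development", "orgadmin"], "eve@example.com"):
        print(finding)
```
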

References

https://help.okta.com/en-us/content/topics/provisioning/lcm/con-okta-prov.htm
https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_scim.htm
https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_saml.htm