Starburst Documentation
Starburst Galaxy
  •  Get started
  •  Working with data
  •  Data engineering
  •  Developer tools
  •  Cluster administration
  •  Security and compliance
  •  Troubleshooting
  • Galaxy status
  •  Reference

    • starburst galaxy > security and compliance > manage galaxy access > manage sso integration > Okta SAML setup

    Okta SAML setup #

    Starburst Galaxy supports configuring Okta as a single sign-on (SSO) identity provider. There are two parts for full SSO participation, SAML and SCIM.

    Follow the steps on this page to configure SAML connectivity between Okta and Galaxy, then go through Okta SCIM setup to complete the process.

    Start on Starburst Galaxy #

    1. In Starburst Galaxy’s navigation menu, open Access > Single sign-on.

    2. Click Configure single sign-on.

        SSO configuration start

      If Starburst Galaxy is already configured with an SSO provider, you must delete it before you add a new one. However, first see Delete an SSO provider to understand the consequences of SSO deletion.

    3. Select Okta from the Select identity provider options.

        Select identity provider

    4. Take note of the strings in the next three fields, which are ready to copy into Okta. The labels above each field are the same wording as in Okta to help you identify the target location.

        SSO config values for Okta

    Copy SAML values to Okta #

    1. In a new browser window, open the admin console for your Okta account or open your normal Okta account and click Admin in the top pane.

    2. Click the menu and select Applications > Applications.

    3. In the Applications pane, click Create App Integration.

        Okta create app integration button

    4. In the next pane, select SAML 2.0 and click Next.

        Okta select SAML 2.0

    5. This opens the Create SAML Integration pane, which has three tabs.

      In the General Settings tab, provide a name for this app integration.

      Remember that the name you choose is visible to specified Okta users in their Okta dashboards. The obvious name to give this app integration is Starburst Galaxy.

      You can optionally upload a logo or image file to represent the app in the Okta dashboards of your users.

      When done, click Next.

    6. This opens the second tab, Configure SAML.

      In the SAML Settings > General section at the top, notice that the first three fields have the same label names as the Starburst Galaxy pane you have open in another window.

      Copy the URIs and token from each field in Starburst Galaxy to its matching field in Okta.

      Leave all other controls on this page in their default settings. Scroll down and click Next.

        Okta copy matching field values

    7. This opens the third tab, Feedback.

      You must select one of the two options on this tab, but providing feedback is optional. You can leave all fields blank, then click Finish.

    Copy SAML values to Galaxy #

    The last Finish click in Okta leaves you in the Sign On tab, Settings pane for your new app integration. The name you assigned is now visible at the top of the page.

    Copy information from this Okta pane back to Galaxy. There are two ways to copy the required information:

    Metadata URL option #

    Metadata URL is the easiest option to use because there is a single URL string to copy.

    • In Okta’s settings page for your app integration, select the Sign On tab.

    • Scroll down to the SAML Signing Certificates section, which shows a table with two rows for Types SHA-1 and SHA-2.

    • At the end of the SHA-2 row, click to drop down the Actions control.

        Okta Action drop-down

    • Select the View IdP metadata option.

      This opens a new browser tab showing the contents of an XML file. The XML display varies with browser type, but we are not concerned with the XML content, only with the URL of this web page.

    • In this new tab, go to the address bar and copy the entire URL.

    • In Starburst Galaxy, in the pane you left open, make sure the Metadata URL option is selected. Paste the copied URL into the field labeled Identity Provider metadata URL

    • Proceed to test the configuration.

    Manual entry option #

    Manual entry requires you to locate and copy three fields of information from Okta to Starburst Galaxy.

    • In Starburst Galaxy, in the pane you left open, make sure the Manual entry option is selected.

    • In the browser window holding Okta, in the settings page for your app integration, scroll down to the SAML Signing Certificate section.

    • To the right of this section, locate SAML Setup with a button labeled View SAML setup instructions. Click this button.

    • This opens a new browser tab titled How to Configure SAML 2.0 for your-app-name Application. This page has three fields. As before, notice that the labels for each field correspond exactly with the labels of the fields on the Manual entry pane.

    • Copy the three field values from Okta to Starburst Galaxy, field to matching field.

    • Proceed to test the configuration.

    Test configuration #

    1. In Galaxy, click Test configuration.

    2. If SAML communication between Okta and Starburst Galaxy is valid, you receive a green success message.

        Okta SAML configuration success

      If you receive a red failure message, go back through these steps to make sure there is not a typo or other error.

    3. When the test passes, click Configure single sign-on to complete the process.

        SAML configuration success, manual entry

    Proceed to SCIM configuration #

    Completion of SAML configuration in Starburst Galaxy leaves you at the beginning of the Provision SCIM stage where the following dialog appears.

      Okta provision SCIM dialog

    This marks a good stopping point if you need a break, but Okta is not yet configured to provide SSO authentication. You can click the No, do this later button or even log off, and your setup position is preserved. When you return, click Provision SCIM on this pane.

      Okta provision SCIM button

    See Okta SCIM setup for the final configuration steps.

    Configure Okta to send user attributes to Galaxy #

    To use user attributes with policy expressions, you need to configure your IdP to send those attributes to Galaxy:

    1. In Okta, navigate to your application, open the General tab, and under the SAML Settings section, click Edit.
    2. Click Next to navigate to the second tab, entitled Configure SAML. In this section, update the attributes statements. For more information, visit the Okta developer guide.
    3. Click Next, and then Finish the configuration change. At this time, new sessions are configured for your SSO provider to send each user’s attributes as statements to Galaxy

    Existing user sessions do not have updated attributes until the user’s session expires and they re-authenticate with your SSO provider. Similarly, if a user’s attribute statements are updated while that user has an existing session open, those attributes do not update until the user is re-authenticated via SSO.