Okta SCIM 2.0 Setup

This document describes how to configure an Okta account for SCIM 2.0 integration with Tabular.

Note   The Tabular SCIM 2.0 functionality can be used independently of using Okta as an Authentication provider.

Create some credentials

In the Tabular app, you must create some credentials to be used with the integration.

Sign in to the Tabular app as a Security Administrator, then go into the Organization tab, and then into the My profile tab.

Scroll down to the My credentials section and add a new credential with the Create new credential button. We recommend you choose a separate credential for the integration. Choose a name to help you identify the purpose – for example Tabular/Okta SCIM2.

Make note of the credential string for later.

Configure Okta Application

Log in to your Okta admin console, then navigate to Applications > Applications. Browse the App Catalog and search for SCIM 2 Test Basic Auth.

Select SCIM 2.0 Test App (Basic Auth) and add the integration.

On the General settings page, you can (if you prefer) change the integration name. Then click Next.

On the Sign-On Options page, change Sign On Methods to Secure Web Authentication, and choose the method you prefer, for example “Administrator sets username, user sets password”.

Now click Done.

You should now be on the application integration page. Go to the Provisioning tab, then select Configure API Integration. Enable the API Integration, and fill out the details:

For SCIM 2.0 Base URL - https://api.tabular.io/ws/v1/scim2/

The username and password are the two parts of the Tabular credential you created earlier. The parts are separated by a colon. Break them apart and enter them separately.

Try Test API Credentials, which should respond successfully. Then Save.
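To check the credential outside Okta before pasting it in, the following added example (not Tabular's or Okta's code) splits the credential string and builds the HTTP Basic request Okta would send. It assumes the first part is the username and the split is at the first colon; the ServiceProviderConfig resource is the standard SCIM 2.0 discovery endpoint and its availability on Tabular is an assumption, as is the environment variable name.

```python
import base64
import os
import urllib.request

BASE_URL = "https://api.tabular.io/ws/v1/scim2/"  # SCIM 2.0 Base URL from this page


def split_credential(credential):
    """Split '<part1>:<part2>' at the first colon into (username, password)."""
    username, sep, password = credential.strip().partition(":")
    if not sep or not username or not password:
        raise ValueError("credential must look like '<part1>:<part2>'")
    return username, password


def basic_auth_header(username, password):
    """Header value HTTP Basic auth (RFC 7617) produces for the two fields."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def build_probe(credential, resource="ServiceProviderConfig"):
    """Build (without sending) a GET for a SCIM 2.0 discovery resource."""
    username, password = split_credential(credential)
    req = urllib.request.Request(BASE_URL + resource, method="GET")
    req.add_header("Authorization", basic_auth_header(username, password))
    req.add_header("Accept", "application/scim+json")
    return req


if __name__ == "__main__":
    # Read the secret from the environment so it never appears in argv or
    # shell history. TABULAR_SCIM_CREDENTIAL is a hypothetical variable name.
    req = build_probe(os.environ["TABULAR_SCIM_CREDENTIAL"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        print(resp.status, resp.headers.get("Content-Type"))
```
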

If you are not already there, go to the Provisioning tab, then the To App settings. Edit the settings. Then, in the Provisioning to App section, enable the following:

  • Create Users
  • Update User Attributes
  • Deactivate Users

You can choose to customize the Attribute Mapping section if you need; Tabular recognizes only a few fields:

  • Username
  • Given Name
  • Family Name
  • Display Name
  • Email (Primary Email)

Save the settings.

Request configuration in Tabular

To complete SCIM 2.0 configuration, the email domain(s) of the primary emails of the accounts you would like to sync must be placed in the allow-list for your account. Currently, this must be done by Tabular support. Please contact a Tabular representative, or email support@tabular.io. Include:

  • Your Tabular organization name
  • The desired email domain(s) to add to the allow-list

We will get back to you if we have any questions, and when the configuration is complete.
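The attribute list and the allow-list requirement above can be checked together before assigning anyone. This added example (not Tabular's code) reads the five recognized attributes from SCIM 2.0 User payloads and flags users whose primary email domain is not in the allow-list you requested; the sample users, the allow-list, and exact-match domain comparison are assumptions made for illustration.

```python
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"


def recognized_fields(user):
    """The five attributes this page lists, read from a SCIM 2.0 User.

    RFC 7643 allows at most one emails entry with primary=true, so any
    other count is reported as no primary email.
    """
    name = user.get("name") or {}
    primary = [e.get("value") for e in user.get("emails") or []
               if e.get("primary") is True]
    return {
        "username": user.get("userName"),
        "given_name": name.get("givenName"),
        "family_name": name.get("familyName"),
        "display_name": user.get("displayName"),
        "primary_email": primary[0] if len(primary) == 1 else None,
    }


def check_user(user, allowed_domains):
    """Return problems to resolve before assigning this user in Okta."""
    email = recognized_fields(user)["primary_email"]
    if not email or email.count("@") != 1:
        return ["no single well-formed primary email"]
    domain = email.split("@")[1].lower()
    # Exact match is this example's assumption; subdomains do not pass.
    if domain not in {d.lower() for d in allowed_domains}:
        return ["domain %s is not allow-listed" % domain]
    return []


ALLOWED = {"example.com"}  # constructed allow-list
USERS = [  # constructed payloads, shaped like SCIM 2.0 User resources
    {"schemas": [SCIM_USER], "userName": "ana@example.com",
     "name": {"givenName": "Ana", "familyName": "Ruiz"},
     "displayName": "Ana Ruiz",
     "emails": [{"value": "ana@example.com", "primary": True}]},
    {"schemas": [SCIM_USER], "userName": "bo@example.com",
     "emails": [{"value": "bo@example.com", "primary": False},
                {"value": "bo@partner.example.net", "primary": True}]},
    {"schemas": [SCIM_USER], "userName": "cy",
     "emails": [{"value": "cy@example.com"}]},
]


def audit(users, allowed_domains):
    return {u["userName"]: check_user(u, allowed_domains) for u in users}
```

Calling `audit(USERS, ALLOWED)` maps each username to its list of problems; an empty list means the user's primary email is in an allow-listed domain.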

Test the integration

You should now be able to sync users and/or groups to Tabular. Okta provides many options to do this. But first, let’s test by pushing a single user. Go back to the Application integration. In the Assignments tab you can manually assign a user to the integration. Click Assign, then Assign Users. As the user is assigned, the account is pushed over to Tabular.

Verify the user has been created in Tabular. To do this, go to the Tabular app, then to the Members tab. You should see your Okta user there, generally within a few seconds.

Organizing your directory

There are many different ways to sync users and groups from Okta to Tabular. This is a sketch of a simple and flexible method of managing your Tabular users and groups.

Note   There is a difference in terminology between Okta and Tabular. What Okta calls Groups of users, Tabular calls Roles. For our purposes here, these are the same.

Function-based group organization

We recommend you create and manage Okta groups for each top-level function for which you want to provision access to Tabular resources. For example, you may have the following:

  • A group of Data Scientists with read-only access to many or all warehouses.
  • A group of Data Operations Engineers with read-write access to your warehouses.
  • A group of Data Application Engineers with read-write access only to your development warehouses.

For any similar organization we suggest you create separate Okta Groups for each population of users. After you do this you can easily push both groups and users to Tabular by setting up Group Assignments and Push Groups within Okta.

Group Assignments

In the integration test above, you assigned a single user to the application. You can do the same with groups. To do this, return to the Application integration. In the Assignments tab, assign a group to the integration. Click Assign, then Assign Groups. Then select a group to sync.

When this is configured, it pushes the users in each group to Tabular. New users are added to Tabular; existing users are linked. As users are subsequently added and removed, they are added to and removed from Tabular.

Assigning groups does not push/create the roles themselves in Tabular. You do this through Push Groups.

Push Groups

To configure Roles in Tabular from Okta Groups, use the Push Groups functionality. To do this, navigate to the Application integration, then to the Push Groups tab. Click Push Groups to add a group and find a group by name.

Once you select a group, Okta will respond with what it intends to do.

We suggest leaving Match result & push action as “Create Group”. Save the update. Okta should begin to sync the group and its users to Tabular. If you go back into the Tabular app, and go to the Roles tab, the Push Group should display with users assigned.

Odds and Ends

Management authority

Although the Tabular app does not prevent you from making changes to group assignments and users, we recommend you refrain from doing so for any entities that have been synced from Okta. SCIM is a one-way sync, so those changes never make their way back to Okta, and may even get overwritten in time.

Default Tabular Groups

You may notice that when you enable SCIM 2.0 integration, Okta may discover the existing groups in your organization and create placeholders for them in Okta. It is probably safest to leave those groups alone.