Integrating MarkLogic with Okta identity management and Microsoft Windows Active Directory using the Okta AD Agent
25 April 2018 08:51 AM
Introduction

Okta provides secure identity management and single sign-on to any application, whether in the cloud, on-premises or on a mobile device. The following steps describe the procedure required to integrate MarkLogic with Okta identity management and Microsoft Windows Active Directory using the Okta AD Agent. This document assumes that the users accessing MarkLogic are defined in the Windows Active Directory only and do not currently have Okta User Profiles defined.

Authentication Flow

The authentication flow in this scenario will be as follows:
Requirements

• MarkLogic Server version 8 or 9

For the purpose of this document the following Active Directory user entry will be used as an example:
Notes
Step 1. Create a MarkLogic External Security definition

An External Security definition is required to authenticate and authorize Okta users against a Microsoft Windows Active Directory server. Full details on configuring an external security definition can be found at: https://docs.marklogic.com/8.0/guide/security/external-auth

You should ensure that both “authentication” and “authorization” are set to “ldap”; for details on the remaining settings you should consult your Active Directory administrator.

Step 2. Assign Active Directory group membership to MarkLogic Roles

In order to assign the correct Roles and Permissions to Okta users, you will need to map Active Directory memberOf attributes to MarkLogic roles. In the example, the Active Directory user entry martin.warnes belongs to the following Group:

memberOf: CN=mladmins,CN=Users,DC=marklogic,DC=local

To ensure that all members of this Group are assigned the MarkLogic admin role you simply need to add the memberOf attribute value as an external name in the admin role, as below:

Step 3. Configure the MarkLogic AppServer

For each App Server that you wish to integrate with Okta, you will need to set the “authentication” to “basic” and select the “external security” definition. As HTTP Basic Authentication is considered insecure, it is highly recommended that you secure the App Server connection using HTTPS by configuring and selecting

Further details on configuring SSL for App Servers can be found at: https://docs.marklogic.com/8.0/guide/admin/SSL

Step 4. Install and Configure Okta AD Integration

In order for Okta to authenticate your Active Directory users, you will first need to download and install the Okta AD Agent using the following instructions supplied by Okta. Once installed, your Okta Administrator will be able to complete the AD Agent configuration to select which AD users to import into Okta.

Step 5. Create Okta MarkLogic application

From the Okta Administrator select “Add Application”, search for the Basic Authentication template and click “Add”.
On the “General Settings” tab, enter the MarkLogic App Server URL, making sure to use http or https depending on whether you have chosen to secure the listening port using TLS. Check the “Browser plugin auto-submit” option. On the Sign-On options panel select “Administrator sets username, password is the same as user’s Okta password”. For “Application username format” select “AD SAM Account name” from the drop-down selection.
Once the Okta application is created you should assign the users permitted to access the application.
When assigning a user, you will be prompted to check the AD Credentials; at this point you should just check that Okta has selected the correct "sAMAccountName" value, as the password will not be modifiable.

Repeat Step 5 for each App Server you wish to access via the Okta SSO portal.

Step 6. Sign-on to Okta SSO Portal

All assigned MarkLogic applications should be shown:

Selecting one of the MarkLogic applications should automatically log you in using your AD Credentials stored within Okta.
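Steps 1 to 3 above, as an added example that is not part of the original article and not MarkLogic's or Okta's own code: a Python script that applies the three MarkLogic settings through the Management REST API (/manage/v2), with the host, App Server name, LDAP URI and base, bind account and certificate template name as placeholders. The property names follow the Management API as understood by the author of this example; the sAMAccountName lookup attribute (matching the "AD SAM Account name" username format chosen in Step 5) and the check that refuses Basic authentication on an App Server without an SSL certificate template are the example's own choices.

```python
import json
import urllib.request
ADMIN_GROUP_DN = "CN=mladmins,CN=Users,DC=marklogic,DC=local"  # memberOf value from Step 2

def external_security_payload(name, ldap_uri, ldap_base, bind_user, bind_pw):
    """Step 1: External Security definition with LDAP authentication and authorization."""
    return {
        "external-security-name": name,
        "authentication": "ldap",  # both must be "ldap" for this flow
        "authorization": "ldap",
        "ldap-server": {
            "ldap-server-uri": ldap_uri,
            "ldap-base": ldap_base,
            # Okta sends the AD SAM account name as the Basic-auth user (Step 5); assumed attribute
            "ldap-attribute": "sAMAccountName",
            "ldap-default-user": bind_user,
            "ldap-password": bind_pw,
            "ldap-bind-method": "MD5",
        },
    }

def role_external_names_payload(group_dns):
    """Step 2: map AD memberOf DNs onto a MarkLogic role through its external names."""
    return {"external-name": list(group_dns)}

def appserver_payload(ext_sec_name, current_props):
    """Step 3: Basic auth plus external security, refused unless HTTPS is configured."""
    if not current_props.get("ssl-certificate-template"):
        raise ValueError("configure an ssl-certificate-template before enabling basic auth")
    return {"authentication": "basic", "external-security": ext_sec_name}

def send(base_url, method, path, payload, user, pw):
    """Send one JSON request to the Management API (port 8002, digest auth by default)."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, base_url, user, pw)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))
    req = urllib.request.Request(base_url + path, data=json.dumps(payload).encode(),
                                 method=method, headers={"Content-Type": "application/json"})
    with opener.open(req) as resp:
        return resp.status

if __name__ == "__main__":  # placeholder host, server name, LDAP details and credentials
    base, auth = "http://marklogic.example:8002", ("admin", "ADMIN_PASSWORD")
    ext = external_security_payload("okta-ad", "ldap://dc.marklogic.local:389",
                                    "CN=Users,DC=marklogic,DC=local", "svc_ml", "BIND_PASSWORD")
    send(base, "POST", "/manage/v2/external-security", ext, *auth)
    send(base, "PUT", "/manage/v2/roles/admin/properties",
         role_external_names_payload([ADMIN_GROUP_DN]), *auth)
    send(base, "PUT", "/manage/v2/servers/okta-app/properties?group-id=Default",
         appserver_payload("okta-ad", {"ssl-certificate-template": "okta-app-tls"}), *auth)
```

Fetch the App Server's current properties (GET on the same /manage/v2/servers/... path) before calling appserver_payload so the HTTPS check runs against the live configuration.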