Hello, We’ve enabled okta integration to DataHub. ...
# ui
b
Hello, we’ve enabled Okta integration to DataHub. I am looking for how the Okta user/Okta group/Policies work, basically mapping between Okta groups and Okta users. Let me know if anyone has docs related to this or any pointers. Thanks!
b
Hi @billions-morning-53195!
So once you get Okta users onto DataHub you can begin to add them to DataHub Policies. For example you can assign particular groups to "Admin" Policies, metadata editor policies, viewer policies, etc. @echoing-airport-49548 can actually speak more about this 🙂
b
Hi @big-carpet-38439, Thanks for the response! I was looking for answers/pointers around
Will the Okta groups be populated into DataHub? Or will the Okta groups that the Okta users are part of be considered at all from an authorization perspective?
Okta is used only as an authentication layer, and authorization is completely handled by DataHub groups & DataHub policies?
Do we have to manually add newly created Okta users on DataHub to groups (with our own policies) which we have created separately on DataHub?
b
> Will the Okta groups be populated into DataHub? Or will the Okta groups that the Okta users are part of be considered at all from an authorization perspective?
When a user logs in, their groups will be pulled and created in DataHub. This is called just-in-time provisioning. These groups will be considered for authorization, but the groups must have DataHub privileges added to them.
> Okta is used only as an authentication layer, and authorization is completely handled by DataHub groups & DataHub policies?
Correct!
> Do we have to manually add newly created Okta users on DataHub to groups (with our own policies) which we have created separately on DataHub?
No. Your users' group membership will come from Okta!
b
Awesome! Thanks for the quick response. I am not seeing the Okta equivalent groups/groups from Okta being created on DataHub.
b
Are you using OIDC? If yes, you may need to make sure Okta is configured to return the groups claim to DataHub!
If it is not, then DataHub cannot provision the groups 😞
b
Yep OIDC with Okta
b
> If yes, you may need to make sure Okta is configured to return the groups claim to DataHub!
Cool, looks like I have to check with my SSO team for this. Any config I need to pass to `datahub-frontend` pod specifically to get the groups? I am passing `groups` as an option in the list for `AUTH_OICD_SCOPE`. Would this be enough for getting info about user’s groups?
Hi @big-carpet-38439, we see that groups from Okta are getting created on DataHub now. However, we’re running into a different issue now. Once I get past Okta SSO, the UI keeps reloading without displaying the DataHub UI in the browser. We see these errors constantly printed in the `datahub-frontend` pod logs:
18:07:03 [application-akka.actor.default-dispatcher-5480] ERROR auth.sso.oidc.OidcCallbackLogic - Unable to renew the session. The session store may not support this feature
Please let me know when you get a chance. Thanks
b
Hi @billions-morning-53195, how did you get the groups populated? Thanks!