Okta is an identity and access management platform that enables secure Single Sign-On (SSO). Integrating Okta with Firebolt allows users to login using their existing credentials, simplifying access while maintaining security. This setup helps you and your team centralize authentication and manage user access. To integrate Okta with Firebolt’s platform, you need to configure your Okta application for Firebolt and Firebolt’s SSO for Okta. Detailed instructions can be found in the following sections:

Configure Okta application

  1. In the Okta Admin Console, select Applications from the left navigation panel.
  2. Select Applications again.
  3. Select Create a new app integration.
  4. Select SAML 2.0 as the sign-in method and choose Next.
  5. Fill out General Settings and navigate to the next section Configure SAML.
  6. Complete the following fields:
    • Single sign-on URL. This URL has the following format https://id.app.firebolt.io/login/callback?connection=<org_name>-<provider>&organization=<organization_identifier>
      • <org_name> represents the organization name used to create your Firebolt Account. This org name is referenced in your vanity URL.
      • <provider> represents the provider we’re configuring as our IdP.
      • <organization_identifier> - the unique identifier for your organization in Firebolt. To retrieve your <organization_identifier>, do the following:
        1. Login to the Firebolt Workspace.
        2. Select the Configure icon (The Firebolt Configure Space icon.).
        3. Select SSO from the left navigation pane.
        4. Select Copy organization SSO identifier.
      Example: https://id.app.firebolt.io/login/callback?connection=vsko-okta&organization=org_82u3nzTNQPA8RyoM
    • Audience URI (SP Entity ID). This URI has the following format: urn:auth0:<tenant_name>:<org_name>-<provider>, where <tenant_name> is app-firebolt-v2, <org_name> is the name of organization provider and <provider> is the provider value set in Firebolt configuration step.
    Example: urn:auth0:app-firebolt-v2:vsko-okta
  7. Save the configuration.
  8. Open the Sign On tab of your created app integration, and select the SAML 2.0 tab. Select More details to expand additional information.
  9. Copy or note down the value for Sign on URL and Issuer.
  10. Download the Signing Certificate.

Configure Firebolt to integrate with Okta

Once your Identity Provider(IdP) is configured, you can now configure Firebolt to integrate with Okta either using SQL scripts in the Develop Space or through the user interface (UI) in the Configure Space.

Configure Firebolt to integrate with Okta using the UI

  1. Login to the Firebolt Workspace.
  2. Select the Configure icon (The Firebolt Configure Space icon.).
  3. Select SSO from the left navigation pane.
  4. Under Configure SSO for your organization, enter the following:
    1. Sign-on URL - Enter the sign-on URL, provided by the SAML identity provider, where Firebolt will send SAML requests. The URL is specific to the IdP and is defined during configuration. For Okta, this value corresponds to the Sign on URL value copied in Step 6.
    2. Issuer - A unique value generated by the SAML identity provider specifying the issuer value. The issuer corresponds to the Issuer value noted in Step 9.
    3. Provider - The provider’s name, Okta.
    4. Label: The label to use for the SSO login button. You can use any label name. If the label is not provided, Firebolt uses the value in the Provider field.
    5. (Optional) Sign-out URL - An endpoint provided by Okta that facilitates the logout process by redirecting the user to this URL, ending their session.
    6. Signing certificate - A digital certificate used to verify the authenticity of a signature used to communication between Okta and Firebolt. The certificate needs to be in PEM or CER format, and can be uploaded from your computer by selecting Import certificate or entered in the text box under Signing certificate.
    7. Field mapping - A mapping used to match user attributes between Okta and Firebolt. Enter the First name and Last name in your Okta profile. Mapping is only required the first time a user logs in using SSO.
    8. Select Update changes.

Configure Firebolt to integrate with Okta using SQL

Login to Firebolt’s Workspace. Then, do the following:
  1. Select the Develop icon (</>).
  2. By default, when you login to Firebolt’s Workspace for the first time, Firebolt creates a tab in the Develop Space called Script 1. The following apply:
  • The database that Script 1 will run using is located directly below the tab name. If you want to change the database, select another database from the drop-down list.
  • An engine must be running to process the script in a selected tab. The name and status of the engine that Script 1 uses for computation is located to the right of the current selected database.
Select system from the drop-down arrow next to the engine name. The system engine is always running, and you can use it to create a service account. You can also use an engine that you create.
  1. Use the syntax in the following example code to create an SSO connection in the SQL Script Editor:
ALTER ORGANIZATION vsko SET SSO = '{
  "signOnUrl": "https://dev-1234567890123456.us.okta.com/samlp/123456789012345678901234567890123",
  "signoutURL": "http://your-sign-out-URL",
  "issuer": "okta",
  "provider": "okta",
  "label": "Okta Company IdP",
  "fieldMapping": {
    "given_name": "name",
    "family_name": "surname"
  },
  "certificate": "<certificate>"
}';
In the previous code example, the following apply:
  • signOnUrl- The sign-on URL, provided by the SAML identity provider, where Firebolt will send SAML requests. The URL is specific to the IdP and is defined during configuration. For Okta, this value corresponds to the Sign on URL value copied in Step 9.
  • (Optional)signoutUrl- An endpoint provided by Okta that facilitates the logout process by redirecting the user to this URL, ending their session.
  • issuer - A unique value generated by the SAML identity provider specifying the issuer value. The issuer corresponds to the Issuer value noted in Step 9.
  • provider - The provider’s name, Okta.
  • label - The label to use for the SSO login button. You can use any label name. If the label is not provided, Firebolt uses the value in the Provider field.
  • certificate - A digital certificate used to verify the authenticity of a signature used to communication between Okta and Firebolt. The certificate must be in Privacy Enhanced Mail (PEM) or CER format.
  • field mapping - A mapping used to match user attributes between Okta and Firebolt. Enter the first name and surname in your Okta profile. Mapping is only required the first time a user logs in using SSO.