Hybrid Data Pipeline - External Authentication with Okta

Introduction

Many organizations today use both third-party and custom authentication services to protect their data. While Progress strives to keep up with the latest authentication methods such as OAuth2 and LDAP, we also want to give our customers the freedom to choose their own authentication systems. This is especially true when organizations use custom in-house systems. Luckily, Hybrid Data Pipeline (from here on referred to as HDP) can authenticate users through external authentication tools, such as Google Authentication, Okta, and Ping Identity. Julien Mansier, our senior sales engineer, wrote this tutorial to show you how to easily authenticate HDP against Okta.

Prerequisites

  1. This tutorial assumes that you already have an instance of HDP running. It doesn’t matter if you are running it locally or remotely in AWS (or any other cloud). For more information on how to set up HDP, please refer to the documentation:
  2. Depending on your setup, you may need the ability to SSH/Telnet into the system running HDP.  This tutorial will not cover the specifics of how to do this, but we will give enough details so that IT/Sys Admins can do it for you.
  3. You will need a trial/demo account of Okta (free). To start this process, please sign up for a free trial of Okta
  4. Finally, you will need the ability to compile Java and create JAR files. This can be done with any Java IDE or from the command line; this tutorial uses the Eclipse IDE for this purpose. All of the contents and sample code can be found on GitHub.


Enabling External Authentication with Hybrid Data Pipeline

This section is focused on setting up HDP to work with external authentication so that you can authenticate HDP against any external system.

  1. Place the fakeAuth.jar file in the following location:

    <install_location>/Progress/DataDirect/Hybrid_Data_Pipeline/Hybrid_Server/ddcloud/keystore/plugins
  2. Send a POST API request (using Postman or curl) to https://<my_hdp_url>:8443/api/admin/auth/services with the following body. This creates the auth service.
    {
      "id": 2,
      "name": "fakeAuth",
      "description": "An example authentication method that always authenticates.",
      "authTypeId": 2,
      "authDefinition": {
        "className": "fakeAuth"
      }
    }
  3. Send a GET API request to https://<my_hdp_url>:8443/api/admin/auth/services, which lists the available authentication services. If the ‘fakeAuth’ service is returned, it has been created. The response should look something like this:
    {
        "authServices": [
            {
                "id": 1,
                "name": "Internal",
                "description": "The default internal authentication service."
            },
            {
                "id": 2,
                "name": "fakeAuth",
                "description": "An example authentication method that always authenticates."
            }
        ]
    }
  4. Restart the HDP server using the stop.sh then start.sh scripts in the ‘ddcloud’ directory located where the server is installed.

  5. The next step is to create a user who has the newly created ‘fakeAuth’ authentication service. Please note that you can also update a previously created user to use the new authentication method.

  6. Send a POST API request (using Postman or curl) to https://<my_hdp_url>:8443/api/admin/users with the following body. This creates the user ‘testuser’. Note that this username is the user internal to HDP. The username that gets passed to the external authentication service is ‘testuser_external’, which is the authUserName set for authServiceId = 3.
    {
        "userName": "testuser",
        "statusInfo": {
            "status": 1,
            "accountLocked": false
        },
        "passwordInfo": {
            "password": "TempPass18",
            "passwordStatus": 1,
            "passwordExpiration": "2020-01-01 00:00:00"
        },
        "permissions": {
            "roles": [
                2
            ]
        },
        "authenticationInfo": {
            "authUsers": [
                {
                    "authUserName": "testuser_external",
                    "authServiceId": 3
                },
                {
                    "authUserName": "testuser",
                    "authServiceId": 1
                }
            ]
        }
    }
  7. If there are no errors in the response, the user is created and ready to be used. For internal authentication, simply log in with the username ‘testuser’ and the password ‘TempPass18’. To test the fakeAuth service, log in with the username ‘testuser_external’ and any password (remember that fakeAuth always validates, no matter what the password is).


External Authentication Login

The steps above were to just set the foundation of how to set up external authentication with HDP. In this example, the fakeAuth service always validates the user, which is not very helpful. Luckily, since we know the steps above already, configuring HDP to use Okta is simple. This is covered in the next section.

Authenticating Hybrid Data Pipeline with Okta

In this section, we configure HDP to use Okta as its authentication tool. Many of the steps from the previous section are repeated with slightly different information. One prerequisite: you must create a user in Okta with the username test.email@company.com, or you can use your own Okta username. If you use your own account, replace the test email in the steps below with your own email.


  1. Place the oktaAuth.jar file in the following location:
    <install_location>/Progress/DataDirect/Hybrid_Data_Pipeline/Hybrid_Server/ddcloud/keystore/plugins
  2. Send a POST API request (using Postman or curl) to https://<my_hdp_url>:8443/api/admin/auth/services with the following body. This creates the auth service. Note that you must supply your own Okta URL and Okta API token.
    {
      "id": 6,
      "name": "oktaAuth",
      "description": "Simple Authentication using Okta",
      "authTypeId": 2,
      "authDefinition": {
        "className": "OktaAuth",
        "attributes": {
          "token": "ljhfdgliuhadflkgjhdfglhsdfkgljhdfg"
        }
      }
    }

  3. Send a GET API request to https://<my_hdp_url>:8443/api/admin/auth/services, which lists the available authentication services. If the ‘oktaAuth’ service is returned, it has been created. The response should look something like this:
    {
        "authServices": [
            {
                "id": 1,
                "name": "Internal",
                "description": "The default internal authentication service."
            },
            {
                "id": 3,
                "name": "fakeAuth",
                "description": "An example authentication method that always authenticates."
            },
            {
                "id": 6,
                "name": "oktaAuth",
                "description": "Simple Authentication using Okta"
            }
        ]
    }


  4. Restart the HDP server using the stop.sh then start.sh scripts in the ‘ddcloud’ directory located where the server is installed.

  5. The next step is to create a user who has the newly created ‘oktaAuth’ authentication service. Please note that you can also update a previously created user to use the new authentication method.


  6. Send a POST API request (using Postman or curl) to https://<my_hdp_url>:8443/api/admin/users with the following body. This creates the user ‘oktauser’. Note that this username is the user internal to HDP. The username that gets passed to the external authentication service is ‘test.email@company.com’, which is the authUserName set for authServiceId = 6.
    {
        "userName": "oktauser",
        "statusInfo": {
            "status": 1,
            "accountLocked": false
        },
        "passwordInfo": {
            "password": "TempPass18",
            "passwordStatus": 1,
            "passwordExpiration": "2020-01-01 00:00:00"
        },
        "permissions": {
            "roles": [
                2
            ]
        },
        "authenticationInfo": {
            "authUsers": [
                {
                    "authUserName": "test.email@company.com",
                    "authServiceId": 6
                },
                {
                    "authUserName": "oktauser",
                    "authServiceId": 1
                }
            ]
        }
    }

  7. If there are no errors in the response, the user is created and ready to be used. For Okta authentication, simply use the email test.email@company.com as the user name; this correlates to the user created in Okta. You can type anything for the password. Since we are authenticating with Okta, the password does not matter.
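The two procedures above (the fakeAuth walkthrough and the Okta one) are the same three admin API calls with different bodies. The following script is an added example, not Progress's or Okta's code, that scripts them so they can be repeated without pasting JSON into Postman. The endpoints and body shapes are the ones shown in this tutorial; the HTTP basic-auth admin login, the HdpAdmin/auth_service_body/user_body/find_service_id helper names, and the HDP_URL, HDP_ADMIN_USER, HDP_ADMIN_PASSWORD and OKTA_API_TOKEN environment variables are assumptions. Two points a practitioner would want: the Okta API token and admin password are read from the environment instead of being written into the request body or a saved request collection, and the user is mapped to the service id that the GET actually returns, not the id sent in the POST, so a mismatch (the tutorial's own listings show fakeAuth as id 2 in one response and id 3 in another) is caught before an unusable user is created.

```python
"""Drive the HDP admin API steps from both sections of this tutorial:
register an external authentication service, confirm HDP lists it, and
create a user mapped to it. Added example, not Progress's or Okta's code.
Endpoints and body shapes are the ones shown in the tutorial; basic-auth
admin login, the HDP_*/OKTA_* environment variables and the helper names
are assumptions."""
import base64
import json
import os
import urllib.request


def auth_service_body(service_id, name, description, class_name, attributes=None):
    """Body for POST /api/admin/auth/services. authTypeId 2 is the value the
    tutorial uses for a plugin-backed (external) service; attributes, such as
    the Okta token, are handed to the plugin class."""
    definition = {"className": class_name}
    if attributes:
        definition["attributes"] = dict(attributes)
    return {
        "id": service_id,
        "name": name,
        "description": description,
        "authTypeId": 2,
        "authDefinition": definition,
    }


def user_body(user_name, password, external_user, external_service_id, roles=(2,)):
    """Body for POST /api/admin/users: one HDP user with two login identities,
    the internal one (authServiceId 1) and the external one."""
    return {
        "userName": user_name,
        "statusInfo": {"status": 1, "accountLocked": False},
        "passwordInfo": {
            "password": password,
            "passwordStatus": 1,
            "passwordExpiration": "2020-01-01 00:00:00",
        },
        "permissions": {"roles": list(roles)},
        "authenticationInfo": {
            "authUsers": [
                {"authUserName": external_user, "authServiceId": external_service_id},
                {"authUserName": user_name, "authServiceId": 1},
            ]
        },
    }


def find_service_id(services_response, name):
    """Id of the named service in a GET /api/admin/auth/services response, or
    None if HDP did not register it. Map users to this id, not to the id sent
    in the POST body, since the two may differ."""
    for svc in services_response.get("authServices", []):
        if svc.get("name") == name:
            return svc.get("id")
    return None


class HdpAdmin:
    """Minimal admin-API client (assumed: HTTP basic auth with an HDP admin
    account, JSON request and response bodies, TLS verified as usual)."""

    def __init__(self, base_url, admin_user, admin_password):
        self.base_url = base_url.rstrip("/")
        cred = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
        self.headers = {"Authorization": "Basic " + cred,
                        "Content-Type": "application/json"}

    def call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data,
                                     method=method, headers=self.headers)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)


def register_service(client, service):
    """Steps 2 and 3: create the service and return the id HDP lists for it."""
    client.call("POST", "/api/admin/auth/services", service)
    listing = client.call("GET", "/api/admin/auth/services")
    service_id = find_service_id(listing, service["name"])
    if service_id is None:
        raise RuntimeError(f"HDP did not register service {service['name']!r}")
    return service_id


def create_mapped_user(client, service_id, hdp_user, hdp_password, external_user):
    """Step 6: create the HDP user whose external identity is external_user."""
    return client.call("POST", "/api/admin/users",
                       user_body(hdp_user, hdp_password, external_user, service_id))


if __name__ == "__main__":
    # Secrets come from the environment, never from the script or a shared
    # request collection: the Okta API token grants access to your Okta org.
    client = HdpAdmin(os.environ["HDP_URL"],  # e.g. https://<my_hdp_url>:8443
                      os.environ["HDP_ADMIN_USER"],
                      os.environ["HDP_ADMIN_PASSWORD"])
    okta = auth_service_body(6, "oktaAuth", "Simple Authentication using Okta",
                             "OktaAuth", {"token": os.environ["OKTA_API_TOKEN"]})
    sid = register_service(client, okta)
    # The tutorial restarts HDP (step 4) between registering the service and
    # creating the user; do that by hand, and in any case before testing logins.
    create_mapped_user(client, sid, "oktauser", "TempPass18", "test.email@company.com")
    print(f"oktaAuth registered with id {sid}; log in as test.email@company.com")
```

Run it with the four environment variables set; to repeat the fakeAuth section instead, build the service with auth_service_body(2, "fakeAuth", ..., "fakeAuth") and no attributes, and map the user to "testuser_external".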
