On-premises Connector for Generic Databases

Early Access release

The On-premises Connector for Generic Databases provides an out-of-the-box solution for connecting on-premises databases with the Okta Identity Governance platform. This connector uses the Okta Provisioning Agent (OPP) and Okta On-prem System for Cross-domain Identity Management (SCIM) server agent to manage users and entitlements in various database systems. This enhances security and simplifies governance by eliminating the need for custom integrations.

The integration with Okta enables core identity governance capabilities such as access request, access certification, user provisioning and de-provisioning, and segregation of duties (SoD) for your on-premises database environments.

This connector supports provisioning and entitlement management for Oracle, MySQL, PostgreSQL, and Microsoft SQL Server relational database management systems.

System requirements

To install the On-prem Connector for Generic Databases, ensure that your system meets the hardware and software requirements. See System requirements for On-premises Connector - Generic Databases.

Provisioning and entitlement features

This connector supports the following capabilities:

• Create users: Automatically creates a user in the on-premises database when the user is assigned to the app in Okta.
• Update users: Syncs any changes made to a user's profile in Okta to the database.
• Provision/de-provision users: Manages the active or inactive state of user accounts in the database.
• Manage entitlements: Assigns or removes user entitlements from the database through Okta.
• Import users and entitlements: Performs manual and scheduled imports of user and entitlement data from the database into Okta.

Before you begin

• Install the Okta Provisioning Agent
• Install the Okta On-prem SCIM Server
• Gather the following information to use a database account with the On-premises Connector:
  • Username for the database account
  • Password for the database account
  • Type of database
  • IP/Domain name
  • Port number
  • Name of the database

Download the JDK and JDBC Packages

• Download JDK version 21 from a trusted source and upload it to your Linux server.
• Download the required JDBC driver (for example, Oracle OJDBC) and upload it to your Linux server.

Enable the database connector features

1. In the Admin Console, go to SettingsFeatures.
2. In the Early access section, enable the following options:
   1. On-prem Connector for Generic Databases
   2. OPP Agent with SCIM 2.0 support

Configure the On-prem Connector for Generic Databases

After you've installed and configured the necessary components, you can configure the app in your Admin Console.

1. In the Admin Console, go to ApplicationsApplications.

2. Click Browse App Catalog.
3. Search for and select On-prem Connector for Generic Databases, and then click Add Integration.
4. Configure your general settings, and then click Next.
5. Configure your sign-on options, and then click Done.
6. Go to the General tab and click Edit in the Entitlement management section.
7. From the Entitlement management dropdown list, select Enabled.
8. Click Save. It may take a few moments for the feature to become enabled, after which you can refresh the page to view the Governance tab.
9. Go to the Provisioning tab. Click Enable provisioning.
10. Select the Okta Provisioning Agent that you installed, and click Next.
11. To connect the Okta Provisioning Agent and Okta On-prem SCIM Server, provide the required information:

    To get your API token and public key, execute the following command in your terminal: sudo /opt/OktaOnPremScimServer/bin/Get-OktaOnPremScimServer-Credentials.sh

    1. IP address: The IP address or fully qualified domain name of the server where the Okta On-prem SCIM Server Agent is installed.

    2. API token: The API bearer token that you generated when you installed the SCIM server.

    3. Public key: Upload the .crt certificate file that you downloaded from the server.

12. Click Next.
13. Enter your database connection details, and click Connect agents.
14. Define schema and import settings.
15. Define provisioning actions.
16. Map app attributes on the Provisioning page.

Define schema and import settings

1. Go to the Provisioning tab.
2. Under Settings, select Integration To Okta section. Click Edit next to Schema discovery & Import.
3. For Get Users, select Enabled.
4. Select SQL Statement or Stored Procedure.
5. Enter the query or the procedure and the user ID.
6. For Get All Entitlements, select Enabled.
7. Select SQL Statement or Stored Procedure.
8. Enter the query or procedure, the entitlement ID, and the entitlement display column.
9. Optional. Select Enable Single Entitlements per User if you want to enforce that each user can have only one entitlement assigned at a time.

   This setting is permanent. You can't change this value once entitlements have been discovered.

10. Click Save.

Define provisioning actions

1. Go to the To App section and click Edit.
2. Enable your desired provisioning options. For example: Create User, Update User, Deactivate User.
3. Provide the necessary SQL statements or stored procedures for each operation (for example: INSERT, UPDATE, DELETE).
4. Map the parameters in your SQL statements or stored procedures to the appropriate user attributes from Okta.
5. Click Save.