Alteryx Designer Desktop Discussions


Empower your users to access SAP HANA data with Okta identities

renat_isch
Alteryx

The Alteryx 2023.1 release brings Okta authentication support (Single Sign-On, SSO) for SAP HANA. This update allows users to authenticate to SAP HANA Cloud with Okta accounts. In this post, we’re going to take a look at the Okta and SAP HANA Cloud configuration needed to enable this authentication mechanism.

To access SAP HANA data with Okta accounts, users need to have the following configuration in place:

  • Have the latest version of the SAP HANA ODBC driver (SAP HANA Client 2.0) installed on users' machines. The latest version can be downloaded from the Alteryx Data Sources page (Data Sources | Alteryx Help) or the SAP download page;

  • Have an Okta account created within the organisation’s Okta tenant;

  • Have an SAP user created within the SAP HANA Cloud account, with a role assigned and a username matching the Okta account username;

  • Obtain the authentication details required to set up a new connection between Alteryx Designer and the SAP HANA Cloud instance.

Please note, the following example is intended for demonstration purposes only. We recommend engaging your systems team to help you with the configuration.

 

Configure Okta

Set up and configure an OAuth2 application with Okta. We call it SAP/Okta for the purposes of this document.

1. Create a new application and select the OIDC - OpenID Connect option. For the application type, select Web application.

2. In the application configuration, “Refresh token” must be checked in the “Grant type” section. Specify the redirect URI, which must be http://localhost:<port>/, filling in your chosen port number. You can choose any port you wish to use. Please note the full redirect URI; you will need it later.

When creating the application, you can also configure Assignments control: scroll down to Assignments and select the assignment type you need.

 

3. Create a new Okta authorization server and assign the application created in the previous step to it.

a. Create a new server by going to the Security → API tab on the left-hand side.

b. Set “Audience” to your SAP HANA Cloud instance. In this example, we use the SAP instance URI as the audience value.

c. Add a scope by clicking Scopes and set the scope value to any value you want.
Note: the scope claims can be validated by your SAP HANA Cloud instance if needed. Please reach out to the SAP HANA support team for details.
 

d. Create an access policy by going to the Access policies tab.

e. In the policy, assign access to the application SAP/Okta.

f. In the policy configuration, click “Add rule”.

g. Do not change any rule parameters, just click “Create rule”.

4. Create users in the Okta directory and assign them to the SAP/Okta application.
5. Update the authorization server user claim to match the username convention used in SAP HANA Cloud. Obtain the Okta authorization server JWK details and convert them into PEM format.

1. For the public key conversion from JWK form to PEM format, you can use any package providing this functionality. Find and access the JWK of the authorization server. The JWK can be found at the following internal resource: https://tenant_id.okta.com/oauth2/authorization_server_id/v1/keys.

Note: an Okta SSWS token is required to access this endpoint. Your JWK shall adhere to this standard:

 

 

        {
            "kty": "RSA",
            "alg": "RS256",
            "kid": "zV1iZXSKXOlWpucuO-2ngVK_qn_LimXxuwr8omLasa9bw",
            "use": "sig",
            "e": "AQAB",
            "n": "r0H-ak1gXEkxuELsYMhPufKmmOBhr3YAmb3Z6zQ7jrEpSjQq3BbJEZ1W3IVWmrHiRC7FoGtTXogMBTCiPsZVBd7YpfhWwl17N5ttT9Lx00gic2mBxEnxQTj2rl0BHjSw3t4A8R-1vK52HMjokRsmc0CUqy7eoDV-0w9pg48Kb2k4lpDb7f5bjjdOax9YocGtYiG7zvQhUvmjPpKxT4X2GwIZQn9DGyB9RTSg_2P4lD1O76rrN8OuMoJ5qKxZLkv9m8zfoIc-wydPfBe3oNBFJW4cRPRMqQR37_ViqpFk5k8ZebcwWnYFPJ4az4enr3ddtzzX7yy1ysJJxKjzQ"
        }

 

Please note that the Okta server rotates JWK keys from time to time, so your account admin is required to either establish a process that will constantly check whether the JWKs you collect are still in use or deactivate key rotation for the specific authentication server you use.

 

2. Convert the JWK obtained above to PEM. The output shall have the following format:
 

 

-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAr0HAfU+FP7k1gXEkxuELsYMhPufKmmOBhr3YAmb3Z6zQ7jrEpSjQ
q3BbJEZ1W3IVWmrHiRC7FoGtTXogMBTCiPsZVBd7YpfhWwl17N5ttT9Lx00gic2m
BxEnxQTj2rl0BHjSw3asdazzz+1vK52HMjokRsmc0CUqy7eoDV+0w9pg48Kb2k4lpD
b7f5bjjdOax9YocGtYiG7zvQhUvmjPpKxT4X2GwIZQn9DGyB9RTSg/2P4lD1O76r
rN8OuMoJ5qKxZLkv9m8zfoIc+wydPfBe3oNBFJW4cRPRMqQR37/ViqpFk5k8Zebc
wWnYFPJ4az4enr3ddtzzX7yy1ysJJxKjzQIDAQAB
-----END RSA PUBLIC KEY-----

 

Configure your SAP HANA Cloud instance

Next, create trust between your SAP HANA Cloud and Okta instances. To achieve this, you need to register the public key we created earlier inside the SAP HANA Cloud trust store, create a new JWT provider, and link users to that authentication mechanism.

1. To add a new IdP provider, go to the JWT Identity Providers menu in SAP HANA Cloud Cockpit and add a new provider.

 

2. You will be required to specify the JWT provider name, the issuer URL, and the default external identity claim used to map SAP users to Okta identities.
  • The issuer URI can be seen on the Okta configuration page along with the authorization server: in the left menu choose “Security” → “API”, and with the “Authorization servers” tab selected, the list of configured servers has an “Issuer URI” column.
  • As the JWT identity claim, fill in “sub”. You may also specify additional claims you want to validate if you have them configured in your Okta application, e.g. scope.

3. Add a new public key by navigating to the public key store of your SAP HANA Cloud instance.

4. Click Import to import a new PEM key and paste your public key in the PEM format generated earlier.

5. Now we are required to link the JWT provider with its public key by creating a new certificate collection. Navigate to certificate collections.

6. Add collection → provide a name of your choice → select the public key we added in the previous step → set the purpose to JWT and select the Okta provider we created in step 1 of this section. Next, add the public key we created in step 4 to this collection.

Finally, create a new user with JWT authentication enabled

To create a user, go to the User Management menu → create a new user and enable the JWT authentication mechanism for the user. Next, click Add JWT Identity and select the Okta JWT provider we created earlier.

Connect to SAP HANA Cloud with your Okta account

Now that you have established trust between your SAP HANA Cloud instance and Okta, you can access SAP HANA data from Alteryx Designer using your Okta account. Add an Input or Output tool, check the “Use Data Connection Manager (DCM)” box, and select SAP HANA from the list of available data sources in Alteryx Designer. Next, select the Quick Connect option and provide your SAP HANA instance details.

Create a new credential and select the Okta authentication method. Provide the following parameters:
1. OAuth authority URL - the Okta authentication server URI;
2. OAuth redirect port - the port we selected when registering the new Okta application;
3. Client ID - the ID of the Okta application we registered in the previous step;
4. Client secret - optional. Only provide it if you created a client secret for the Okta application.

Create a new credential and select Okta. Provide a descriptive name for the application and set the scope to the scope value you defined when configuring the authorization server.

After filling out the above details and clicking Connect, you will be redirected to the Okta login page. You will be prompted to log in with your Okta account, grant this application the required permissions, and read your SAP HANA data.
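
The JWK-to-PEM conversion step and the key rotation note in the Okta section above, as an added example (not part of the original post, and not Alteryx, Okta or SAP code). It uses only the Python standard library and emits the PKCS#1 `RSA PUBLIC KEY` form shown in the post; the function names, the sample key and the `kid` values are constructed for illustration.

```python
import base64

def b64url_to_int(value: str) -> int:
    """Decode an unpadded base64url JWK field (RFC 7518) into an integer."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")

def int_to_b64url(number: int) -> str:
    """Inverse of b64url_to_int; only used to build the sample key below."""
    raw = number.to_bytes((number.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def der_len(length: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if length < 0x80:
        return bytes([length])
    raw = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def der_int(number: int) -> bytes:
    """DER INTEGER; the size formula adds the 0x00 sign byte when the top bit is set."""
    body = number.to_bytes(number.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body

def jwk_to_pkcs1_pem(jwk: dict) -> str:
    """RSA signing JWK -> PKCS#1 'RSA PUBLIC KEY' PEM, i.e. SEQUENCE { n, e }."""
    if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig":
        raise ValueError("expected an RSA signing key")
    body = der_int(b64url_to_int(jwk["n"])) + der_int(b64url_to_int(jwk["e"]))
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN RSA PUBLIC KEY-----", *lines,
                      "-----END RSA PUBLIC KEY-----"]) + "\n"

def rotation_report(registered_kids: set, jwks: dict) -> dict:
    """Compare the kids imported into the trust store with the kids published now."""
    published = {key["kid"] for key in jwks.get("keys", [])}
    return {"stale": sorted(registered_kids - published),    # no longer published
            "missing": sorted(published - registered_kids)}  # not yet imported

# Constructed sample: the modulus is a 2048-bit placeholder, not a real RSA key,
# and the kid values are made up; a real document comes from the /v1/keys endpoint.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "e": "AQAB",
                         "kid": "example-kid-2",
                         "n": int_to_b64url((1 << 2047) | 0x10001)}]}

if __name__ == "__main__":
    print(jwk_to_pkcs1_pem(SAMPLE_JWKS["keys"][0]))
    print(rotation_report({"example-kid-1"}, SAMPLE_JWKS))
```

A `missing` entry is a newly published signing key that still has to be converted and imported into the SAP HANA Cloud certificate collection; a `stale` entry is an imported key that the authorization server no longer publishes.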
     