Configuring Your Okta IdP Environment

Copy

• Copy for LLM

  Copy page as Markdown for LLMs
• View as Markdown

  Open this page as Markdown
• Open in ChatGPT

  Get insights from ChatGPT
• Open in Claude

  Get insights from Claude
• Connect to Cursor

  Install MCP server on Cursor
• Connect to VS Code

  Install MCP server on VS Code

In the IdP environment, you must add Treasure Data to your list of authorized applications. Each Treasure Data account is added as a separate application and users are assigned to the Treasure Data applications in Okta.

Continue to the following topics:

• Prerequisites
• Create a Treasure Data Application in Okta
• Configure Okta in TD Console
• Create a Treasure Data Bookmark Application in Okta
• Application Username in Okta and User Identifier in TD Console

Prerequisites

• SSO account name

• Okta Account

• Treasure Data Account

• URN resource

Create a Treasure Data Application in Okta

1. After a new SSO-configured account has been set up for you by your account representative, create and set up a new application in Okta.

When the TD account is configured with the sso-configuration-enabled feature flag and given an account_name for IdP, a unique URN is created. You’ll need both the account_name for IdP and the supplied URN to configure your Okta account.

2. Log into your Okta account as an Admin and select the Admin button.
   

3. Select Add Applications.
   Your screen might look like this depending on how you accessed your Okta account.

4. Select Create New App.
   Your screen might look like this.

5. Next, select the SAML 2.0 protocol, which is used by Treasure Data to exchange authentication and authorization identities between security domains.

6. Configure SAML by typing in your App Name and uploading a logo if desired.

7. Set App visibility options:
   Select: Do not display application icon to users
   Select: Do not display application icon in the Okta Mobile app

8. Select Next.

9. Configure SAML.

   • Use https://sso.treasuredata.com/login/callback as your Single Sign-On URL. Note this value does not change in any sites or regions.

   • Use the urn that was created when your TD account was configured

urn:treasuredata:sso:<SITE>:<ACCOUNT_NAME> as your Audience URI (SP Entity ID).

Where<SITE> is currently one of the following: aws, aws-tokyo, eu01, or ap02.

For example, urn:treasuredata:sso:eu01:ACCOUNT_NAME.

• Keep Default Relay State empty.
  

10. Select Next.

11. Select Directory and add or invite new user(s) by selecting Add Person.

12. Specify the name and email of the user you wish to invite.

13. Select Save.

14. Each invited user receives an email with the link to activate their account. You can view which invitations are active or still pending activation.

15. Next, select Okta users to assign to your Okta application.

16. Select Assign Applications.

17. Select Assign to add the user to the account.

18. After the user is added to Treasure Data as an Okta user, they are redirected to Okta and to present their Okta credentials for authentication. You can then harvest the configuration needed to configure the IdP for a Treasure Data account.

Select the app and select View Setup Instructions.

19. Configure the Treasure Data account for this Okta application by collecting either of the following options and installing Treasure Data.

• The Identity Provider Single Sign-On URL

• X.509 Certificate

20. To enter the information using a single metadata file, copy the IDP metadata into a file and use it to configure the TD account.

Configure Okta in TD Console

1. At this point, set up your configuration in TD Console.

2. Next, you can test your connection.
   Optionally, you can complete your work in Okta before working in TD Console.

3. To complete the configuration in Okta, proceed to the next step of creating a Bookmark Application in Okta.

Create a Treasure Data Bookmark Application in okta

Bookmark apps direct users to a specific web page using a small Okta icon or chiclet. The Bookmark App allows the user to sign in to the application directly—without providing sensitive credential information.

The following steps are based on instructions from the Okta help documentation.

1. Create and set up another application on Okta

   • Specify the App name. You can specify any bookmark name, such as Treasure Data SSO. The name you specify is viewable from the Okta dashboard.

   • Specify the SSO URL. The URL is https://YOUR_REGION_TD/users/initiate_sso?account_name=ACCOUNT_NAME. For example, if you use prod-aws, the URL would be:https://console.us01.treasuredata.com/users/initiate_sso?account_name=ACCOUNT_NAME.

You obtain the account name from your Treasure Data customer success representative.

2. Assign Okta users to your Okta application bookmark and test the connection.

Application Username in Okta and User Identifier in TD Console

Okta uses Okta username as a default Application username format. The Application username is used as the identifier in TD Console. In TD Console, the default identifier is user email.

1. You need to ensure that the identifiers in Treasure Data match the Application usernames in Okta.

2. Select Edit to specify the Application username format in Okta.

3. Next, you’ll need to open TD Console to verify the same identifiers match.

4. From TD Console, navigate to Control Panel > Users.

5. Select the name or the Profile icon of the user.

6. Select Details to specify a user’s unique identifier in TD Console.