Multi-factor Auth for KNIME Server — Using Okta to modernise LDAP

James Weakley
3 min read · May 22, 2019


Okta have built a successful company on making authentication easy, and recently their managed LDAP interface became generally available to all customers.

It was great timing for me, as I was helping out our Business Intelligence team deploying KNIME Server to our AWS environment. It’s the commercial complement to the open source KNIME Analytics Platform. In line with the analytics software industry’s undying love of Java, it runs on Apache TomEE.

LDAP is a supported method of authentication for KNIME server. Let’s face it, 99% of the time in an enterprise scenario, this involves pointing it at a Microsoft Active Directory domain controller.

An Okta customer can instead point it at their Okta LDAP interface. For example, if your Okta domain is your_org.okta.com, in your server.xml file you would define a Realm like this:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://your_org.ldap.okta.com:636"
       roleBase="ou=groups,dc=your_org,dc=okta,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       connectionName="uid=adminuser,dc=your_org,dc=okta,dc=com"
       connectionPassword="${LDAP_CONNECTION_PWD}"
       userPattern="uid={0},dc=your_org,dc=okta,dc=com"
       userBase="ou=users,dc=your_org,dc=okta,dc=com"
       allRolesMode="strictAuthOnly"
       connectionTimeout="60000"/>

The connection password is not hard-coded in server.xml: it is supplied through the CATALINA_OPTS section of setenv.sh, and Tomcat substitutes it for ${LDAP_CONNECTION_PWD} when it parses the Realm. In our case, we retrieve this value from AWS SSM at boot time.
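As an added example (not code from the original post), here is a setenv.sh fragment that does what the paragraph above describes: it pulls the bind password from AWS SSM Parameter Store at start-up and hands it to the JVM as the system property that ${LDAP_CONNECTION_PWD} in server.xml resolves to. The parameter name /knime/ldap/connection_password is an assumption, and the SSM lookup only runs when the file is sourced by catalina.sh (which sets CATALINA_HOME first), so the helper functions can be exercised on their own.

```shell
#!/bin/sh
# setenv.sh fragment (added example; the SSM parameter name is assumed).
# Tomcat substitutes ${LDAP_CONNECTION_PWD} in server.xml from JVM system
# properties, so the value is passed with -D via CATALINA_OPTS.

LDAP_PWD_PARAM="${LDAP_PWD_PARAM:-/knime/ldap/connection_password}"

# Fetch the SecureString parameter, decrypted under the instance role's KMS permissions.
fetch_ldap_password() {
  aws ssm get-parameter \
    --name "$LDAP_PWD_PARAM" \
    --with-decryption \
    --query 'Parameter.Value' \
    --output text
}

# Append the -D definition to an existing CATALINA_OPTS value and print the result.
# Refuses an empty password: JNDIRealm would otherwise attempt an anonymous bind.
# The value must not contain whitespace, because CATALINA_OPTS is word-split by catalina.sh.
append_ldap_opt() {
  _pwd="$1"
  _existing="${2:-}"
  if [ -z "$_pwd" ]; then
    echo "LDAP bind password is empty; refusing to start KNIME Server" >&2
    return 1
  fi
  case "$_pwd" in
    *[[:space:]]*)
      echo "LDAP bind password contains whitespace; cannot pass it via CATALINA_OPTS" >&2
      return 1 ;;
  esac
  if [ -n "$_existing" ]; then
    printf '%s' "$_existing -DLDAP_CONNECTION_PWD=$_pwd"
  else
    printf '%s' "-DLDAP_CONNECTION_PWD=$_pwd"
  fi
}

# Only perform the SSM lookup when sourced by catalina.sh at start-up.
if [ -n "${CATALINA_HOME:-}" ]; then
  CATALINA_OPTS="$(append_ldap_opt "$(fetch_ldap_password)" "${CATALINA_OPTS:-}")" || exit 1
  export CATALINA_OPTS
fi
```

One caveat worth knowing: a -D system property is visible in the process command line (ps, /proc/PID/cmdline) to any local user who can list processes, so the Tomcat host should not be shared with untrusted logins. The empty-password check matters because an empty connectionPassword makes JNDIRealm bind anonymously, which on most directories silently degrades to "no roles found" rather than an obvious failure.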

Importantly, I extended the LDAP connection timeout to 60 seconds from the default of 5 seconds. This is because in the Multi-Factor Auth (MFA) scenario, Okta waits for the user to acknowledge the MFA prompt before responding to the LDAP bind request.

Finally, you have to tell KNIME which LDAP group the KNIME admins belong to. This is done in the knime-server.config file under the workflow repository directory.

com.knime.server.server_admin_groups=KNIME Administrators

Here I am at the login screen:

When I click “Login”, my iPhone immediately buzzes me to approve the login in the Okta Verify app, while the browser waits:

Once I click Approve, I’m in!

Shout-outs to Luke Gibson (nib’s resident Okta guru) and Craig Cullum at Forest Grove Technology for helping out along the way with this deployment.
