The Delphix Engine contains a lightweight component that manages communication with the Data Control Tower.  

Overview

The following diagram shows the sequence of operations for registration and continued communication with the Data Control Tower.

Connect Engine Request (user action)

  1. The User logs into Data Control Tower with DCT admin privileges.
  2. From the Infrastructure page clicks Connect Engine.
  3. Enters the engine details for Internet Protocol  or fully qualified domain name (IP or FQDN) and then:
    1. Data Control Tower generates a one-time code (OTC).
    2. OTC is set to expire in five minutes.
    3. User’s browser details are associated with the OTC.
  4. Data Control Tower opens a new tab redirecting the user to the engine login page.

Engine Log In (user action)

  1. The Engine Registration page is displayed in a new browser tab and the OTC is passed to the engine as URL query parameter.
  2. User authenticates using a local engine sysadmin username/password.
  3. User clicks Connect.

Registration with Data Control Tower

  1. The agent sends a registration request to Data Control Tower with the OTC.
    1. Security check - Browser details are compared to those recorded at the time of OTC generation, this enforces that the browser that was used to initiate Engine registration is the same used to complete it.
  2. Data Control Tower sends a request to Okta to create an OAuth2 client credentials application.
  3. Delphix uses Okta to generate and return OAuth2 client id/secret pair for the application.
  4. Data Control Tower sends a request to Okta to create a SAML application.
  5. Okta returns SAML metadata.
  6. Data Control Tower returns the client credentials (id and secret) and SAML metadata to the agent/engine.
  7. Engine configures SAML based SSO using metadata.

Access Token Request

  1. Delphix Engine requests an OAuth2 access token from Data Control Tower.
    1. Using client id and secret.
  2. Data Control Tower proxies the request to Okta.
  3. Okta generates, signs and returns the access token.
  4. Data Control Tower returns the OAuth2 access token to the agent.

Engine to Data Control Tower Requests

  • Delphix Engine communicates with Data Control Tower API using the OAuth2 access token.