Configure single sign-on for Astra

Single sign-on (SSO) enables a seamless sign-on experience for users and a centralized access control method for security operations teams.

Astra supports any SAML-compatible identity provider (IdP):

  • Microsoft Entra ID (formerly Microsoft Azure AD)

  • Okta

  • OneLogin

  • Google Identity Platform

  • Ping Identity

  • Any other SAML-compatible IdP

Astra supports Just-in-Time (JIT) provisioning, which creates an Astra account for a user who doesn’t already have an Astra account, but was granted access to an Astra organization through an IdP. The first time the user signs in to their account through SSO, their account is automatically created with a set of default permissions and added to the Astra organization that is associated with the SSO configuration. The Organization Administrator can adjust each user’s permissions as needed after their account is created.

Removing a user from your IdP does not remove the user from your Astra organization, and it does not delete the user’s Astra account. You must also remove the user from your organization.

To configure SSO in Astra, you must do the following:

  1. Connect your identity provider (IdP) to your Astra organization so they can exchange information.

  2. Test the connection.

  3. Activate SSO.

After you configure and activate SSO, users in the linked Astra organization must use your designated IdP to sign in to Astra.

Prerequisites

Add an identity provider

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, click the name of the active organization, and then select the organization where you want to configure SSO.

    If the organization belongs to an enterprise, select the enterprise, and then select the organization in the Organizations list.

    You can’t configure SSO for your default (personal) organization.

  3. In the Settings navigation menu, click Security.

  4. Click Add Identity Provider.

  5. Enter a name for the SSO configuration.

  6. Select the identity provider (IdP) you want to use. If your IdP isn’t listed, select Other.

  7. In a new browser tab or window, sign in to your IdP administrator account, and then configure the Astra SSO integration in your IdP.

    • Azure AD

    • Okta

    • OneLogin

    • Other

    1. In Astra, copy the Reply URL, Identifier (Entity ID), and Relay State, and then enter these values in the corresponding fields in your Azure AD application. For more information, see the Azure AD documentation.

      Astra automatically generates SAML URLs.

    2. In your Azure AD application, map the following attributes to ensure Astra can identify existing Astra accounts and perform JIT provisioning for new accounts:

      • email: Must be in email format and map to an attribute that matches the user’s Astra account ID (email address) or an account ID for JIT provisioning

      • firstName: The user’s first name or given name

      • lastName: The user’s last name or surname

    3. In your Azure AD application, in the Attributes & Claims section, click the required claim, and then click the value for the Unique User Identifier (Name ID).

    4. In your Azure AD application, in the Manage claim section. ensure the Source attribute is in email format and maps to an attribute that matches the user’s Astra account ID or the account ID for JIT provisioning. Ensure the Namespace field is empty.

    5. In your Azure AD application, copy the Login URL, Azure AD Identifier, and SAML Signing Certificate, and then enter these values in the corresponding fields in Astra.

    1. In Astra, copy the Single sign on URL, Audience URI, and Default Relay State, and then enter these values in the corresponding fields in your Okta app. For more information, see the Okta documentation.

      Astra automatically generates SAML URLs.

    2. In your Okta application, map the following attributes to ensure Astra can identify existing Astra accounts and perform JIT provisioning for new accounts:

      • email: Must be in email format and map to an attribute that matches the user’s Astra account ID (email address) or the account ID for JIT provisioning

      • subject: Must be in email format with the same address as the email attribute

      • firstName: The user’s first name or given name

      • lastName: The user’s last name or surname

    3. In your Okta application, copy the Identity Provider Single Sign-On URL, Identity Provider Issuer, and x.509 Certificate, and then paste these values in the corresponding fields in Astra.

    1. In Astra, copy the ACS (Consumer) URL, Audience, and Relay State, and then enter these values in the corresponding fields in your OneLogin app. For more information, see the OneLogin documentation.

      Astra automatically generates SAML URLs.

    2. In your OneLogin application, map the following attributes to ensure Astra can identify existing Astra accounts and perform JIT provisioning for new accounts:

      • email: Must be in email format and map to an attribute that matches the user’s Astra account ID (email address) or the account ID for JIT provisioning

      • firstName: The user’s first name or given name

      • lastName: The user’s last name or surname

    3. In your OneLogin application, copy the SAML 2.0 Endpoint, Issuer URL, and x.509 Certificate, and then enter these values in the corresponding fields in Astra.

    1. In Astra, copy the Single sign on URL, Audience URI, and Default Relay State, and then enter these values in the corresponding fields in your IdP application. For more information, see your IdP’s documentation.

      Astra automatically generates SAML URLs.

    2. In your IdP application, map the following attributes to ensure Astra can identify existing Astra accounts and perform JIT provisioning for new accounts:

      • email: Must be in email format and map to an attribute that matches the user’s Astra account ID (email address) or the account ID for JIT provisioning

      • firstName: The user’s first name or given name

      • lastName: The user’s last name or surname

    3. In your IdP application, copy the Identity Provider Signle Sign-On URL, Identity Provider Issuer, and x.509 Certificate, and then enter these values in the corresponding fields in Astra.

  8. Optional: Download the Astra logo for your IdP dashboard:

    1. In Advanced settings, click Download Astra Logo, and then add the logo to your IdP. This helps users to easily find Astra in your IdP.

      You can download the icon only during initial configuration.

  9. Click Activate SSO.

    If you do not activate the configuration now, it is saved as a draft. You can activate it later by editing the configuration.

Sign in with SSO

You can sign in to the Astra Portal through your IdP if your Organization Administrator has enabled SSO.

Sign in to your IdP platform, select the Astra application, and then follow the prompts to sign in.

The first time you access the Astra application, you must review the DataStax terms and conditions.

Upon sign in, Astra determines if an account already exists for the email address associated with your sign-in credentials. If an account exists, you are signed in to your existing account. If an account does not exist, then Astra creates a new account automatically.

The default user session timeout is approximately two hours unless your administrator specifies a different timeout in the Astra application configuration in your IdP or your IdP has a different default timeout setting.

Edit an SSO configuration

You can edit an active SSO configuration or activate a draft configuration:

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, click the name of the active organization, and then select the organization you want to edit.

    If the organization belongs to an enterprise, select the enterprise, and then select the organization in the Organizations list.

  3. In the Settings navigation menu, click Security.

  4. Find the SSO configuration you need to edit, click More, and then select Edit.

  5. Make the necessary changes, and then save or activate the configuration.

Delete an SSO configuration

If you no longer want members of your organization to authenticate through your IdP to access Astra DB Classic, you can delete the configuration.

Deleting an SSO configuration is permanent and irreversible.

Deleting an SSO configuration does not remove users from your Astra organization or delete their Astra accounts. Users can still access your organization through other sign in options (GitHub, Google, or username and password), if they have access to the email address associated with their account.

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, click the name of the active organization, and then select the organization where you want to delete an SSO configuration.

    If the organization belongs to an enterprise, select the enterprise, and then select the organization in the Organizations list.

  3. In the Settings navigation menu, click Security.

  4. Find the SSO configuration you want to delete, click More, and then select Delete.

  5. To confirm the deletion, enter delete, and then click Delete SSO Authentication.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com