• Glossary
  • Support
  • Downloads
  • DataStax Home
Get Live Help
Expand All
Collapse All

DataStax Astra DB Classic Documentation

    • Overview
      • Release notes
      • Astra DB FAQs
      • Astra DB glossary
      • Get support
    • Getting Started
      • Create your database
      • Grant a user access
      • Load and retrieve data
        • Use DSBulk to load data
        • Use Data Loader in Astra Portal
      • Connect a driver
      • Build sample apps
      • Use integrations
    • Planning
      • Plan options
      • Database regions
    • Securing
      • Security highlights
      • Security guidelines
      • Default user permissions
      • Change your password
      • Reset your password
      • Authentication and Authorization
      • Astra DB Plugin for HashiCorp Vault
    • Connecting
      • Connecting to a VPC
      • Connecting Change Data Capture (CDC)
      • Connecting CQL console
      • Connect the Spark Cassandra Connector to Astra
      • Drivers for Astra DB
        • Connecting C++ driver
        • Connecting C# driver
        • Connecting Java driver
        • Connecting Node.js driver
        • Connecting Python driver
        • Connecting Legacy drivers
        • Drivers retry policies
      • Get Secure Connect Bundle
    • Migrating
      • Components
      • FAQs
      • Preliminary steps
        • Feasibility checks
        • Deployment and infrastructure considerations
        • Create target environment for migration
        • Understand rollback options
      • Phase 1: Deploy ZDM Proxy and connect client applications
        • Set up the ZDM Proxy Automation with ZDM Utility
        • Deploy the ZDM Proxy and monitoring
        • Configure Transport Layer Security
        • Connect client applications to ZDM Proxy
        • Leverage metrics provided by ZDM Proxy
        • Manage your ZDM Proxy instances
      • Phase 2: Migrate and validate data
        • Cassandra Data Migrator
        • DSBulk Migrator
      • Phase 3: Enable asynchronous dual reads
      • Phase 4: Change read routing to Target
      • Phase 5: Connect client applications directly to Target
      • Troubleshooting
        • Troubleshooting tips
        • Troubleshooting scenarios
      • Glossary
      • Contribution guidelines
      • Release Notes
    • Managing
      • Managing your organization
        • User permissions
        • Pricing and billing
        • Audit Logs
        • Bring Your Own Key
          • BYOK AWS DevOps API
        • Configuring SSO
          • Configure SSO for Microsoft Azure AD
          • Configure SSO for Okta
          • Configure SSO for OneLogin
      • Managing your database
        • Create your database
        • View your databases
        • Database statuses
        • Use DSBulk to load data
        • Use Data Loader in Astra Portal
        • Monitor your databases
        • Manage multiple keyspaces
        • Using multiple regions
        • Terminate your database
        • Resize your classic database
        • Park your classic database
        • Unpark your classic database
      • Managing with DevOps API
        • Managing database lifecycle
        • Managing roles
        • Managing users
        • Managing tokens
        • Managing multiple regions
        • Get private endpoints
        • AWS PrivateLink
        • Azure PrivateLink
        • GCP Private Service
    • Astra CLI
    • API QuickStarts
      • Document API QuickStart
      • REST API QuickStart
      • GraphQL CQL-first API QuickStart
    • Developing with APIs
      • Developing with Document API
      • Developing with REST API
      • Developing with GraphQL API
        • Developing with GraphQL API (CQL-first)
        • Developing with GraphQL API (Schema-first)
      • Developing with gRPC API
        • gRPC Rust Client
        • gRPC Go Client
        • gRPC Node.js Client
        • gRPC Java Client
      • Developing with CQL API
      • Tooling Resources
      • Node.js Document Collection Client
      • Node.js REST Client
    • API References
      • Astra DB JSON API v1
      • Astra DB REST API v2
      • Astra DB Document API v2
      • Astra DB DevOps API v2
  • DataStax Astra DB Classic Documentation
  • Managing
  • Managing your organization
  • Configuring SSO
  • Configure SSO for Microsoft Azure AD

Configuring single sign-on for Microsoft Azure AD

As the Organization Administrator, setting up single sign-on (SSO) is crucial to managing access to various applications. SSO allows for a seamless sign-on experience, and gives centralized and streamlined access control to security operations teams.

Prerequisites

To manage SSO settings, you must have the Read External Auth and the Write External Auth permissions. These permissions are included in the Organization Administrator role.

Ensure you map the following attributes in your IdP. They are required for Astra to identify your account and JIT provision new accounts.

  • email - Must be in email format and map to an attribute which matches the users Astra account ID (or desired account ID for JIT provisioning)

  • firstName - The user’s first name/given name

  • lastName - The user’s last name/surname

azure attributes

Click the claim, Unique User Identifier, and click its Value.

unique ID

Ensure the Source Attribute is in email format and maps to an attribute which matches the user’s Astra account ID (or desired account ID for JIT provisioning.) The Namespace field must also remain empty.

namespace sourceatt

Set up a Microsoft Azure AD Enterprise Application account to collect and add information for your IdP.

Adding identity provider

  1. From any page from Astra DB, select the Organizations dropdown. Select the organization for which you want to configure your SSO.

  2. Go to the left navigation and select Settings. Select Security Settings.

    If this is your first time configuring SSO, no identity providers (IdP) will be listed for your organization.

  3. Select Add Identity Provider.

  4. The Configure SSO page opens. Select Microsoft Azure AD as your IdP.

    The following fields display information you need to provide your IdP:

    • Reply URL

    • Identifier (Entity ID), also called "SP Identity ID"

    • Relay State, also called "Default Relay State"

    MS Azure linkIdP

  5. Copy and paste the provided Reply URL, Identifier (Entity ID), and Relay State into your Azure AD Enterprise App. For more information on configuring SSO, see the Azure AD documentation.

  6. From Azure AD, get your Login URL, Azure AD Identifier, and SAML Signing Certificate. To learn where to find this information, see the Azure AD documentation.

  7. Enter your Description, Login URL, Azure AD Identifier, and SAML Signing Certificate (Base64) for Azure AD into your Astra DB SSO configuration.

    MS Azure obtainIdP

  8. After confirming all the information is correct, scroll down and select Test Configuration.

    A new tab opens in the browser window housing your IdP log-in screens and flow. When you complete the login, the window closes.

    The Test Configuration is deemed successful when a confirmation icon appears beside the Test Configuration button.

    If the test was unsuccessful, review the SSO settings in Astra DB and your IdP console. If still unsuccessful, contact DataStax Support.

  9. Select Activate SSO when your test configuration is successful. A message appears confirming the SSO is now active for your selected organization.

Disabling your configuration

You can suspend any active configuration from your organization. The Disable option deactivates your active configuration.

If you disable your SSO configuration, users can access your organization without SSO authentication.

  1. Select the ellipsis (…​) next to your active configuration. Select Disable.

  2. A dialog box appears to confirm you want to disable this configuration. Type "disable" and select Disable SSO Configuration.

sso disableactive

Using identity provider drafts

To complete your configuration later, select Esc in your configuration to save the current information as a draft. All drafts and the active configuration appear on the table of the Single Sign-on (SSO) page.

sso drafts

  1. Select the ellipsis (…).

  2. Select either Edit or Delete:

    • Edit returns to the Configure SSO page to continue editing the draft and complete the SSO configuration.

    • Delete removes the row from the table and is permanent. This choice displays a dialog box. To delete the draft, type "delete" and select Delete SSO Authentication.

An organization can have have multiple configuration drafts, but only one active configuration.
sso draftactive

The Astra Icon

Optionally, the administrator can add the DataStax Astra logo to be recognizable to all users. Use the instructions below to download and add the logo.

Downloading the Astra Logo

  1. Open your Astra account and go to Settings in the left navigation.

  2. Select Security Settings. Scroll down to the Single Sign-on (SSO) box and click Add Identity Provider. Successfully complete the IdP configuration.

  3. Go to Advanced Settings and click Download Astra Logo.

You can only add the logo during configuration. When you successfully complete configuration, you are not able to return here to the logo.

Adding the Astra Logo

  1. Open Microsoft Azure AD and select Properties.

  2. There are several options to make changes here; the logo option is available.

  3. Click the blue folder and select the Astra logo.

  4. Click Save.

Azure logo

What’s next?

As needed, Update user permissions from the default JIT provision role.

Configuring SSO Configure SSO for Okta

General Inquiries: +1 (650) 389-6000 info@datastax.com

© DataStax | Privacy policy | Terms of use

DataStax, Titan, and TitanDB are registered trademarks of DataStax, Inc. and its subsidiaries in the United States and/or other countries.

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries.

Kubernetes is the registered trademark of the Linux Foundation.

landing_page landingpage