Configure single sign-on for Astra
Single sign-on (SSO) enables a seamless sign-on experience for users and a centralized access control method for security operations teams.
When you enable SSO for an Astra organization, users access your Astra organization through their identity provider (IdP) dashboard. The first time a user does this, Astra can find the user’s existing Astra account or create a new account through Just-in-Time (JIT) provisioning.
Existing accounts are granted access to the organization associated with the SSO configuration. If the user was invited to the organization, they are granted the role defined in their invitation. JIT accounts are assigned a read-only role in the associated organization.
Aside from sign in and initial organization access, Astra RBAC isn’t controlled through the IdP. The Organization Administrator must edit user roles and remove users through the Astra Portal.
Removing a user from your IdP doesn’t remove the user from your Astra organization, and it doesn’t delete the user’s Astra account. After removing a user from your IdP, you must also remove the user from your Astra organization.
Prerequisites
To manage SSO for Astra, you need the following permissions:
- In Astra, you need the Organization Administrator role or a custom role with Read External Auth and Write External Auth permissions.
- In your IdP, you need administrator access or permission to create or edit SAML SSO app integrations.
Add an identity provider
Astra supports any SAML-compatible identity provider (IdP), including Microsoft Entra ID (formerly Microsoft Azure AD), Okta, OneLogin, Google Identity Platform, and Ping Identity.
To enable SSO in Astra, you must connect your IdP to your Astra organization so they can exchange information, and then activate the SSO configuration.
- In the Astra Portal header, click Settings.
- In the Settings navigation menu, click the name of the active organization, and then select the organization where you want to configure SSO.
  If the organization belongs to an enterprise, select the enterprise, and then select the organization in the Organizations list.
  You cannot configure SSO for your default (personal) organization.
- In the Settings navigation menu, click Security.
- Click Add Identity Provider.
- Enter a name for the SSO configuration.
- Select the IdP that you want to use. If your IdP isn’t listed, select Other.
  After you select a provider, Astra automatically generates SAML URLs. It can take a few seconds to generate the URLs. If you switch providers, allow some time for the SAML URLs to refresh.
- Open a new browser tab or window, and then sign in to your IdP’s administration platform to configure the Astra SSO integration. Follow the steps for your IdP:
Microsoft Entra ID
- In the Entra ID admin center, create an enterprise application for this Astra SSO integration.
  If you plan to enable SSO for multiple Astra organizations, consider including the organization name in the application name.
- In the application’s settings, click Single sign-on, and then select SAML.
  The following steps explain the SAML SSO configuration for Astra in Entra ID. For more information, see Enable SAML single sign-on for an Entra ID enterprise application.
- In the application’s Basic SAML Configuration, enter the values for Identifier (Entity ID), Reply URL, and Relay State that are provided in the Astra Portal.
- In the application’s User Attributes & Claims, configure the claims mappings that are required for Astra to identify existing user accounts and perform JIT provisioning for new accounts.
  The Namespace field must be empty for these mappings.

| Claim name | Namespace | Source attribute |
| --- | --- | --- |
| Unique User Identifier (Name ID) | Empty | user.userprincipalname |
| email | Empty | user.mail |
| firstName | Empty | user.givenname |
| lastName | Empty | user.surname |

  The Unique User Identifier (Name ID) must map to an attribute that is in email format and appropriate for Astra account IDs (usernames), which are email addresses. These email addresses are visible in the Astra Portal, and Astra administrators use them to manage users in organizations and enterprises.
- From the application’s Single sign-on settings, transfer the following values to the corresponding fields in the Astra Portal:
  - Copy the Sign on URL, and then paste it into the Login URL field.
  - Copy the Microsoft Entra Identifier, and then paste it into the Azure AD Identifier field.
  - Download the application’s raw SAML certificate, and then paste the certificate into the SAML Signing Certificate field.

Okta
- In the Okta admin console, create a SAML app integration for Astra.
  If you plan to enable SSO for multiple Astra organizations, consider including the organization name in the application name.
- In the integration’s general SAML settings, enter the values for Audience URI, Single sign on URL, and Default Relay State that are provided in the Astra Portal.
- Set the Name ID format to EmailAddress, and then map it to user.email. This setting must map to an attribute that is in email format and appropriate for Astra account IDs (usernames), which are email addresses. These email addresses are visible in the Astra Portal, and Astra administrators use them to manage users in organizations and enterprises.
- Add the following attribute statements that are required for Astra to identify existing user accounts and perform JIT provisioning for new accounts:

| Attribute name | Mapping | Description |
| --- | --- | --- |
| email | user.email | Must map to the same attribute as the Name ID. |
| firstName | user.firstName | The user’s first name or given name |
| lastName | user.lastName | The user’s last name or surname |

- From the Okta application, get the values for Identity Provider Single Sign-On URL, Identity Provider Issuer, and x.509 Certificate, and then enter these values in the corresponding fields in the Astra Portal.

OneLogin
- In the OneLogin admin portal, create a SAML Custom Connector application.
  If you plan to enable SSO for multiple Astra organizations, consider including the organization name in the application name.
- In the application’s Configuration settings, enter the values for Audience, ACS (Consumer) URL, and Relay State that are provided in the Astra Portal.
- In the application’s Parameters settings, configure the attribute mappings that are required for Astra to identify existing user accounts and perform JIT provisioning for new accounts:

| Attribute | Mapping | Description |
| --- | --- | --- |
| email | Email | Must map to an attribute that is in email format and appropriate for Astra account IDs (usernames), which are email addresses. These email addresses are visible in the Astra Portal, and Astra administrators use them to manage users in organizations and enterprises. |
| firstName | First Name | The user’s first name or given name |
| lastName | Last Name | The user’s last name or surname |

- From the OneLogin application, get the values for SAML 2.0 Endpoint, Issuer URL, and x.509 Certificate, and then enter these values in the corresponding fields in the Astra Portal.

Other
- In your IdP’s admin console, create a SAML SSO app integration for Astra.
  If you plan to enable SSO for multiple Astra organizations, consider including the organization name in the integration’s name.
- In the integration’s settings, enter the values for Audience URI, SAML Assertion Consumer Service (ACS) URL, and Relay State that are provided in the Astra Portal.
  For more information, see your IdP’s documentation.
- Configure the attribute mappings that are required for Astra to identify existing user accounts and perform JIT provisioning for new accounts:
  - Map the email field to an attribute that is in email format and appropriate for Astra account IDs (usernames), which are email addresses. These email addresses are visible in the Astra Portal, and Astra administrators use them to manage users in organizations and enterprises.
  - Map the firstName field to an attribute representing the user’s first name or given name.
  - Map the lastName field to an attribute representing the user’s last name or surname.
- From the integration’s settings, get the values for Identity Provider Single Sign-On URL, Identity Provider Issuer, and x.509 Certificate, and then enter these values in the corresponding fields in the Astra Portal.
- Click Test Configuration to verify the configuration before activating it.
- Optional: To add the Astra logo to your IdP dashboard, click Download Astra Logo, and then add the logo to your SSO application or integration settings in your IdP.
  This helps users to easily find Astra in your IdP.
  You can download the icon only during initial configuration.
- Click Activate SSO.
  After you activate an SSO configuration, users in the associated Astra organization must use your designated IdP to sign in to Astra.
  If you aren’t ready to activate this SSO configuration, you can save it as a draft. To activate a draft SSO configuration, see Edit an SSO configuration.
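The following Python script is an added example, not part of the DataStax documentation: it checks a SAML assertion for the mappings described above (a Name ID in email format, bare email, firstName and lastName claims with no namespace prefix, and an Audience equal to the Entity ID / Audience URI copied from the Astra Portal), which is a useful way to read the assertion your IdP produces when Test Configuration fails. The assertion here is a constructed sample, and ENTITY-ID-PLACEHOLDER stands in for the identifier the Astra Portal generates.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claims Astra expects; the claim Name must be exactly this, with no namespace prefix.
REQUIRED_ATTRS = ("email", "firstName", "lastName")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample assertion (not captured from a real IdP). ENTITY-ID-PLACEHOLDER
# stands for the Identifier (Entity ID) / Audience URI that the Astra Portal generates.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>ENTITY-ID-PLACEHOLDER</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_audience):
    """Return a list of mapping problems; an empty list means the assertion looks right."""
    problems = []
    root = ET.fromstring(xml_text)
    # Astra uses the Name ID as the account ID, so it has to be an email address.
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not EMAIL_RE.match(name_id):
        problems.append(f"NameID {name_id!r} is not an email address")
    # The Audience must equal the Entity ID / Audience URI copied from the Astra Portal.
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                             default="", namespaces=NS).strip()
    if audience != expected_audience:
        problems.append(f"Audience {audience!r} does not match the Astra Entity ID")
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        # A non-empty Namespace in Entra ID turns the claim name into a URI; Astra wants the bare name.
        if "/" in name or ":" in name:
            problems.append(f"claim {name!r} carries a namespace prefix; use the bare claim name")
        attrs[name] = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                       if v.text and v.text.strip()]
    for required in REQUIRED_ATTRS:
        if not attrs.get(required):
            problems.append(f"required claim {required!r} is missing or empty")
    email = (attrs.get("email") or [""])[0]
    if email and not EMAIL_RE.match(email):
        problems.append(f"email claim {email!r} is not an email address")
    return problems
```

Call `check_assertion(decoded_assertion_xml, "<Entity ID from the Astra Portal>")` on the assertion your IdP returns (after decoding it from the SAML response) and fix each reported mapping in the IdP before you activate the configuration.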
Sign in with SSO
You can sign in to the Astra Portal through your IdP if an Organization Administrator has enabled SSO.
Sign in to your IdP platform, select the Astra application, and then follow the prompts to sign in.
The first time you access the Astra application, you must review the DataStax terms and conditions.
Upon sign in, Astra determines if an account already exists for the email address associated with your IdP profile. If an account exists, you are signed in to your existing account. If an account does not exist, then Astra creates a new account automatically.
The default user session timeout is approximately two hours unless your administrator specifies a different timeout in the Astra application configuration in your IdP or your IdP has a different default timeout setting.
Edit an SSO configuration
You can edit an active SSO configuration or activate a draft configuration:
- In the Astra Portal header, click Settings.
- In the Settings navigation menu, click the name of the active organization, and then select the organization you want to edit.
  If the organization belongs to an enterprise, select the enterprise, and then select the organization in the Organizations list.
- In the Settings navigation menu, click Security.
- Find the SSO configuration you need to edit, click More, and then select Edit.
- Make the necessary changes, and then save or activate the configuration.
Renew an SSO certificate
All users, including administrators, are locked out of the Astra Portal if you renew the certificate before you disable the existing SSO configuration in the Astra Portal.
If you need to renew the SSO certificate, you must remove the existing SSO configuration, and then create and activate a new configuration with the new certificate:
- Follow the steps to delete the existing SSO configuration.
- Create and activate a new SSO configuration, as explained in Add an identity provider, with the following modifications:
  - Edit the existing Astra app integration in your IdP instead of creating a new one.
  - Make sure you use the new certificate for the new SSO configuration.
Delete an SSO configuration
If you no longer want members of your organization to authenticate through your IdP to access your Astra organization, you can delete the configuration.
Deleting an SSO configuration is permanent and irreversible. Deleting an SSO configuration doesn’t remove users from your Astra organization or delete their Astra accounts. Users can still access your organization through other sign in options (GitHub, Google, or username and password), if they have access to the email address associated with their account.
- In the Astra Portal header, click Settings.
- In the Settings navigation menu, click the name of the active organization, and then select the organization where you want to delete an SSO configuration.
  If the organization belongs to an enterprise, select the enterprise, and then select the organization in the Organizations list.
- In the Settings navigation menu, click Security.
- Find the SSO configuration you want to delete, click More, and then select Delete.
- To confirm the deletion, enter delete, and then click Delete SSO Authentication.