Configure single sign-on for Astra

Single sign-on (SSO) enables a seamless sign-on experience for users and a centralized access control method for security operations teams.

Astra supports any SAML-compatible identity provider (IdP), including Microsoft Entra ID (formerly Microsoft Azure AD), Okta, OneLogin, Google Identity Platform, and Ping Identity.

When you enable SSO for an Astra organization, users access your Astra organization through their identity provider (IdP) dashboard. The integration automatically searches for an existing Astra account based on the email address in a user’s IdP profile. If no matching account is found, it creates a new account through Just-in-Time (JIT) provisioning. For more information, see Sign in with SSO.

Aside from sign-in and initial organization access, Astra RBAC isn’t controlled through the IdP. The Organization Administrator must edit user roles and remove users through the Astra Portal.

Removing a user from your IdP doesn’t remove the user from your Astra organization, and it doesn’t delete the user’s Astra account. After removing a user from your IdP, you must also remove the user from your Astra organization.

To use your IdP for entitlement management in addition to SSO, you must also enable SCIM for Astra.

Prerequisites

Add an identity provider

Astra supports any SAML-compatible identity provider (IdP), including Microsoft Entra ID (formerly Microsoft Azure AD), Okta, OneLogin, Google Identity Platform, and Ping Identity.

To enable SSO in Astra, you must connect your IdP to your Astra organization so they can exchange information, and then activate the SSO configuration.

The general process is the same for all IdPs with the exception of the IdP app and IdP-specific fields.

Configure Microsoft Entra ID

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, make sure the enterprise/organization filter is set to the organization that you want to manage.

    If the organization belongs to an enterprise, you must filter on the enterprise, and then click the organization name in the Organizations list.

    You cannot configure SSO for any default (personal) organization, including default organizations that belong to other users.

    You cannot configure SSO at the enterprise level.

  3. In the Settings navigation menu, click Security.

  4. Click Add Identity provider.

  5. Enter a name for the SSO configuration.

  6. Select Microsoft Entra ID as the IdP.

    After you select a provider, Astra automatically generates SAML URLs. It can take a few seconds to generate the URLs. If you switch providers, allow some time for the SAML URLs to refresh.

  7. In a new browser tab or window, sign in to the Entra ID admin center, and then create an enterprise application for this Astra SSO integration.

    If you plan to enable SSO for multiple Astra organizations, consider including the organization name in the application name.

  8. In the application’s settings, click Single sign-on, and then select SAML.

    The following steps explain the SAML SSO configuration for Astra in Entra ID. For more information, see Enable SAML single sign-on for an Entra ID enterprise application.

  9. In the application’s Basic SAML Configuration, enter the values for Identifier (Entity ID), Reply URL, and Relay State that are provided in the Astra Portal.

  10. In the application’s User Attributes & Claims, configure claims mappings that are required for Astra to identify existing user accounts and perform JIT provisioning for new accounts.

    The Namespace field must be empty for these mappings.

    Claim name                          Namespace   Source attribute
    Unique User Identifier (Name ID)    Empty       user.userprincipalname
    email                               Empty       user.mail
    firstName                           Empty       user.givenname
    lastName                            Empty       user.surname

    The Unique User Identifier (Name ID) must map to an attribute that is in email format and appropriate for Astra account IDs (usernames), which are email addresses. These email addresses are visible in the Astra Portal, and Astra administrators use them to manage users in organizations and enterprises.

  11. From the application’s Single sign-on settings, transfer the following values to the corresponding fields in the Astra Portal:

    1. Copy the Sign on URL, and then paste it into the Login URL field.

    2. Copy the Microsoft Entra Identifier, and then paste it into the Azure AD Identifier field.

    3. Download the application’s raw SAML certificate, and then paste the certificate into the SAML Signing Certificate field.

  12. Click Test Configuration to verify the configuration before activating it.

  13. Optional: To add the Astra logo to your IdP dashboard, click Download Astra Logo, and then add the logo to your SSO application or integration settings in your IdP.

    This helps users to easily find Astra in your IdP.

    You can download the icon only during initial configuration.

  14. Activate the configuration or save it as a draft:

    • Save and activate: Click Activate SSO. After you activate an SSO configuration, users in the associated Astra organization must use your designated IdP to sign in to Astra.

    • Save as draft (inactive): Click Cancel, and then click Save as draft. To activate a draft SSO configuration, see Edit an SSO configuration.

  15. Optional: To use your IdP for entitlement management in addition to SSO, you must also enable SCIM for Astra.

Configure Okta

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, make sure the enterprise/organization filter is set to the organization that you want to manage.

    If the organization belongs to an enterprise, you must filter on the enterprise, and then click the organization name in the Organizations list.

    You cannot configure SSO for any default (personal) organization, including default organizations that belong to other users.

    You cannot configure SSO at the enterprise level.

  3. In the Settings navigation menu, click Security.

  4. Click Add Identity provider.

  5. Enter a name for the SSO configuration.

  6. Select Okta as the IdP.

    After you select a provider, Astra automatically generates SAML URLs. It can take a few seconds to generate the URLs. If you switch providers, allow some time for the SAML URLs to refresh.

  7. In a new browser tab or window, sign in to the Okta admin console, and then create a SAML app integration for Astra.

    If you plan to enable SSO for multiple Astra organizations, consider including the organization name in the application name.

  8. In the integration’s general SAML settings, enter the values for Audience URI, Single sign on URL, and Default Relay State that are provided in the Astra Portal.

  9. Set the Name ID format to EmailAddress, and then map it to user.email.

    This setting must map to an attribute that is in email format and appropriate for Astra account IDs (usernames), which are email addresses. These email addresses are visible in the Astra Portal, and Astra administrators use them to manage users in organizations and enterprises.

  10. Add the following attribute statements that are required for Astra to identify existing user accounts and perform JIT provisioning for new accounts:

    Attribute name   Mapping          Description
    email            user.email       Must map to the same attribute as the Name ID.
    firstName        user.firstName   The user’s first name or given name
    lastName         user.lastName    The user’s last name or surname

  11. From the Okta application, get the values for Identity Provider Single Sign-On URL, Identity Provider Issuer, and x.509 Certificate, and then enter these values in the corresponding fields in the Astra Portal.

  12. Click Test Configuration to verify the configuration before activating it.

  13. Optional: To add the Astra logo to your IdP dashboard, click Download Astra Logo, and then add the logo to your SSO application or integration settings in your IdP.

    This helps users to easily find Astra in your IdP.

    You can download the icon only during initial configuration.

  14. Activate the configuration or save it as a draft:

    • Save and activate: Click Activate SSO. After you activate an SSO configuration, users in the associated Astra organization must use your designated IdP to sign in to Astra.

    • Save as draft (inactive): Click Cancel, and then click Save as draft. To activate a draft SSO configuration, see Edit an SSO configuration.

  15. Optional: To use your IdP for entitlement management in addition to SSO, you must also enable SCIM for Astra.

Configure OneLogin

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, make sure the enterprise/organization filter is set to the organization that you want to manage.

    If the organization belongs to an enterprise, you must filter on the enterprise, and then click the organization name in the Organizations list.

    You cannot configure SSO for any default (personal) organization, including default organizations that belong to other users.

    You cannot configure SSO at the enterprise level.

  3. In the Settings navigation menu, click Security.

  4. Click Add Identity provider.

  5. Enter a name for the SSO configuration.

  6. Select OneLogin as the IdP.

    After you select a provider, Astra automatically generates SAML URLs. It can take a few seconds to generate the URLs. If you switch providers, allow some time for the SAML URLs to refresh.

  7. In a new browser tab or window, sign in to the OneLogin admin portal, and then create a SAML Custom Connector application.

    If you plan to enable SSO for multiple Astra organizations, consider including the organization name in the application name.

  8. In the application’s Configuration settings, enter the values for Audience, ACS (Consumer) URL, and Relay State that are provided in the Astra Portal.

  9. In the application’s Parameters settings, configure attribute mappings that are required for Astra to identify existing user accounts and perform JIT provisioning for new accounts:

    Attribute   Mapping      Description
    email       Email        The Astra account ID (username); must be in email format
    firstName   First Name   The user’s first name or given name
    lastName    Last Name    The user’s last name or surname

    The email attribute must map to an attribute that is in email format and appropriate for Astra account IDs (usernames), which are email addresses. These email addresses are visible in the Astra Portal, and Astra administrators use them to manage users in organizations and enterprises.

  10. From the OneLogin application, get the values for SAML 2.0 Endpoint, Issuer URL, and x.509 Certificate, and then enter these values in the corresponding fields in the Astra Portal.

  11. Click Test Configuration to verify the configuration before activating it.

  12. Optional: To add the Astra logo to your IdP dashboard, click Download Astra Logo, and then add the logo to your SSO application or integration settings in your IdP.

    This helps users to easily find Astra in your IdP.

    You can download the icon only during initial configuration.

  13. Activate the configuration or save it as a draft:

    • Save and activate: Click Activate SSO. After you activate an SSO configuration, users in the associated Astra organization must use your designated IdP to sign in to Astra.

    • Save as draft (inactive): Click Cancel, and then click Save as draft. To activate a draft SSO configuration, see Edit an SSO configuration.

  14. Optional: To use your IdP for entitlement management in addition to SSO, you must also enable SCIM for Astra.

Configure other SAML-compatible IdPs

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, make sure the enterprise/organization filter is set to the organization that you want to manage.

    If the organization belongs to an enterprise, you must filter on the enterprise, and then click the organization name in the Organizations list.

    You cannot configure SSO for any default (personal) organization, including default organizations that belong to other users.

    You cannot configure SSO at the enterprise level.

  3. In the Settings navigation menu, click Security.

  4. Click Add Identity provider.

  5. Enter a name for the SSO configuration.

  6. Select Other as the IdP.

    After you select a provider, Astra automatically generates SAML URLs. It can take a few seconds to generate the URLs. If you switch providers, allow some time for the SAML URLs to refresh.

  7. In a new browser tab or window, sign in to your IdP’s admin console, and then create a SAML SSO app integration for Astra.

    If you plan to enable SSO for multiple Astra organizations, consider including the organization name in the application name.

  8. In the application’s settings, enter the values for Audience URI, SAML Assertion Consumer Service (ACS) URL, and Relay State that are provided in the Astra Portal.

    For more information, see your IdP’s documentation.

  9. Configure attribute mappings that are required for Astra to identify existing user accounts and perform JIT provisioning for new accounts:

    • Map the email field to an attribute that is in email format and appropriate for Astra account IDs (usernames), which are email addresses. These email addresses are visible in the Astra Portal, and Astra administrators use them to manage users in organizations and enterprises.

    • Map the firstName field to an attribute representing the user’s first name or given name.

    • Map the lastName field to an attribute representing the user’s last name or surname.

  10. From the application’s settings, get the values for Identity Provider Single Sign-On URL, Identity Provider Issuer, and x.509 Certificate, and then enter these values in the corresponding fields in the Astra Portal.

  11. Click Test Configuration to verify the configuration before activating it.

  12. Optional: To add the Astra logo to your IdP dashboard, click Download Astra Logo, and then add the logo to your SSO application or integration settings in your IdP.

    This helps users to easily find Astra in your IdP.

    You can download the icon only during initial configuration.

  13. Activate the configuration or save it as a draft:

    • Save and activate: Click Activate SSO. After you activate an SSO configuration, users in the associated Astra organization must use your designated IdP to sign in to Astra.

    • Save as draft (inactive): Click Cancel, and then click Save as draft. To activate a draft SSO configuration, see Edit an SSO configuration.

  14. Optional: To use your IdP for entitlement management in addition to SSO, you must also enable SCIM for Astra.

Sign in with SSO

You can sign in to the Astra Portal through your IdP if an Organization Administrator has enabled SSO.

Sign in to your IdP platform, select the Astra application on your IdP dashboard, and then follow the prompts to sign in.

The first time you access the Astra application, you must review the DataStax terms and conditions.

Upon sign-in, Astra does the following:

  1. Attempts to find an existing Astra account by matching the email address associated with the user’s IdP profile.

    Existing accounts are granted access to the organization associated with the SSO configuration, in addition to any other organizations the account already belongs to.

    If the user was invited to the organization, then they are granted the role defined in their invitation. If the user was already a member of the organization, then they retain their existing role assignment.

  2. Creates a new account through Just-in-Time (JIT) provisioning if no matching account exists.

    JIT accounts are assigned a read-only role in the associated organization.

The IdP and SSO integration cannot edit Astra role assignments, with the exception of read-only roles for JIT provisioning. An Organization Administrator (or a similarly privileged user) must edit role assignments in Astra regardless of the user’s sign-in method.

The default user session timeout is approximately two hours. The timeout can vary if your IdP has a different default timeout setting, or the IdP administrator specifies a different timeout in the Astra application’s configuration.
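Because changing an active integration locks everyone out (see Renew an SSO certificate), it pays to verify what the IdP actually sends before clicking Activate SSO. The following is an added example, not Astra or IdP code: it checks a captured SAML assertion for the Name ID format and the three attribute names described in the mapping tables above (flagging a claim that was sent with a namespace), and models the account and role resolution described in this section. The assertion, the namespace URI on the lastName claim, and the role strings are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED = ("email", "firstName", "lastName")  # attribute names Astra expects
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample assertion (not a real IdP response). The lastName claim is
# deliberately sent with a namespace so the check below has something to flag.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastName">
      <saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return the list of mapping problems; an empty list means the assertion carries what Astra expects."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("./saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("NameID missing")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID format is not emailAddress")
        if not EMAIL_RE.match(name_id.text or ""):
            problems.append("NameID value is not an email address")
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("./saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED:
        if name in attrs and attrs[name] and attrs[name][0]:
            continue
        # A namespaced variant (".../claims/lastName") means the Namespace field was not left empty.
        namespaced = [n for n in attrs if n and n != name and n.rsplit("/", 1)[-1] == name]
        if namespaced:
            problems.append(f"{name} sent with a namespace: {namespaced[0]}")
        else:
            problems.append(f"{name} missing or empty")
    if "email" in attrs and attrs["email"] and not EMAIL_RE.match(attrs["email"][0]):
        problems.append("email attribute is not an email address")
    return problems


def resolve_sign_in(email, accounts, members, invitations):
    """Model of the sign-in resolution described above; returns (account_created, role_in_org)."""
    if email not in accounts:
        accounts.add(email)              # JIT provisioning: new account, read-only in this org
        return True, "read-only"
    if email in members:                 # existing member keeps the role already assigned
        return False, members[email]
    if email in invitations:             # invited user receives the role on the invitation
        return False, invitations[email]
    return False, "read-only"            # existing account with no role in this org


if __name__ == "__main__":
    print(check_assertion(SAMPLE) or "assertion OK")
```

Run it against an assertion captured from your own test sign-in (Test Configuration) rather than the constructed sample; a non-empty list means the IdP attribute mapping needs fixing before activation.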

Access other organizations and enterprises after signing in with SSO

Astra SSO is configured at the organization level, but it doesn’t restrict a user from accessing other organizations after they sign in to the Astra Portal.

Interacting with the Astra app on the IdP dashboard does the following:

  • Authenticates the user to the Astra Portal through an Astra account that is based on the email address on the user’s IdP profile.

  • If an account with the same email address exists, the user is authenticated to the existing account. If no such account exists, a new account is created through JIT provisioning, and the user is authenticated to the new account.

  • Checks if the user’s Astra account (email address) has a role assignment in the SSO-enabled organization. If there is no role assignment, then the user is granted a read-only role by default.

Astra accounts aren’t organization specific. Therefore, a user can be invited to any other organization or enterprise through the same email address. After signing in to the Astra Portal through the IdP dashboard, the user can access all organizations and enterprises that their Astra account (email address) has been invited to, regardless of the SSO configuration for those organizations.

Edit an SSO configuration

You can edit an active SSO configuration or activate a draft configuration:

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, make sure the enterprise/organization filter is set to the organization that you want to manage.

    If the organization belongs to an enterprise, you must filter on the enterprise, and then click the organization name in the Organizations list.

  3. In the Settings navigation menu, click Security.

  4. Find the SSO configuration you need to edit, click More, and then select Edit.

  5. Make the necessary changes, and then save or activate the configuration.

Renew an SSO certificate

All users, including administrators, are locked out of the Astra Portal if you change the settings for an active Astra app integration in your IdP, including renewing the certificate.

If you need to renew the SSO certificate, you must create a new SSO configuration with a new certificate, and then remove the existing SSO configuration:

  1. Create a new SSO configuration, including a new app integration in your IdP, as explained in Add an identity provider.

    Make sure the new configuration’s name is memorable and distinguishable from the existing SSO configuration.

  2. Delete or disable the existing SSO configuration.

    Disabling the existing SSO configuration allows you to roll back to it if you encounter issues with the new configuration.

    You can delete or disable the existing configuration before or after activating the new configuration. If you do this before activating the new configuration, users lose SSO access until you activate the new configuration.

Delete or disable an SSO configuration

If you want to temporarily deactivate an SSO configuration, you can disable it.

Alternatively, if you no longer want to allow IdP authentication for your Astra organization, you can delete the SSO configuration.

Deleting an SSO configuration is permanent and irreversible.

Deleting an SSO configuration doesn’t remove users from your Astra organization or delete their Astra accounts. Users can still access your organization through other sign-in options (GitHub, Google, IBMid, or username and password), if they have access to the email address associated with their account.

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, make sure the enterprise/organization filter is set to the organization that you want to manage.

    If the organization belongs to an enterprise, you must filter on the enterprise, and then click the organization name in the Organizations list.

  3. In the Settings navigation menu, click Security.

  4. Find the SSO configuration you want to delete or disable, click More, and then select Delete or Disable.

  5. If you selected Delete, enter delete, and then click Delete SSO Authentication.

© Copyright IBM Corporation 2026