Configure single sign-on
Single sign-on (SSO) enables a seamless sign-on experience for users and a centralized access control method for security operations teams. SSO is configured at the organization level in Astra.
Astra DB supports any SAML-compatible identity provider (IdP):
- Microsoft Entra ID (formerly Microsoft Azure AD)
- Okta
- OneLogin
- Google Identity Platform
- Ping Identity
- Any other SAML-compatible IdP
Astra DB also supports Just-in-Time (JIT) provisioning, which creates a user account for a user who doesn’t already have an Astra DB account, but was granted access to an Astra organization through an IdP. The first time the user signs in to their account through SSO, their account is automatically created with a set of default permissions and added to the Astra DB organization that is associated with the SSO configuration. The Organization Administrator can adjust each user’s permissions as needed after their account is created.
Prerequisites
To configure SSO, you must have the following:
- An Organization Administrator role, or a custom role with Read External Auth and Write External Auth permissions.
- An administrator-level account in your IdP.
- An Astra DB app integration in your IdP.
Add an identity provider
To configure SSO, you connect your identity provider (IdP) to an Astra organization so they can exchange information, then you test the connection, and then activate SSO. You can optionally add the Astra logo to your IdP to allow users to easily locate Astra. After you configure and activate SSO, users in the organization must use the IdP to sign in to Astra.
- In the Astra Portal navigation menu, switch to the organization where you want to configure SSO. You can’t configure SSO for your default, personal organization.
- Click Settings, and then click Security.
- Click Add Identity Provider.
- Enter a name for the SSO configuration.
- Select the identity provider you want to use. If you don’t see your identity provider, select Other. SAML URLs are generated automatically.
The remaining steps depend on the identity provider you selected:
- Azure AD
- Okta
- OneLogin
- Other
Azure AD
- Copy and paste the Reply URL, Identifier (Entity ID), and Relay State from Astra to the corresponding fields in your Azure AD application. For more information on configuring SSO, see the Azure AD documentation.
- In your Azure AD application, map the following attributes to ensure Astra can identify your account and perform JIT provisioning for new accounts:
  - email: Must be in email format and map to an attribute that matches the user’s Astra account ID or the account ID for JIT provisioning.
  - firstName: The user’s first name/given name.
  - lastName: The user’s last name/surname.
- In your Azure AD application, in the Attributes & Claims section, click the required claim, and then click the value for the Unique User Identifier (Name ID).
- In your Azure AD application, in the Manage claim section, ensure the Source attribute is in email format and maps to an attribute that matches the user’s Astra account ID or the account ID for JIT provisioning. Ensure the Namespace field is empty.
- In your Azure AD application, copy your Login URL, Azure AD Identifier, and SAML Signing Certificate and paste them into the corresponding fields in Astra.
- Optional: Under Advanced settings, click Download Astra Logo to download the Astra DB logo. Then, add the logo to your IdP. You can download the icon only during the initial configuration.
- Click Activate SSO. If you do not activate the configuration now, it is saved as a draft. You can activate it later by editing the configuration.
Okta
- Copy and paste the Single sign on URL, Audience URI, and Default Relay State from the Astra Portal to your Okta app. For more information on configuring SSO, see the Okta documentation.
- In your Okta application, map the following attributes to ensure Astra can identify your account and perform JIT provisioning for new accounts:
  - email: Must be in email format and map to an attribute that matches the user’s Astra account ID or the account ID for JIT provisioning.
  - subject: Must be in email format with the same address as the email attribute.
  - firstName: The user’s first name/given name.
  - lastName: The user’s last name/surname.
- In your Okta application, copy your Identity Provider Single Sign-On URL, Identity Provider Issuer, and x.509 Certificate and paste them into the fields in the Astra Portal.
- Optional: Under Advanced settings, click Download Astra Logo to download the Astra DB logo. Then, add the logo to your IdP. You can download the icon only during the initial configuration.
- Click Activate SSO. If you do not activate the configuration now, it is saved as a draft. You can activate it later by editing the configuration.
OneLogin
- Copy and paste the ACS (Consumer) URL, Audience, and Relay State from the Astra Portal to your OneLogin app. For more information on configuring SSO, see the OneLogin documentation.
- In your OneLogin application, map the following attributes to ensure Astra can identify your account and perform JIT provisioning for new accounts:
  - email: Must be in email format and map to an attribute that matches the user’s Astra account ID or the account ID for JIT provisioning.
  - firstName: The user’s first name/given name.
  - lastName: The user’s last name/surname.
- In your OneLogin application, copy your SAML 2.0 Endpoint, Issuer URL, and x.509 Certificate and paste them into the fields in the Astra Portal.
- Optional: Under Advanced settings, click Download Astra Logo to download the Astra DB logo. Then, add the logo to your IdP. You can download the icon only during the initial configuration.
- Click Activate SSO. If you do not activate the configuration now, it is saved as a draft. You can activate it later by editing the configuration.
Other
- Copy and paste the Single sign on URL, Audience URI, and Default Relay State from the Astra Portal to your IdP app. For more information on configuring SSO, see the documentation for your IdP.
- In your IdP application, map the following attributes to ensure Astra can identify your account and perform JIT provisioning for new accounts:
  - email: Must be in email format and map to an attribute that matches the user’s Astra account ID or the account ID for JIT provisioning.
  - firstName: The user’s first name/given name.
  - lastName: The user’s last name/surname.
- In your IdP application, copy your Identity Provider Single Sign-On URL, Identity Provider Issuer, and x.509 Certificate and paste them into the fields in the Astra Portal.
- Optional: Under Advanced settings, click Download Astra Logo to download the Astra DB logo. Then, add the logo to your IdP. You can download the icon only during the initial configuration.
- Click Activate SSO. If you do not activate the configuration now, it is saved as a draft. You can activate it later by editing the configuration.
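As an added example that is not part of the DataStax documentation or of Astra's own validation, the following Python script checks a SAML assertion captured from your IdP's test or preview feature against the attribute requirements in the steps above for all four providers: the NameID and the email attribute are in email format and agree, the email, firstName and lastName attributes are present, and the claim names carry no namespace. The check function and both sample assertions are constructed for illustration and are assumptions, not artifacts from a real IdP.

```python
import re
import xml.etree.ElementTree as ET

REQUIRED_ATTRS = ("email", "firstName", "lastName")  # bare names Astra expects in the assertion
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # loose "is this an email address" check


def check_assertion(assertion_xml: str) -> list[str]:
    """Return the mapping problems found in one <saml:Assertion>; an empty list means it passes."""
    assertion = ET.fromstring(assertion_xml)
    problems = []
    name_id = (assertion.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS) or "").strip()
    if not EMAIL_RE.match(name_id):
        problems.append(f"NameID {name_id!r} is not in email format")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        if "/" in name or ":" in name:
            # A URI-style claim name means the IdP's namespace field was not left empty.
            problems.append(f"attribute {name!r} carries a namespace; Astra expects a bare name")
        attrs[name] = attr.findtext("saml:AttributeValue", default="", namespaces=SAML_NS).strip()
    for required in REQUIRED_ATTRS:
        if not attrs.get(required):
            problems.append(f"required attribute {required!r} is missing or empty")
    email = attrs.get("email", "")
    if email and name_id and email.lower() != name_id.lower():
        problems.append("NameID and email attribute differ; both must carry the account address")
    return problems


# Constructed sample assertion (not a real IdP response); the XML signature is omitted.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>"""

# Constructed failing case: NameID is a bare username, the email claim kept its namespace, lastName is absent.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>"""
```

Calling check_assertion(BAD_ASSERTION) returns four findings (non-email NameID, namespaced claim, missing email, missing lastName), while GOOD_ASSERTION returns an empty list, which is what you want to see before clicking Activate SSO.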
Sign in with SSO
When you sign in with SSO, Astra determines if an account already exists for the email address that is connected to your sign-in credentials. If an account exists, you are signed in to that existing account. If an account does not exist, then a new account is created automatically.
- Sign in to your IdP and access the dashboard.
- Select the Astra application.
- If this is your first time accessing the Astra application with this account, click Accept to accept the DataStax terms and conditions.
Edit an SSO configuration
Follow these steps to edit your configuration or to activate it if you did not complete the activation during the initial configuration.
- In the Astra Portal, switch to the organization you need to manage.
- Click Settings, and then click Security.
- Locate the SSO configuration you need to edit, click More, and then select Edit.
Delete an SSO configuration
If you no longer want members of your organization to authenticate through your IdP to access Astra DB Serverless, you can delete the configuration.
Deleting an SSO configuration is permanent and irreversible.
- In the Astra Portal, switch to the organization you need to manage.
- Click Settings, and then click Security.
- Locate the SSO configuration you need to delete, click More, and then select Delete.
- To confirm the deletion, enter delete, and then click Delete SSO Authentication.