• Glossary
  • Support
  • Downloads
  • DataStax Home
Get Live Help
Expand All
Collapse All

DataStax Astra DB Serverless Documentation

    • Overview
      • Release notes
      • Astra DB FAQs
      • Astra DB Architecture FAQ
      • CQL for Astra
      • Astra DB glossary
      • Get support
    • Getting Started
      • Vector Search Quickstart
      • Create your database
      • Grant a user access
      • Load and retrieve data
        • Use DSBulk to load data
        • Use Data Loader in Astra Portal
      • Connect a driver
      • Build sample apps
    • Vector Search
      • Quickstart
      • Examples
      • Query vector data with CQL
        • Using analyzers
      • Working with embeddings
      • Indexing
      • About Vector Search
    • Planning
      • Plan options
      • Database regions
    • Securing
      • Security highlights
      • Security guidelines
      • Default user permissions
      • Change your password
      • Reset your password
      • Authentication and Authorization
      • Astra DB Plugin for HashiCorp Vault
    • Connecting
      • Connecting private endpoints
        • AWS Private Link
        • Azure Private Link
        • GCP Private Endpoints
        • Connecting custom DNS
      • Connecting Change Data Capture (CDC)
      • Connecting CQL console
      • Connect the Spark Cassandra Connector to Astra
      • Drivers for Astra DB
        • Connecting C++ driver
        • Connecting C# driver
        • Connecting Java driver
        • Connecting Node.js driver
        • Connecting Python driver
        • Connecting Legacy drivers
        • Drivers retry policies
      • Get Secure Connect Bundle
    • Migrating
      • Components
      • FAQs
      • Preliminary steps
        • Feasibility checks
        • Deployment and infrastructure considerations
        • Create target environment for migration
        • Understand rollback options
      • Phase 1: Deploy ZDM Proxy and connect client applications
        • Set up the ZDM Proxy Automation with ZDM Utility
        • Deploy the ZDM Proxy and monitoring
        • Configure Transport Layer Security
        • Connect client applications to ZDM Proxy
        • Leverage metrics provided by ZDM Proxy
        • Manage your ZDM Proxy instances
      • Phase 2: Migrate and validate data
        • Cassandra Data Migrator
        • DSBulk Migrator
      • Phase 3: Enable asynchronous dual reads
      • Phase 4: Change read routing to Target
      • Phase 5: Connect client applications directly to Target
      • Troubleshooting
        • Troubleshooting tips
        • Troubleshooting scenarios
      • Glossary
      • Contribution guidelines
      • Release Notes
    • Managing
      • Managing your organization
        • User permissions
        • Pricing and billing
        • Audit Logs
        • Delete an account
        • Bring Your Own Key
          • BYOK AWS Astra Portal
          • BYOK GCP Astra Portal
          • BYOK AWS DevOps API
          • BYOK GCP DevOps API
        • Configuring SSO
          • Configure SSO for Microsoft Azure AD
          • Configure SSO for Okta
          • Configure SSO for OneLogin
      • Managing your database
        • Create your database
        • View your databases
        • Database statuses
        • Use DSBulk to load data
        • Use Data Loader in Astra Portal
        • Monitor your databases
        • Export metrics to third party
          • Export metrics via Astra Portal
          • Export metrics via DevOps API
        • Manage access lists
        • Manage multiple keyspaces
        • Using multiple regions
        • Terminate your database
      • Managing with DevOps API
        • Managing database lifecycle
        • Managing roles
        • Managing users
        • Managing tokens
        • Managing BYOK AWS
        • Managing BYOK GCP
        • Managing access list
        • Managing multiple regions
        • Get private endpoints
        • AWS PrivateLink
        • Azure PrivateLink
        • GCP Private Service
    • API QuickStarts
      • JSON API QuickStart
      • Document API QuickStart
      • REST API QuickStart
      • GraphQL CQL-first API QuickStart
    • Developing with APIs
      • Developing with JSON API
      • Developing with Document API
      • Developing with REST API
      • Developing with GraphQL API
        • Developing with GraphQL API (CQL-first)
        • Developing with GraphQL API (Schema-first)
      • Developing with gRPC API
        • gRPC Rust Client
        • gRPC Go Client
        • gRPC Node.js Client
        • gRPC Java Client
      • Developing with CQL API
      • Tooling Resources
      • Node.js Document Collection Client
      • Node.js REST Client
    • API References
      • Astra DB JSON API v1
      • Astra DB REST API v2
      • Astra DB Document API v2
      • Astra DB DevOps API v2
    • Integrations
    • Astra CLI
    • Astra Block
      • Quickstart
      • FAQ
      • Data model
      • About NFTs
  • DataStax Astra DB Serverless Documentation
  • Managing
  • Managing your organization
  • Configuring SSO

Configuring single sign-on

As the Organization Administrator, setting up single sign-on (SSO) is crucial to managing access to various applications. SSO allows for a seamless sign-on experience, and gives centralized and streamlined access control to security operations teams.

Key functions

DataStax Astra DB integrates with your Security Assertion Markup Language (SAML)-capable identity providers (IdP) to manage the access to your organization and verify user permission.

Ensure you have been granted permission to Astra DB from your IdP before testing the configuration or the test will fail.

The following workflow explains the SSO process:

sso workflow line

Just-in-Time provisioning

JIT provisioning is a method of dynamically creating a user account for a user who does not already have an Astra account, but has been granted access to an Astra organization through an IdP. The first time the user logs on with SSO their account is automatically created and added to the Astra Organization associated with the SSO configuration, mitigating the need to use the manual Astra invitation feature. When first created, JIT provisioned accounts are given a default set of permissions. The organization administrator can adjust these permissions for each user as needed.

JIT provisioning is automatically enabled with any organization with an active SSO configuration.

The user must accept DataStax Terms and Conditions. The user is then redirected to their Astra DB dashboard.

Configuring SSO

To configure single sign-on with your organization, select your identity provider (IdP) to get started:

  • Microsoft Azure AD

  • Okta

  • OneLogin

After you configure and activate the IdP, you can only log in and access Astra DB through the IdP. If you log in through your IdP, you are authenticated by your IdP and redirected to your Astra DB dashboard with your organization.

SSO Login

Complete the login through the configured IdP when SSO has been enabled. You cannot log in through your Astra Portal using non-SSO Astra credentials.

Starting from your IdP

  1. Log in to your IdP and access the dashboard.

  2. Select the Astra application; you are redirected to Astra.

  3. Astra determines if an account already exists with the email address entered for your login.

    1. If so, you are logged into that existing account.

    2. If an existing account is not found, a new account is created automatically.

  4. If this is your first time accessing the Astra application with this account, a dialog box appears prompting you to accept the DataStax Terms and Conditions. Review the information and click Accept.

DS TC

Your organization dashboard appears on the next page.

Different vendors use different terminology with various fields with SSO. Use the following table with your reference.
DataStax/ Azure AD Okta OneLogin

SAML Assertion Consumer Service (ACS) URL

Reply URL

Single sign on URL

ACS (Consumer URL)

Audience URI

Identifier (Entity ID)

Audience URI (SP Entity ID)

Audience

Relay State

Relay State

Default Relay State

Relay State

Sign on URL

Login URL

Identity Provider Single Sign-On URL

SAML 2.0 Endpoint

Identity Provider Issuer

Azure AD Identifier

Identity Provider Issuer

Issuer URL

x.509 Certificate

SAML Signing Certificate

x.509 Certificate

x.509 Certificate
BYOK GCP DevOps API Configure SSO for Microsoft Azure AD

General Inquiries: +1 (650) 389-6000 info@datastax.com

© DataStax | Privacy policy | Terms of use

DataStax, Titan, and TitanDB are registered trademarks of DataStax, Inc. and its subsidiaries in the United States and/or other countries.

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries.

Kubernetes is the registered trademark of the Linux Foundation.

landing_page landingpage