• Glossary
  • Support
  • Downloads
  • DataStax Home
Get Live Help
Expand All
Collapse All

DataStax Astra DB Serverless Documentation

    • Overview
      • Release notes
      • Astra DB FAQs
      • Astra DB glossary
      • Get support
    • Getting Started
      • Grant a user access
      • Load and retrieve data
        • Use DSBulk to load data
        • Use Data Loader in Astra Portal
      • Connect a driver
      • Build sample apps
      • Use integrations
        • Connect with DataGrip
        • Connect with DBSchema
        • Connect with JanusGraph
        • Connect with Strapi
    • Planning
      • Plan options
      • Database regions
    • Securing
      • Security highlights
      • Security guidelines
      • Default user permissions
      • Change your password
      • Reset your password
      • Authentication and Authorization
      • Astra DB Plugin for HashiCorp Vault
    • Connecting
      • Connecting private endpoints
        • AWS Private Link
        • Azure Private Link
        • GCP Private Endpoints
        • Connecting custom DNS
      • Connecting Change Data Capture (CDC)
      • Connecting CQL console
      • Connect the Spark Cassandra Connector to Astra
      • Drivers for Astra DB
        • Connecting C++ driver
        • Connecting C# driver
        • Connecting Java driver
        • Connecting Node.js driver
        • Connecting Python driver
        • Drivers retry policies
      • Connecting Legacy drivers
      • Get Secure Connect Bundle
    • Migrating
      • FAQs
      • Preliminary steps
        • Feasibility checks
        • Deployment and infrastructure considerations
        • Create target environment for migration
        • Understand rollback options
      • Phase 1: Deploy ZDM Proxy and connect client applications
        • Set up the ZDM Automation with ZDM Utility
        • Deploy the ZDM Proxy and monitoring
          • Configure Transport Layer Security
        • Connect client applications to ZDM Proxy
        • Manage your ZDM Proxy instances
      • Phase 2: Migrate and validate data
      • Phase 3: Enable asynchronous dual reads
      • Phase 4: Change read routing to Target
      • Phase 5: Connect client applications directly to Target
      • Troubleshooting
        • Troubleshooting tips
        • Troubleshooting scenarios
      • Additional resources
        • Glossary
        • Contribution guidelines
        • Release Notes
    • Managing
      • Managing your organization
        • User permissions
        • Pricing and billing
        • Audit Logs
        • Bring Your Own Key
          • BYOK AWS Astra DB console
          • BYOK GCP Astra DB console
          • BYOK AWS DevOps API
          • BYOK GCP DevOps API
        • Configuring SSO
          • Configure SSO for Microsoft Azure AD
          • Configure SSO for Okta
          • Configure SSO for OneLogin
      • Managing your database
        • Create your database
        • View your databases
        • Database statuses
        • Use DSBulk to load data
        • Use Data Loader in Astra Portal
        • Monitor your databases
        • Export metrics to third party
          • Export metrics via Astra Portal
          • Export metrics via DevOps API
        • Manage access lists
        • Manage multiple keyspaces
        • Using multiple regions
        • Terminate your database
      • Managing with DevOps API
        • Managing database lifecycle
        • Managing roles
        • Managing users
        • Managing tokens
        • Managing BYOK AWS
        • Managing BYOK GCP
        • Managing access list
        • Managing multiple regions
        • Get private endpoints
        • AWS PrivateLink
        • Azure PrivateLink
        • GCP Private Service
    • Astra CLI
    • DataStax Astra Block
      • FAQs
      • About NFTs
      • DataStax Astra Block for Ethereum quickstart
    • Developing with Stargate APIs
      • Develop with REST
      • Develop with Document
      • Develop with GraphQL
        • Develop with GraphQL (CQL-first)
        • Develop with GraphQL (Schema-first)
      • Develop with gRPC
        • gRPC Rust client
        • gRPC Go client
        • gRPC Node.js client
        • gRPC Java client
      • Develop with CQL
      • Tooling Resources
      • Node.js Document API client
      • Node.js REST API client
    • Stargate QuickStarts
      • Document API QuickStart
      • REST API QuickStart
      • GraphQL API CQL-first QuickStart
    • API References
      • DevOps REST API v2
      • Stargate Document API v2
      • Stargate REST API v2
  • DataStax Astra DB Serverless Documentation
  • Managing
  • Managing your organization
  • Configuring SSO

Configuring single sign-on

As the Organization Administrator, setting up single sign-on (SSO) is crucial to managing access to various applications. SSO allows for a seamless sign-on experience, and gives centralized and streamlined access control to security operations teams.

Key functions

DataStax Astra DB integrates with your Security Assertion Markup Language (SAML)-capable identity providers (IdP) to manage the access to your organization and verify user permission.

Ensure you have been granted permission to Astra DB from your IdP before testing the configuration or the test will fail.

The following workflow explains the SSO process:

sso workflow line

Just-in-Time provisioning

JIT provisioning is a method of dynamically creating a user account for a user who does not already have an Astra account, but has been granted access to an Astra organization through an IdP. The first time the user logs on with SSO their account is automatically created and added to the Astra Organization associated with the SSO configuration, mitigating the need to use the manual Astra invitation feature. When first created, JIT provisioned accounts are given a default set of permissions. The organization administrator can adjust these permissions for each user as needed.

JIT provisioning is automatically enabled with any organization with an active SSO configuration.

The user must accept DataStax Terms and Conditions. The user is then redirected to their Astra DB dashboard.

Configuring SSO

To configure single sign-on with your organization, select your identity provider (IdP) to get started:

  • Microsoft Azure AD

  • Okta

  • OneLogin

After you configure and activate the IdP, you can log in and access Astra DB through the IdP or Astra DB log-in screen. If you log in through your IdP, you are authenticated by your IdP and redirected to your Astra DB dashboard with your organization.

SSO Login

There are several ways to access your organization with SSO when the configuration is complete:

  • Starting from Astra

    1. Sign in to your Astra account using your non-SSO Astra credentials. Your email address and IdP login must match.

    2. Switch to your SSO-enabled organization. To log in, Astra redirects you to your IdP.

    3. If prompted, enter your SSO credentials. When your IdP approves your credentials, you are automatically directed to your organization’s dashboard.

  • Starting from your IdP

    1. Log in to your IdP and access the dashboard.

    2. Select the Astra application; you are redirected to Astra.

    3. Astra determines if an account already exists with the email address entered for your login.

      1. If so, you are logged into that existing account.

      2. If an existing account is not found, a new account is created automatically.

    4. If this is your first time accessing the Astra application with this account, a dialog box appears prompting you to accept the DataStax Terms and Conditions. Review the information and click Accept.

DS TC

Your organization dashboard appears on the next page.

Different vendors use different terminology with various fields with SSO. Use the following table with your reference.

DataStax/ Azure AD Okta OneLogin

SAML Assertion Consumer Service (ACS) URL

Reply URL

Single sign on URL

ACS (Consumer URL)

Audience URI

Identifier (Entity ID)

Audience URI (SP Entity ID)

Audience

Relay State

Relay State

Default Relay State

Relay State

Sign on URL

Login URL

Identity Provider Single Sign-On URL

SAML 2.0 Endpoint

Identity Provider Issuer

Azure AD Identifier

Identity Provider Issuer

Issuer URL

x.509 Certificate

SAML Signing Certificate

x.509 Certificate

x.509 Certificate

BYOK GCP DevOps API Configure SSO for Microsoft Azure AD

General Inquiries: +1 (650) 389-6000 info@datastax.com

© DataStax | Privacy policy | Terms of use

DataStax, Titan, and TitanDB are registered trademarks of DataStax, Inc. and its subsidiaries in the United States and/or other countries.

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries.

Kubernetes is the registered trademark of the Linux Foundation.

landing_page landingpage