Configure single sign-on
Single sign-on (SSO) enables a seamless sign-on experience for users and a centralized access control method for security operations teams.
Astra DB supports any SAML-compatible identity provider (IdP):
- Microsoft Entra ID (formerly Microsoft Azure AD)
- Okta
- OneLogin
- Google Identity Platform
- Ping Identity
- Any other SAML-compatible IdP
Astra DB supports Just-in-Time (JIT) provisioning, which creates a user account for a user who doesn’t already have an Astra DB account, but was granted access to an Astra DB organization through an IdP. The first time the user signs in to their account through SSO, their account is automatically created with a set of default permissions and added to the Astra DB organization that is associated with the SSO configuration. The Organization Administrator can adjust each user’s permissions as needed after their account is created.
Removing a user from your IdP does not remove the user from your Astra DB organization, and it does not delete the user’s Astra DB account. You must also remove the user from your organization.
To configure SSO in Astra DB, you must do the following:
- Connect your identity provider (IdP) to your Astra DB organization so they can exchange information.
- Test the connection.
- Activate SSO.
After you configure and activate SSO, users in the linked Astra DB organization must use your designated IdP to sign in to Astra DB.
Prerequisites
- In Astra DB, you need the Organization Administrator role or a custom role with Read External Auth and Write External Auth permissions.
- In your IdP, you need administrator access and an Astra DB app integration.
Add an identity provider
- In the Astra Portal header, select the organization where you want to configure SSO.
  You can’t configure SSO for your default (personal) organization.
- Click Settings, and then click Security.
- Click Add Identity Provider.
- Enter a name for the SSO configuration.
- Select the identity provider (IdP) you want to use. If your IdP isn’t listed, select Other.
- In a new browser tab or window, sign in to your IdP administrator account, and then configure the Astra DB SSO integration in your IdP. Follow the steps for your IdP:

  Azure AD
  - In Astra DB, copy the Reply URL, Identifier (Entity ID), and Relay State, and then enter these values in the corresponding fields in your Azure AD application. For more information, see the Azure AD documentation.
    Astra DB automatically generates SAML URLs.
  - In your Azure AD application, map the following attributes to ensure Astra DB can identify existing user accounts and perform JIT provisioning for new accounts:
    - email: Must be in email format and map to an attribute that matches the user’s Astra DB account ID (email address) or the account ID for JIT provisioning
    - firstName: The user’s first name or given name
    - lastName: The user’s last name or surname
  - In your Azure AD application, in the Attributes & Claims section, click the required claim, and then click the value for the Unique User Identifier (Name ID).
  - In your Azure AD application, in the Manage claim section, ensure the Source attribute is in email format and maps to an attribute that matches the user’s Astra DB account ID or the account ID for JIT provisioning. Ensure the Namespace field is empty.
  - In your Azure AD application, copy the Login URL, Azure AD Identifier, and SAML Signing Certificate, and then enter these values in the corresponding fields in Astra DB.

  Okta
  - In Astra DB, copy the Single sign on URL, Audience URI, and Default Relay State, and then enter these values in the corresponding fields in your Okta app. For more information, see the Okta documentation.
    Astra DB automatically generates SAML URLs.
  - In your Okta application, map the following attributes to ensure Astra DB can identify existing user accounts and perform JIT provisioning for new accounts:
    - email: Must be in email format and map to an attribute that matches the user’s Astra DB account ID (email address) or the account ID for JIT provisioning
    - subject: Must be in email format with the same address as the email attribute
    - firstName: The user’s first name or given name
    - lastName: The user’s last name or surname
  - In your Okta application, copy the Identity Provider Single Sign-On URL, Identity Provider Issuer, and x.509 Certificate, and then paste these values in the corresponding fields in Astra DB.

  OneLogin
  - In Astra DB, copy the ACS (Consumer) URL, Audience, and Relay State, and then enter these values in the corresponding fields in your OneLogin app. For more information, see the OneLogin documentation.
    Astra DB automatically generates SAML URLs.
  - In your OneLogin application, map the following attributes to ensure Astra DB can identify existing user accounts and perform JIT provisioning for new accounts:
    - email: Must be in email format and map to an attribute that matches the user’s Astra DB account ID (email address) or the account ID for JIT provisioning
    - firstName: The user’s first name or given name
    - lastName: The user’s last name or surname
  - In your OneLogin application, copy the SAML 2.0 Endpoint, Issuer URL, and x.509 Certificate, and then enter these values in the corresponding fields in Astra DB.

  Other
  - In Astra DB, copy the Single sign on URL, Audience URI, and Default Relay State, and then enter these values in the corresponding fields in your IdP application. For more information, see your IdP’s documentation.
    Astra DB automatically generates SAML URLs.
  - In your IdP application, map the following attributes to ensure Astra DB can identify existing user accounts and perform JIT provisioning for new accounts:
    - email: Must be in email format and map to an attribute that matches the user’s Astra DB account ID (email address) or the account ID for JIT provisioning
    - firstName: The user’s first name or given name
    - lastName: The user’s last name or surname
  - In your IdP application, copy the Identity Provider Single Sign-On URL, Identity Provider Issuer, and x.509 Certificate, and then enter these values in the corresponding fields in Astra DB.

- Optional: Download the Astra DB logo for your IdP dashboard. In Advanced settings, click Download Astra Logo, and then add the logo to your IdP. This helps users to easily locate Astra DB in your IdP.
  You can download the icon only during initial configuration.
- Click Activate SSO.
  If you do not activate the configuration now, it is saved as a draft. You can activate it later by editing the configuration.
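Before activating, it is worth confirming that a test assertion from your IdP actually carries the mappings described above. The following Python script is an added example, not part of the Astra DB documentation or product: it parses a SAML assertion (the sample is constructed, with hypothetical issuer and audience URLs) and reports whether the issuer, the Audience URI, the email-format NameID (the subject), and the email, firstName and lastName attributes are what Astra DB expects. It does not verify the XML signature; that is done by Astra DB with the x.509 certificate you paste in.

```python
import re
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
REQUIRED_ATTRS = ("email", "firstName", "lastName")  # attributes Astra DB needs for JIT provisioning

# Constructed sample assertion with hypothetical issuer/audience URLs; lastName is
# deliberately left out so the check below reports the gap.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_c1">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>https://astra.example.com/audience</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>Jane.Doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_issuer, expected_audience):
    """Return a list of mapping problems; an empty list means the IdP sends what is required."""
    root = ET.fromstring(xml_text)
    problems = []
    # Issuer must equal the IdP issuer / identifier value you pasted into Astra DB.
    issuer = root.findtext("saml:Issuer", default="", namespaces=SAML).strip()
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: got {issuer!r}")
    # Audience must include the Audience URI / Entity ID that Astra DB generated.
    audiences = [a.text.strip() for a in root.iterfind(".//saml:AudienceRestriction/saml:Audience", SAML) if a.text]
    if expected_audience not in audiences:
        problems.append(f"audience {expected_audience!r} not in {audiences}")
    # The subject (NameID) must be an email address, because accounts are keyed on it.
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=SAML).strip()
    if not EMAIL_RE.match(name_id):
        problems.append(f"NameID is not an email address: {name_id!r}")
    # Take the first value of each attribute and verify the required mappings are present.
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML) if v.text]
        attrs[attr.get("Name")] = values[0] if values else ""
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"missing or empty attribute {name!r}")
    email = attrs.get("email", "")
    if email and name_id and email.lower() != name_id.lower():  # same address, case-insensitive
        problems.append("NameID and email attribute differ")
    return problems
```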
Sign in with SSO
- Sign in to your SAML IdP, and then select the Astra application.
- If this is your first time accessing the Astra application with this account, you must review the DataStax terms and conditions.
Astra DB determines if an account already exists for the email address associated with your sign-in credentials. If an account exists, you are signed in to your existing account. If an account does not exist, then Astra DB creates a new account automatically.
Edit an SSO configuration
You can edit an active SSO configuration or activate a draft configuration:
- In the Astra Portal navigation menu, click Settings, and then click Security.
- Locate the SSO configuration you need to edit, click More, and then select Edit.
- Make the necessary changes, and then save or activate the configuration.
Delete an SSO configuration
If you no longer want members of your organization to authenticate through your IdP to access Astra DB Serverless, you can delete the configuration.
Deleting an SSO configuration is permanent and irreversible. Deleting an SSO configuration does not remove users from your Astra DB organization or delete their Astra DB accounts. Users can still access your organization through other sign-in options (GitHub, Google, or username and password), if they have access to the email address associated with their account.
- In the Astra Portal navigation menu, click Settings, and then click Security.
- Locate the SSO configuration you want to delete, click More, and then select Delete.
- To confirm the deletion, enter delete, and then click Delete SSO Authentication.