Configuring single sign-on for Microsoft Azure AD

As the Organization Administrator, setting up single sign-on (SSO) is crucial to managing access to various applications. SSO allows for a seamless sign-on experience, and gives centralized and streamlined access control to security operations teams.


To manage SSO settings, you must have the Read External Auth and the Write External Auth permissions. These permissions are included in the Organization Administrator role.

Ensure you map the following attributes in your IdP. They are required for Astra to identify your account and JIT provision new accounts.

  • email - Must be in email format and map to an attribute which matches the users Astra account ID (or desired account ID for JIT provisioning)

  • firstName - The user’s first name/given name

  • lastName - The user’s last name/surname

azure attributes

Click the claim, Unique User Identifier, and click its Value.

unique ID

Ensure the Source Attribute is in email format and maps to an attribute which matches the user’s Astra account ID (or desired account ID for JIT provisioning.) The Namespace field must also remain empty.

namespace sourceatt

Set up a Microsoft Azure AD Enterprise Application account to collect and add information for your IdP.

Adding identity provider

  1. From any page from Astra DB, select the Organizations dropdown. Select the organization for which you want to configure your SSO.

  2. Go to the dashboard and select Organization Settings. Select Security Settings.

    If this is your first time configuring SSO, no identity providers (IdP) will be listed for your organization.

  3. Select Add Identity Provider.

  4. The Configure SSO page opens. Select Microsoft Azure AD as your IdP.

    The following fields display information you need to provide your IdP:

    • Reply URL

    • Identifier (Entity ID), also called "SP Identity ID"

    • Relay State, also called "Default Relay State"

    MS Azure linkIdP
  5. Copy and paste the provided Reply URL, Identifier (Entity ID), and Relay State into your Azure AD Enterprise App. For more information on configuring SSO, see the Azure AD documentation.

  6. From Azure AD, get your Login URL, Azure AD Identifier, and SAML Signing Certificate. To learn where to find this information, see the Azure AD documentation.

  7. Enter your Description, Login URL, Azure AD Identifier, and SAML Signing Certificate (Base64) for Azure AD into your Astra DB SSO configuration.

    MS Azure obtainIdP
  8. After confirming all the information is correct, scroll down and select Test Configuration.

    A new tab opens in the browser window housing your IdP log-in screens and flow. When you complete the login, the window closes.

    The Test Configuration is deemed successful when a confirmation icon appears beside the Test Configuration button.

    If the test was unsuccessful, review the SSO settings in Astra DB and your IdP console. If still unsuccessful, contact DataStax Support.

  9. Select Activate SSO when your test configuration is successful. A message appears confirming the SSO is now active for your selected organization.

Disabling your configuration

You can suspend any active configuration from your organization. The Disable option deactivates your active configuration.

If you disable your SSO configuration, users can access your organization without SSO authentication.

  1. Select the ellipsis (…​) next to your active configuration. Select Disable.

  2. A dialog box appears to confirm you want to disable this configuration. Type "disable" and select Disable SSO Configuration.

sso disableactive

Using identity provider drafts

To complete your configuration later, select Esc in your configuration to save the current information as a draft. All drafts and the active configuration appear on the table of the Single Sign-on (SSO) page.

sso drafts
  1. Select the ellipsis (…).

  2. Select either Edit or Delete:

    • Edit returns to the Configure SSO page to continue editing the draft and complete the SSO configuration.

    • Delete removes the row from the table and is permanent. This choice displays a dialog box. To delete the draft, type "delete" and select Delete SSO Authentication.

An organization can have have multiple configuration drafts, but only one active configuration.

sso draftactive

The Astra Icon

Optionally, the administrator can add the DataStax Astra logo to be recognizable to all users. Use the instructions below to download and add the logo.

  1. Open your organization dashboard and go to Organization Settings.

  2. Select Security Settings. Scroll down to the Single Sign-on (SSO) box and click Add Identity Provider. Successfully complete the IdP configuration.

  3. Go to Advanced Settings and click Download Astra Logo.

You can only add the logo during configuration. When you successfully complete configuration, you are not able to return here to the logo.

download astralogo
  1. Open Microsoft Azure AD and select Properties.

  2. There are several options to make changes here; the logo option is available.

  3. Click the blue folder and select the Astra logo.

Azure logo
  1. Click Save.

What’s next?

As needed, Update user permissions from the default JIT provision role.