Configuring single sign-on

As the Organization Administrator, setting up single sign-on (SSO) is crucial to managing access to various applications. SSO allows for a seamless sign-on experience, and gives centralized and streamlined access control to security operations teams.

Key functions

DataStax Astra DB integrates with your Security Assertion Markup Language (SAML)-capable identity providers (IdP) to manage the access to your organization and verify user permission.

Ensure you have been granted permission to Astra DB from your IdP before testing the configuration or the test will fail.

The following workflow explains the SSO process:

sso workflow line

Just-in-Time provisioning

JIT provisioning is a method of dynamically creating a user account for a user who does not already have an Astra account, but has been granted access to an Astra organization through an IdP. The first time the user logs on with SSO their account is automatically created and added to the Astra Organization associated with the SSO configuration, mitigating the need to use the manual Astra invitation feature. When first created, JIT provisioned accounts are given a default set of permissions. The organization administrator can adjust these permissions for each user as needed.

JIT provisioning is automatically enabled with any organization with an active SSO configuration.

The user must accept DataStax Terms and Conditions. The user is then redirected to their Astra DB dashboard.

Configuring SSO

To configure single sign-on with your organization, select your identity provider (IdP) to get started:

After you configure and activate the IdP, you can log in and access Astra DB through the IdP or Astra DB log-in screen. If you log in through your IdP, you are authenticated by your IdP and redirected to your Astra DB dashboard with your organization.

SSO Login

There are several ways to access your organization with SSO when the configuration is complete:

  • Starting from Astra

    1. Sign in to your Astra account using your non-SSO Astra credentials. Your email address and IdP login must match.

    2. Switch to your SSO-enabled organization. To log in, Astra redirects you to your IdP.

    3. If prompted, enter your SSO credentials. When your IdP approves your credentials, you are automatically directed to the your organization’s dashboard.

  • Starting from your IdP

    1. Log in to your IdP and access the dashboard.

    2. Select the Astra application; you are redirected to Astra.

    3. Astra determines if an account already exists with the email address entered for your login.

      1. If so, you are logged into that existing account.

      2. If an existing account is not found, a new account is created automatically.

    4. If this is your first time accessing the Astra application with this account, a dialog box appears prompting you to accept the DataStax Terms and Conditions. Review the information and click Accept.


Your organization dashboard appears on the next page.

Different vendors use different terminology with various fields with SSO. Use the following table with your reference.

DataStax/ Azure AD Okta OneLogin

SAML Assertion Consumer Service (ACS) URL

Reply URL

Single sign on URL

ACS (Consumer URL)

Audience URI

Identifier (Entity ID)

Audience URI (SP Entity ID)


Relay State

Relay State

Default Relay State

Relay State

Sign on URL

Login URL

Identity Provider Single Sign-On URL

SAML 2.0 Endpoint

Identity Provider Issuer

Azure AD Identifier

Identity Provider Issuer

Issuer URL

x.509 Certificate

SAML Signing Certificate

x.509 Certificate

x.509 Certificate