Configuring single sign-on for Okta

As the Organization Administrator, setting up single sign-on (SSO) is crucial to managing access to various applications. SSO allows for a seamless sign-on experience, and gives centralized and streamlined access control to security operations teams.


To manage SSO settings, you must have the Read External Auth and the Write External Auth permissions. These permissions are included in the Organization Administrator role.

Ensure you map the following attributes in your IdP. They are required for Astra to identify your account and JIT provision new accounts.

  • email - Must be in email format and map to an attribute which matches the users Astra account ID (or desired account ID for JIT provisioning)

  • firstName - The user’s first name/given name

  • lastName - The user’s last name/surname

Okta attributes1

Adding identity provider

  1. From any page from Astra DB, select the Organizations dropdown. Select the organization for which you want to configure your SSO.

  2. Go to the dashboard and select Organization Settings. Select Security Settings.

    If this is your first time configuring SSO, no identity providers (IdP) will be listed for your organization.

  3. Select Add Identity Provider.

  4. Select Okta as your IdP.

    The following fields display information you need to provide your IdP:

    • Single sign on URL

    • Audience URI, also called "SP Entity ID"

    • Default Relay State

    okta linkIdP
  5. Enter the provided Single sign on URL, Audience URI, and Default Relay State to your Okta account. For more, see the Okta Documentation.

  6. From Okta, get your Identity Provider Single Sign-On URL, Identity Provider Issuer, and x.509 Certificate. For more, see the Okta Documentation.

  7. Enter your Description, Identity Provider Single Sign-On URL, Identity Provider Issuer, and x.509 Certificate for Okta into your Astra DB SSO configuration.

    obtain okta
  8. After confirming all the information is correct, scroll down and select Test Configuration.

    A new tab opens in the browser window housing your IdP log-in screens and flow. When you complete the login, the window closes.

    The Test Configuration is deemed successful when a confirmation icon appears beside the Test Configuration button.

    If the test was unsuccessful, review the SSO settings in Astra DB and your IdP console. If still unsuccessful, contact DataStax support.

  9. Select Activate SSO when your test configuration is successful. A message appears confirming the SSO is now active for your selected organization.

Disabling your configuration

You can suspend any active configuration from your organization. The Disable option deactivates your active configuration.

If you disable your SSO configuration, users can access your organization without SSO authentication.

  1. Select the ellipsis (…​) next to your active configuration. Select Disable.

  2. A dialog box appears to confirm you want to disable this configuration. Type "disable" and select Disable SSO Configuration.

sso disableactive

Using identity provider drafts

To complete your configuration later, select Esc in your configuration to save the current information as a draft. All drafts and the active configuration appear on the table of the Single Sign-on (SSO) page.

sso drafts
  1. Select the ellipsis (…).

  2. Select either Edit or Delete:

    • Edit returns to the Configure SSO page to continue editing the draft and complete the SSO configuration.

    • Delete removes the row from the table and is permanent. This choice displays a dialog box. To delete the draft, type "delete" and select Delete SSO Authentication.

An organization can have have multiple configuration drafts, but only one active configuration.

sso draftactive

The Astra Icon

Optionally, the administrator can add the DataStax Astra logo to be recognizable to all users. Follow the instructions below to download and add the logo.

  1. Open your organization dashboard and go to Organization Settings.

  2. Select Security Settings. Scroll down to the Single Sign-on (SSO) box and click Add Identity Provider. Successfully complete the IdP configuration.

  3. Go to Advanced Settings and click Download Astra Logo.

You can only add the logo during configuration. When you successfully complete configuration, you are not able to return here to the logo.

download astralogo
  1. Open Okta and select Applications from the left navigation.

  2. Click the sprocket image. The Edit Logo dialog box appears.

  3. Click Browse…​ and select the Astra logo you downloaded.

  4. Click Close.

Azure logo
  1. Click Save.

What’s next?

As needed, Update user permissions from the default JIT provision role.