Configuring single sign-on for OneLogin

Setting up single sign-on (SSO) as the Organization Administrator is crucial to managing access to various applications. SSO allows for a seamless sign-on experience and gives security operations teams centralized and streamlined access control.


To manage SSO settings, you must have the Read External Auth and the Write External Auth permissions. These permissions are included in the Organization Administrator role.

Ensure you map the following attributes in your IdP. They are required for Astra to identify your account and JIT provision new accounts.

  • email - Must be in email format and map to an attribute that matches the user's Astra account ID (or the desired account ID for JIT provisioning)

  • firstName - The user’s first name/given name

  • lastName - The user’s last name/surname
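As an added example (not DataStax or OneLogin code), the Python sketch below checks a decoded SAML assertion, such as one captured during a test login, for the three attributes listed above. It assumes the attributes arrive under those exact `Name` values, matched case-sensitively, and it does not verify the assertion's signature; the sample assertions are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "firstName", "lastName")  # names from the list above
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # loose format check only


def check_attributes(saml_xml):
    """Return mapping problems found in a decoded assertion; [] means none."""
    root = ET.fromstring(saml_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        texts = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        found[attr.get("Name")] = [t for t in texts if t]
    problems = []
    for name in REQUIRED:
        if name not in found:  # assumption: exact, case-sensitive Name match
            problems.append(f"{name}: attribute missing")
        elif not found[name]:
            problems.append(f"{name}: attribute has no value")
    email = found.get("email") or []
    if email and not EMAIL_RE.match(email[0]):
        problems.append("email: value is not in email format")
    return problems


def sample_assertion(attrs):
    """Build a constructed, unsigned assertion for the demonstration."""
    body = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue>'
        "</saml:Attribute>" for n, v in attrs.items())
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f"<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>")


GOOD = sample_assertion({"email": "ada@example.com", "firstName": "Ada", "lastName": "Lovelace"})
BAD = sample_assertion({"email": "ada", "FirstName": "Ada", "lastName": ""})

if __name__ == "__main__":
    print(check_attributes(GOOD))
    for problem in check_attributes(BAD):
        print(problem)
```

A miscased name such as `FirstName` is reported as a missing `firstName`, which is a common cause of a failed mapping.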


Adding identity provider

  1. From any page in Astra DB, select the Organizations dropdown. Select the organization for which you want to configure SSO.

  2. Go to the dashboard and select Organization Settings. Select Security Settings.

    If this is your first time configuring SSO, no identity providers (IdP) will be listed for your organization.

  3. Select Add Identity Provider.

  4. Select OneLogin as your IdP.

    The following fields display information you need to provide to your IdP:

    • ACS (Consumer) URL, also called "Single Sign On URL"

    • Audience, also called "SP Entity ID"

    • Relay State, also called "Default Relay State"

  5. Enter the provided ACS (Consumer) URL, Audience, and Relay State into your OneLogin account. For more, see the OneLogin Catalog.

  6. From OneLogin, get your SAML 2.0 Endpoint, Issuer URL, and x.509 Certificate. For more, see the OneLogin Catalog.

  7. Enter your Description, SAML 2.0 Endpoint, Issuer URL, and x.509 Certificate for OneLogin into your Astra DB SSO configuration.

  8. After confirming all the information is correct, scroll down and select Test Configuration.

    A new tab opens in the browser window housing your IdP log-in screens and flow. When you complete the login, the window closes.

    The Test Configuration is deemed successful when a confirmation icon appears beside the Test Configuration button.

    If the test was unsuccessful, review the SSO settings in Astra DB and your IdP console. If still unsuccessful, contact DataStax support.

  9. Select Activate SSO when your test configuration is successful. A message appears confirming the SSO is now active for your selected organization.

Disabling your configuration

You can suspend any active configuration from your organization. The Disable option deactivates your active configuration.

If you disable your SSO configuration, users can access your organization without SSO authentication.

  1. Select the ellipsis (…) next to your active configuration. Select Disable.

  2. A dialog box appears to confirm you want to disable this configuration. Type "disable" and select Disable SSO Configuration.


Using identity provider drafts

To complete your configuration later, select Esc in your configuration to save the current information as a draft. All drafts and the active configuration appear on the table of the Single Sign-on (SSO) page.

  1. Select the ellipsis (…).

  2. Select either Edit or Delete:

    • Edit returns to the Configure SSO page to continue editing the draft and complete the SSO configuration.

    • Delete removes the row from the table and is permanent. This choice displays a dialog box. To delete the draft, type "delete" and select Delete SSO Authentication.

An organization can have multiple configuration drafts, but only one active configuration.

  1. Open your organization dashboard and go to Organization Settings.

  2. Select Security Settings. Scroll down to the Single Sign-on (SSO) box and click Add Identity Provider. Successfully complete the IdP configuration.

  3. Go to Advanced Settings and click Download Astra Logo.

You can only add the logo during configuration. After you successfully complete configuration, you cannot return here for the logo.

  1. Open Okta and select Applications from the left navigation.

  2. Click the sprocket image. The Edit Logo dialog box appears.

  3. Click Browse… and select the Astra logo you downloaded.

  4. Click Close.

What’s next?

As needed, update user permissions from the default JIT provision role.