Configure single sign-on

Single sign-on (SSO) enables a seamless sign-on experience for users and a centralized access control method for security operations teams. SSO is configured at the organization level in Astra.

DataStax supports any SAML-compatible identity provider (IdP), such as:

  • Microsoft Entra ID (formerly Microsoft Azure AD)

  • Okta

  • OneLogin

  • Google

  • Ping Identity

Astra also supports Just-in-Time (JIT) provisioning, which creates a user account for a user who does not already have an Astra account, but was granted access to an Astra organization through an IdP. The first time a user signs in to their account using SSO, their account is automatically created and added to the Astra organization that is associated with the SSO configuration. JIT-provisioned accounts are given a default set of permissions when first created. The organization administrator can adjust these permissions for each user as needed.

Prerequisites

To configure SSO, you must have the following:

  • An Astra organization administrator role with Read External Auth and Write External Auth permissions.

  • An administrator-level account in your IdP.

  • An Astra app integration in your IdP.

Add an identity provider

To configure SSO, you connect your identity provider (IdP) to an Astra organization so they can exchange information, then you test the connection, and then activate SSO. You can optionally add the Astra logo to your IdP to allow users to easily locate Astra. After you configure and activate SSO, users in the organization must use the IdP to sign in to Astra.

  1. Sign in to the Astra Portal.

  2. In the left pane, select the organization for which you want to configure SSO.

    You cannot configure SSO for the default organization.

  3. In the left pane, click Security.

  4. Click Add Identity Provider.

  5. Enter a name for this SSO configuration.

  6. Select the identity provider you want to use. If you do not see your identity provider, select Other. SAML URLs are generated automatically.

    The remaining steps depend on the IdP you selected.

Azure AD

  1. Copy and paste the Reply URL, Identifier (Entity ID), and Relay State from Astra to the corresponding fields in your Azure AD application. For more information on configuring SSO, see the Azure AD documentation.

  2. In your Azure AD application, map the following attributes to ensure Astra can identify your account and perform JIT provisioning for new accounts:

    • email: Must be in email format and map to an attribute that matches the user’s Astra account ID or the account ID for JIT provisioning.

    • firstName: The user’s first name/given name.

    • lastName: The user’s last name/surname.

  3. In your Azure AD application, in the Attributes & Claims section, click the required claim, and then click the value for the Unique User Identifier (Name ID).

  4. In your Azure AD application, in the Manage claim section, ensure the Source attribute is in email format and maps to an attribute that matches the user’s Astra account ID or the account ID for JIT provisioning. Ensure the Namespace field is empty.

  5. In your Azure AD application, copy your Login URL, Azure AD Identifier, and SAML Signing Certificate and paste them into the corresponding fields in Astra.

  6. Optional: Under Advanced settings, click Download Astra Logo to download the DataStax Astra logo. Then, add the logo to your IdP.

    You can download the icon only during the initial configuration.

  7. Click Activate SSO.

    If you do not activate the configuration now, it is saved as a draft. You can activate it later by editing the configuration.

Okta

  1. Copy and paste the Single sign on URL, Audience URI, and Default Relay State from the DataStax UI to your Okta app. For more information on configuring SSO, see the Okta documentation.

  2. In your Okta application, map the following attributes to ensure Astra can identify your account and perform JIT provisioning for new accounts:

    • email: Must be in email format and map to an attribute that matches the user’s Astra account ID or the account ID for JIT provisioning.

    • subject: Must be in email format with the same address as the email attribute.

    • firstName: The user’s first name/given name.

    • lastName: The user’s last name/surname.

  3. In your Okta application, copy your Identity Provider Single Sign-On URL, Identity Provider Issuer, and x.509 Certificate and paste them into the fields in the DataStax UI.

  4. Optional: Under Advanced settings, click Download Astra Logo to download the DataStax Astra logo. Then, add the logo to your IdP.

    You can download the icon only during the initial configuration.

  5. Click Activate SSO.

    If you do not activate the configuration now, it is saved as a draft. You can activate it later by editing the configuration.

OneLogin

  1. Copy and paste the ACS (Consumer) URL, Audience, and Relay State from the DataStax UI to your OneLogin app. For more information on configuring SSO, see the OneLogin documentation.

  2. In your OneLogin application, map the following attributes to ensure Astra can identify your account and perform JIT provisioning for new accounts:

    • email: Must be in email format and map to an attribute that matches the user’s Astra account ID or the account ID for JIT provisioning.

    • firstName: The user’s first name/given name.

    • lastName: The user’s last name/surname.

  3. In your OneLogin application, copy your SAML 2.0 Endpoint, Issuer URL, and x.509 Certificate and paste them into the fields in the DataStax UI.

  4. Optional: Under Advanced settings, click Download Astra Logo to download the DataStax Astra logo. Then, add the logo to your IdP.

    You can download the icon only during the initial configuration.

  5. Click Activate SSO.

    If you do not activate the configuration now, it is saved as a draft. You can activate it later by editing the configuration.

Other

  1. Copy and paste the Single sign on URL, Audience URI, and Default Relay State from the DataStax UI to your IdP app. For more information on configuring SSO, see the documentation for your IdP.

  2. In your IdP application, map the following attributes to ensure Astra can identify your account and perform JIT provisioning for new accounts:

    • email: Must be in email format and map to an attribute that matches the user’s Astra account ID or the account ID for JIT provisioning.

    • firstName: The user’s first name/given name.

    • lastName: The user’s last name/surname.

  3. In your IdP application, copy your Identity Provider Single Sign-On URL, Identity Provider Issuer, and x.509 Certificate and paste them into the fields in the DataStax UI.

  4. Optional: Under Advanced settings, click Download Astra Logo to download the DataStax Astra logo. Then, add the logo to your IdP.

    You can download the icon only during the initial configuration.

  5. Click Activate SSO.

    If you do not activate the configuration now, it is saved as a draft. You can activate it later by editing the configuration.
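The attribute-mapping steps above (email, firstName and lastName for every IdP; the Okta subject that must carry the same address as email; the Azure AD Name ID that must be in email format with an empty Namespace) are the usual reason a new SSO configuration fails at first sign-in or JIT-provisions the wrong account. The following is an added example, not DataStax code, of an offline pre-flight check that a SAML response an IdP emits actually matches that mapping and the Reply URL / Entity ID values copied from Astra. The SAML response embedded in it is constructed sample data, and the `https://example.invalid/astra/acs` Reply URL and `urn:placeholder:astra-entity-id` Entity ID are placeholders; substitute the values shown in your own Astra organization. It goes slightly beyond the page by also checking Destination and Audience, since those fail the same way a mismapped claim does. It does not verify the XML signature; that remains the job of the service provider.

```python
"""Pre-flight check of a SAML response against the claim mapping Astra expects.

Added example, not DataStax code. SAMPLE_RESPONSE is constructed data; the
Reply URL and Entity ID passed to check_saml_response() are placeholders.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("email", "firstName", "lastName")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample of what an IdP sends once the mapping on this page is in place.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://example.invalid/astra/acs" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.invalid</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:placeholder:astra-entity-id</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.invalid</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_saml_response(xml_text, reply_url, entity_id):
    """Return a list of problems; an empty list means the response fits the mapping."""
    problems = []
    root = ET.fromstring(xml_text)

    # Destination must be the Reply URL / ACS URL copied from Astra, character for character.
    if root.get("Destination") != reply_url:
        problems.append(f"Destination {root.get('Destination')!r} != Reply URL {reply_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]

    # Audience must be the Identifier (Entity ID) / Audience URI copied from Astra.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include Entity ID {entity_id!r}")

    # Name ID (the Okta 'subject') must be an email address in email format.
    subject = ""
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in Subject")
    else:
        subject = (name_id.text or "").strip()
        if name_id.get("Format") != EMAIL_NAMEID_FORMAT:
            problems.append(f"NameID Format {name_id.get('Format')!r} is not emailAddress")
        if not EMAIL_RE.match(subject):
            problems.append(f"NameID {subject!r} is not an email address")

    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""

    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"missing or empty attribute {name!r}")
    # Heuristic for the Azure AD 'Namespace must be empty' rule: a namespaced claim
    # arrives as '<namespace>/<name>', so a slash in the attribute name flags it.
    for name in attrs:
        if name and "/" in name:
            problems.append(f"attribute {name!r} carries a namespace; Namespace should be empty")

    email = attrs.get("email", "")
    if email and not EMAIL_RE.match(email):
        problems.append(f"email attribute {email!r} is not an email address")
    # Name ID and email must be the same address, or JIT provisioning keys on the wrong ID.
    if subject and email and subject.lower() != email.lower():
        problems.append(f"NameID {subject!r} does not match email attribute {email!r}")
    return problems


if __name__ == "__main__":
    issues = check_saml_response(SAMPLE_RESPONSE,
                                 "https://example.invalid/astra/acs",
                                 "urn:placeholder:astra-entity-id")
    print("OK" if not issues else "\n".join(issues))
```

Run it against a response captured from your IdP's test sign-in (most IdPs offer a "preview SAML response" or similar in the app's configuration) before clicking Activate SSO; every line it prints corresponds to one of the mapping or URL steps above that still needs fixing.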

Sign in with SSO

When you sign in with SSO, Astra determines if an account already exists for the email address that is connected to your sign-in credentials. If an account exists, you are signed in to that existing account. If an account does not exist, then a new account is created automatically.

  1. Sign in to your IdP and access the dashboard.

  2. Select the Astra application.

  3. If this is your first time accessing the Astra application with this account, click Accept to accept the DataStax terms and conditions.

Edit an SSO configuration

Follow these steps to edit your configuration or to activate it if you did not complete the activation during the initial configuration.

  1. In the left pane, select the organization for which you want to edit the SSO configuration.

  2. In the left pane, click Security.

  3. Select the three dot menu next to the configuration you want to edit, and then click Edit.

Delete an SSO configuration

If you no longer want members of your organization to authenticate through your IdP to access Astra, you can delete the configuration.

Deleting a configuration is permanent.

  1. In the left pane, select the organization for which you want to delete the SSO configuration.

  2. In the left pane, click Security.

  3. Select the three dot menu next to the configuration you want to delete, and then click Delete.

  4. Type delete to confirm that you want to delete this configuration.

  5. Click Delete SSO Authentication.


© 2024 DataStax | Privacy policy | Terms of use
