SingleStore’s Identity Platform

Note

Currently, this is a public preview feature.

SingleStore Helios’s identity platform is an authentication proxy. When you use the SingleStore Helios Portal or any other SingleStore Helios site, you log in to the SingleStore Helios identity platform. The Portal is an authentication client of the identity platform, specifically an OpenID Connect (OIDC) client. The identity platform itself is an identity proxy: the Portal authenticates to it with OIDC, but the actual login is performed against an external Identity Provider (IdP) using either OpenID Connect (OIDC) or Security Assertion Markup Language (SAML).

The flow is:

  1. The Portal redirects to the authentication endpoint.

  2. The identity platform creates an authentication request and redirects the browser to its login page.

  3. On the login page, after you enter your email address, you are redirected to your IdP if SSO is required for your email domain. If SSO is allowed but not required, you can choose whether to log in with SSO.

  4. When that login completes, an authorization code is issued and handed to the Portal.

  5. The Portal exchanges that code for access and refresh tokens.

When the access token expires (its lifetime is five minutes or less), the Portal asks for a fresh token. If the proxied connection is OIDC, the SingleStore identity platform first checks the expiration time of the access token it holds for the external IdP; if that token has expired or is about to expire, the platform refreshes it with the IdP before refreshing the Portal’s access token.
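The five-step flow and the refresh rule above, modelled as a small simulation on a fake clock. This is an added example written for this page, not SingleStore’s code: the class names, the e-mail-domain policy table, the 30-second refresh skew, the token lifetimes and the simulated clock are all assumptions. It shows the three properties a practitioner would want to confirm in any such proxy: the domain decides whether SSO is required or merely allowed, the authorization code is single-use, and the upstream IdP token is refreshed before the Portal’s token whenever it is expired or close to expiry.

```python
"""Toy model of the proxy flow above. Added illustration, not SingleStore code;
class names, token lifetimes and the refresh skew are assumptions."""
import secrets
from collections import namedtuple

Token = namedtuple("Token", "value expires_at")  # expires_at: seconds on a simulated clock


def expires_within(token, seconds, now):
    return token.expires_at - now <= seconds


class ExternalIdp:
    """Stand-in for the customer's IdP (constructed): issues 5-minute access tokens."""
    ACCESS_TTL = 300
    refresh_count = 0  # class default; incremented per instance below

    def authenticate(self, now):
        return Token(secrets.token_hex(8), now + self.ACCESS_TTL), secrets.token_hex(8)

    def refresh(self, refresh_token, now):
        self.refresh_count += 1
        return self.authenticate(now)


class AuthProxy:
    """The identity platform: OIDC server toward the Portal, OIDC client toward the IdP."""
    PORTAL_ACCESS_TTL = 300  # "five minutes or less"
    REFRESH_SKEW = 30        # treat an upstream token as expired this many seconds early

    def __init__(self, idp, domain_policies):
        self.idp = idp
        self.domain_policies = domain_policies  # e-mail domain -> "required" | "allowed"
        self.pending = set()   # open login requests (step 2)
        self.codes = {}        # one-time code -> upstream session (step 4)
        self.sessions = {}     # Portal refresh token -> upstream session (step 5)

    def authorize(self):
        """Steps 1-2: Portal hits the authorization endpoint; proxy opens a request."""
        request_id = secrets.token_urlsafe(8)
        self.pending.add(request_id)
        return {"redirect": "/login", "request_id": request_id}

    def login_page(self, request_id, email):
        """Step 3: the e-mail domain decides whether SSO is required, allowed or absent."""
        policy = self.domain_policies.get(email.rsplit("@", 1)[-1].lower())
        if policy == "required":
            return {"action": "redirect_to_idp", "choices": ["sso"]}
        if policy == "allowed":
            return {"action": "choose", "choices": ["sso", "password"]}
        return {"action": "choose", "choices": ["password"]}

    def idp_callback(self, request_id, now):
        """Step 4: IdP login finished; keep the upstream tokens, mint a one-time code.
        IdP-initiated login (OIDC only) would enter here without the login page step."""
        self.pending.remove(request_id)  # KeyError => unknown request
        access, refresh = self.idp.authenticate(now)
        code = secrets.token_urlsafe(8)
        self.codes[code] = {"upstream_access": access, "upstream_refresh": refresh}
        return code

    def exchange_code(self, code, now):
        """Step 5: Portal trades the single-use code for its own access and refresh
        tokens. The session carries identity only, not organization membership."""
        session = self.codes.pop(code)  # KeyError => unknown or already-used code
        portal_refresh = secrets.token_urlsafe(8)
        self.sessions[portal_refresh] = session
        return Token(secrets.token_urlsafe(8), now + self.PORTAL_ACCESS_TTL), portal_refresh

    def refresh(self, portal_refresh, now):
        """Portal access token expired: refresh the upstream token first if it has
        expired or is about to, then issue a fresh Portal access token."""
        session = self.sessions[portal_refresh]
        if expires_within(session["upstream_access"], self.REFRESH_SKEW, now):
            session["upstream_access"], session["upstream_refresh"] = self.idp.refresh(
                session["upstream_refresh"], now)
        return Token(secrets.token_urlsafe(8), now + self.PORTAL_ACCESS_TTL)


def run_flow(email="alice@example.com"):
    """Drive one login and three refreshes on a simulated clock; return what happened."""
    idp = ExternalIdp()
    proxy = AuthProxy(idp, {"example.com": "required", "partner.test": "allowed"})
    req = proxy.authorize()
    page = proxy.login_page(req["request_id"], email)
    code = proxy.idp_callback(req["request_id"], now=0)
    access, refresh = proxy.exchange_code(code, now=0)
    try:
        proxy.exchange_code(code, now=0)  # replaying the one-time code must fail
        replay_rejected = False
    except KeyError:
        replay_rejected = True
    # t=100: upstream has 200 s left -> no upstream refresh.  t=280: 20 s left, inside
    # the 30 s skew -> upstream refreshed first.  t=400: new upstream has 180 s left -> no.
    renewed = [proxy.refresh(refresh, now=t) for t in (100, 280, 400)]
    return {
        "login_action": page["action"],
        "login_choices": page["choices"],
        "replay_rejected": replay_rejected,
        "upstream_refreshes": idp.refresh_count,
    }
```

Running `run_flow()` for a domain with SSO required reports `redirect_to_idp`, a rejected code replay, and exactly one upstream refresh across the three Portal refreshes: only the refresh at t=280 falls inside the skew window, so that is the one where the proxy goes back to the IdP before answering the Portal. Swapping in an address from an "allowed" domain changes only the login-page result to a choice between SSO and password.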

For IdP-initiated login (OIDC only), the login page step is skipped.

Note

Logging in with SSO does not currently grant membership in your SingleStore Helios organization. It is just authentication. Organization membership/RBAC based on IdP group membership is not supported. Users must still be added to your organization with invitations.

When SSO with SingleStore Helios is Already Available

If you already have an SSO connection set up because you followed the old instructions and opened a ticket, that SSO connection will continue to work at least for a while. You should migrate to the new self-service SSO setup.

To migrate, create a new self-service SSO setup and test it before making it live. Once it is tested, make it live and open a support ticket to have the old SSO connection removed. Some overlap between the old connection and the new connection is fine.

IdP-initiated login (OIDC only) will always use the new self-service SSO connection.

Last modified: March 7, 2024

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined
  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined
  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
    cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
    --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
    --bundle undefined \
    --new-bundle-format -
    Verified OK