Identity Provider Connections

An Identity Provider Connection represents a connection between SingleStore Helios’s identity system and your IdP.

An organization may have zero or more IdP Connections. To add an IdP, select (ORG:) > Organization Details > Authentication.

Connections can be active or inactive, and they can be modified, copied, and deleted.

Each connection has an identifier and its own URL paths that need to be configured with the customer’s Identity Provider to make the connection work.

The process of establishing a connection involves exchanging information between the SingleStore Helios’s identity system and your IdP.

Both OIDC 1.0 and SAML 2.0 connections are supported.

Domains

Each IDP connection is also configured with one or more domain names. The domain names control which authentication requests will be routed to the IdP connection.

A domain can either be live or not live, on a per-IdP connection basis. Setting a domain live in one connection will make it not live in all other connections.

A domain can either be verified or not verified. Verification is the process of proving that you (the customer) own (or at least control) the domain. To verify a domain, you must perform either of the following:

  • Create a DNS TXT record with the token as specified in the UI.

  • Create a web page with the token as specified in the UI.

Once a domain is verified, it remains verified.

To semi-automatically verify the sub-domains of a verified domain, select Verify.

An IdP connection cannot be activated without having at least one live and verified domain.

Multiple Organizations

If you have multiple SingleStore organizations that include users with the same email domain, set up SSO with only one of the organizations. It is recommended that all users are allowed to log into the Cloud Portal in the IdP settings. SSO provides only authentication. Authorization is handled separately by permissions via group memberships.

When setting up SSO, ensure that each email domain maps to a single SSO configuration. This mapping enables the SingleStore authentication server to redirect users to the appropriate IdP for authentication.

Settings

One of the per-domain settings controls whether a non-SSO login is permitted when using an email address that matches the domain. If the Require SSO setting is enabled, then one cannot log into SingleStore Helios via the Cloud Portal with an email address that matches the domain.

A list of email addresses of the form username or username@domain can bypass the per-domain Require SSO setting and log in through Keycloak.

A dialog box appears when an identity provider is added, connection settings can be configured.

Last modified: November 26, 2024

Was this article helpful?