Identity Provider Connections

Domains

Each IDP connection is also configured with one or more domain names. The domain names control which authentication requests will be routed to the IdP connection.

A domain can either be live or not live, on a per-IdP connection basis. Setting a domain live in one connection will make it not live in all other connections.

A domain can either be verified or not verified. Verification is the process of proving that you (the customer) own (or at least control) the domain. To verify a domain, you must perform either of the following:

Create a DNS TXT record with the token as specified in the UI.
Create a web page with the token as specified in the UI.

Once a domain is verified, it remains verified.

To semi-automatically verify the sub-domains of a verified domain, select Verify.

An IdP connection cannot be activated without having at least one live and verified domain.

Multiple Organizations

If you have multiple SingleStore organizations that include users with the same email domain, set up SSO with only one of the organizations. It is recommended that all users are allowed to log into the Cloud Portal in the IdP settings. SSO provides only authentication. Authorization is handled separately by permissions via group memberships.

When setting up SSO, ensure that each email domain maps to a single SSO configuration. This mapping enables the SingleStore authentication server to redirect users to the appropriate IdP for authentication.

Settings

One of the per-domain settings controls whether a non-SSO login is permitted when using an email address that matches the domain. If the Require SSO setting is enabled, then one cannot log into SingleStore Helios via the Cloud Portal with an email address that matches the domain.

A list of email addresses of the form username or username@domain can bypass the per-domain Require SSO setting and log in through Keycloak.