Azure AD Self Serve SSO Steps - OIDC

The following steps have to be executed in the SingleStore Helios Portal and the Azure AD Admin portal sequentially.

In the SingleStore Helios Portal

  1. Open the ORG:your-org menu on the top and go to Organization Details.

  2. Select the Authentication tab.

  3. Use the Add Identity Provider list on the right and select OpenID Connect 1.0 identity provider connection.

  4. Add a Connection Name, for example, Azure-OIDC.

In the Azure AD Admin Portal

  1. In the Azure AD tenant, select App registrations in the left pane.

  2. Select +New registration on the top left.

  3. For * Name, use SingleStore.

  4. Select which accounts can access the API. Typically this is Accounts in this organizational directory only (the default).

  5. Under Redirect URI (optional):

    • Select a platform: Web

    • For the URL, copy the Login Redirect URLs value from the SingleStore Helios Portal.

In the SingleStore Helios Portal

  1. Set up the issuer for Azure AD: under (2) Client Details / Client ID, enter the Application (client) ID copied from under Register in the Azure AD portal.

  2. Fill in Client Details / Issuer by manually joining the following three substrings, in order, into a single string:

    • https://login.microsoftonline.com/

    • The directory (tenant) ID, a UUID

    • /v2.0

  3. Adjust the Scopes under Connection Settings so that they match the desired scopes: "openid", "email" and "profile".

  4. Add your domain, verify it, and select Activate.

In the Azure AD Admin Portal

  1. A client secret is required. These client secrets always expire.

  2. On the main page, under Client credentials, select Add a certificate or secret.

  3. Select +New client secret to add a new secret.

  4. Fill in the description and set an expiration date. Note that authorization will break on that date.

In the SingleStore Helios Portal

  1. On the main Authentication screen, select Update Connection in the Actions column and copy the secret from the Azure AD portal.

  2. Select Save to confirm the changes.
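
The Issuer and Scopes values entered in the Client Details and Connection Settings steps above can be checked before saving the connection. The following Python is an added example, not code from SingleStore or Microsoft: the function names are hypothetical, and the tenant ID and discovery document are constructed placeholders standing in for the metadata published at the issuer URL followed by /.well-known/openid-configuration.

```python
import json
import uuid

AUTHORITY = "https://login.microsoftonline.com/"
REQUIRED_SCOPES = {"openid", "email", "profile"}  # scopes named in the steps above

# Constructed sample of the metadata served at <issuer>/.well-known/openid-configuration
# (placeholder tenant ID, not a real directory).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})


def build_issuer(tenant_id: str) -> str:
    """Join authority + directory (tenant) ID + /v2.0 into the Issuer value."""
    try:
        canonical = str(uuid.UUID(tenant_id.strip()))  # lowercase, hyphenated
    except ValueError:
        raise ValueError(f"directory (tenant) ID is not a UUID: {tenant_id!r}") from None
    return f"{AUTHORITY}{canonical}/v2.0"


def check_connection(issuer: str, scopes: set, discovery_doc: str) -> list:
    """Return a list of problems; an empty list means the settings are consistent."""
    meta = json.loads(discovery_doc)
    problems = []
    # The issuer comparison is exact and case-sensitive, so a trailing
    # slash or a pasted sentence period breaks issuer validation.
    if issuer != meta.get("issuer"):
        problems.append(f"issuer {issuer!r} != metadata issuer {meta.get('issuer')!r}")
    missing = REQUIRED_SCOPES - scopes
    if missing:
        problems.append(f"missing scopes: {sorted(missing)}")
    unsupported = scopes - set(meta.get("scopes_supported", []))
    if unsupported:
        problems.append(f"scopes not advertised by the provider: {sorted(unsupported)}")
    return problems


if __name__ == "__main__":
    issuer = build_issuer("11111111-2222-3333-4444-555555555555")
    print(issuer)
    print(check_connection(issuer, {"openid", "email", "profile"}, SAMPLE_DISCOVERY))
    print(check_connection(issuer + ".", {"openid", "email"}, SAMPLE_DISCOVERY))
```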

Last modified: November 26, 2024

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined

  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined

  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
    cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
    --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
    --bundle undefined \
    --new-bundle-format -

    Verified OK