Protocols

OIDC 1.0 vs SAML 2.0

OpenID Connect (OIDC) and SAML are quite different in how they operate. Both are supported. Each has advantages. If only one is supported by your IdP, then use that one.

With SAML, there is no direct connection between the SingleStore Helios identity system and the IdP. All communication takes place using browser redirects. If the IdP is behind a firewall and inaccessible to SingleStore Helios’s identity platform, then SAML is the only choice.

SAML configuration is done by exchanging XML configuration blobs and configuring, on both sides, the attributes used for first name, last name, and email address. With SAML, there is fine-grained control over what information is sent from the IdP to the Service Provider (SP). This allows sending group membership and any other arbitrary data that is desired. At the current time, SingleStore Helios does not use anything besides first name, last name, and email address.

OIDC is generally easier to set up, but the instructions for any given IdP platform (Okta, Ping, etc.) are not obvious because the set of scopes is not well standardized. SingleStore Helios’s identity system supports IdP-initiated authentication with OIDC. SingleStore Helios Portal authentication sessions last only as long as the access token granted by the customer IdP remains valid or can be refreshed. This allows the IdP to force all sessions to close by invalidating the refresh token, which may happen, for example, because an administrator removed the corresponding user. Once the refresh token is invalidated, the access token expires and the session closes. SingleStore Helios does not limit the session length – that is governed by the customer IdP’s policies.
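The session rule described above (a Portal session lives only as long as the IdP's access token is valid or can be refreshed, with no local cap) is easiest to see as code. The following is an added illustration, not SingleStore's or any IdP's code: the IdP is a constructed stand-in whose token endpoint simply tracks which refresh tokens are still valid, and the clock values are fixed so the walkthrough is deterministic.

```python
from dataclasses import dataclass, field
from typing import Optional


# Constructed stand-in for the customer IdP's token endpoint (an assumption,
# not a real IdP API). It remembers which refresh tokens are still valid;
# an administrator removing a user revokes that user's refresh token.
@dataclass
class FakeIdP:
    access_lifetime: int = 300                      # seconds an access token stays valid
    valid_refresh_tokens: set = field(default_factory=set)

    def issue(self, user: str, now: float) -> tuple:
        """Initial login: return (access_token_expiry, refresh_token)."""
        refresh = f"refresh-{user}"
        self.valid_refresh_tokens.add(refresh)
        return now + self.access_lifetime, refresh

    def refresh(self, refresh_token: str, now: float) -> Optional[float]:
        """Return a new access-token expiry, or None if the refresh token was revoked."""
        if refresh_token not in self.valid_refresh_tokens:
            return None
        return now + self.access_lifetime

    def revoke_user(self, user: str) -> None:
        self.valid_refresh_tokens.discard(f"refresh-{user}")


@dataclass
class PortalSession:
    user: str
    access_expiry: float
    refresh_token: str
    active: bool = True


def session_is_active(session: PortalSession, idp: FakeIdP, now: float) -> bool:
    """The rule from the text: valid while the access token is good or can be
    refreshed; a refused refresh closes the session. No local session limit."""
    if not session.active:
        return False
    if now < session.access_expiry:
        return True                                  # access token still valid
    new_expiry = idp.refresh(session.refresh_token, now)
    if new_expiry is None:
        session.active = False                       # refresh rejected -> session closes
        return False
    session.access_expiry = new_expiry               # refreshed, keep going
    return True


def demo() -> list:
    """Walk one session through expiry, a successful refresh, revocation, and closure."""
    idp = FakeIdP(access_lifetime=300)
    t0 = 1_700_000_000.0                             # constructed fixed clock
    expiry, refresh_token = idp.issue("alice", t0)
    s = PortalSession("alice", expiry, refresh_token)
    results = []
    results.append(session_is_active(s, idp, t0 + 100))  # within lifetime: active
    results.append(session_is_active(s, idp, t0 + 400))  # expired, refresh succeeds: active
    idp.revoke_user("alice")                              # admin removes the user at the IdP
    results.append(session_is_active(s, idp, t0 + 500))  # refreshed token still valid: active
    results.append(session_is_active(s, idp, t0 + 800))  # expired, refresh refused: closed
    results.append(session_is_active(s, idp, t0 + 801))  # stays closed
    return results


if __name__ == "__main__":
    print(demo())
```

Note the gap between revocation and closure: the session survives until the access token that was already issued expires, which is why a short access-token lifetime at the IdP shortens the window during which a removed user can still reach the Portal.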

Currently, IdP-initiated login and logout with SAML are not supported.

Settings Available

The following settings are available:

General (not specific to OIDC or SAML)

  • JWT token lifetime for engine access - the lifetime of tokens generated via a browser login for accessing the SingleStore Helios database.

  • A list of email addresses, in the format username@domain or just username, that can bypass the per-domain SSO-required setting and log in through Keycloak.

OIDC

  • Allowed Clock drift – useful when the IdP and SingleStore disagree about the current time.

SAML

  • Portal access (minutes) – determines how long the tokens generated for the SingleStore Helios Portal last. You will have to re-authenticate when this runs out, so a value like 1440 minutes (one day) is reasonable.
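Two of the settings above, the JWT token lifetime and the allowed clock drift, interact in token validation: the lifetime sets the width of the token's validity window, and the clock-drift allowance (usually called leeway) decides how far the verifier's clock may disagree with the issuer's before a token is rejected as "not yet valid" or "expired". The following added example (not SingleStore's code; the HS256 key, subject and timestamps are constructed) mints a minimal JWT and verifies it with a configurable leeway, so you can see a token issued by a clock 90 seconds ahead fail with zero leeway and pass with a 2-minute allowance.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-signing-key"   # constructed; real deployments use their own key material


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(subject: str, lifetime_minutes: int, now: int, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT valid for `lifetime_minutes` starting at the issuer's clock `now`
    (the knob the settings list calls the JWT token lifetime)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": now, "nbf": now, "exp": now + lifetime_minutes * 60}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, now: int, leeway_seconds: int = 0, secret: bytes = SECRET) -> dict:
    """Check the signature first, then nbf/exp with `leeway_seconds` of allowed clock drift.
    Raises ValueError on any failure and returns the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")            # never let the token pick the algorithm
    claims = json.loads(_b64url_decode(p))
    # Issuer clock ahead of ours: nbf lies in our future. Accept if within leeway.
    if now + leeway_seconds < claims["nbf"]:
        raise ValueError("token not yet valid")
    # Issuer clock behind ours: exp already passed. Accept if within leeway.
    if now - leeway_seconds >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def accepted(token: str, now: int, leeway_seconds: int, secret: bytes = SECRET) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        verify_jwt(token, now, leeway_seconds, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    our_now = 1_700_000_000                          # constructed verifier clock
    tok = issue_jwt("alice@example.com", 60, our_now + 90)   # issuer clock 90 s ahead
    print("leeway 0:", accepted(tok, our_now, 0))    # False: nbf is in our future
    print("leeway 120:", accepted(tok, our_now, 120))  # True: within allowed drift
```

Keep the leeway small (a couple of minutes at most): every second of allowed drift extends the effective lifetime of every token by the same amount, on both ends of its validity window.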

Last modified: November 7, 2023
