SAML

Most Identity Providers can export an XML configuration block or file. Many can also import an XML configuration block or file.

After choosing to create a SAML Identity Provider Connection in the SingleStore Helios Portal, the XML configuration block for that connection is available for immediate download. This can be downloaded before doing any setup with the Identity Provider. Each Identity Provider Connection will have a different configuration block and you cannot use a block meant for one connection with another.

Attribute mappings must be set up on both sides of the connection. On the SingleStore side, the name of the attributes used for email, firstName, and lastName must be set. On the IdP side, these attributes must be exported.

To discover the attribute names the IdP actually sends, use the preview function that most IdPs offer in their UI to show what the assertion will look like; the attribute names appear there.

The basic flow of SP-initiated authentication via SAML is a single request and response carried by browser redirects. The request that the SP (SingleStore identity platform) makes will be signed. The IdP (customer) may validate the signature or ignore it. The response from the IdP must be signed, and the SP (SingleStore identity platform) will validate the signature. Both the IdP and the SP are configured with their counterpart's entity ID and URLs.

The SAML-specific configuration items that must be filled in the SingleStore Helios Portal to enable SAML are:

  • IdP XML configuration block generated by the IdP

  • Name of the email attribute in the IdP-provided assertions

  • Name of the first name attribute in the IdP-provided assertions

  • Name of the last name attribute in the IdP-provided assertions

The SAML-specific configuration items that are provided by the SingleStore Helios Portal include:

  • SP XML Configuration block that can be used to configure the IdP

  • The attribute consuming service (ACS) endpoint

  • The SP Entity ID

These configuration items are available as soon as the Identity Provider Connection is created. No parameters from the IdP are required.
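The two points above, discovering which attribute names the IdP releases and the checks the SP performs on the signed response (Issuer, Destination, Audience, signature presence, attribute mapping), can be shown on a constructed SAML response. The following is an added example, not code from SingleStore or from the Helios Portal; the entity IDs, ACS URL, attribute names and user values are illustrative placeholders, and the signature check is structural only (whether a ds:Signature element is present), since cryptographic XML-DSig verification against the certificate from the IdP metadata needs a dedicated library.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample response; not captured from any real IdP. All IDs, URLs
# and attribute names below are placeholders chosen for this example.
IDP_ENTITY_ID = "https://idp.example.test/metadata"
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
ACS_URL = "https://sp.example.test/saml/acs"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# What you would type into the Portal once the preview shows these names.
MAPPING = {"email": CLAIMS + "emailaddress",
           "firstName": CLAIMS + "givenname",
           "lastName": CLAIMS + "surname"}

SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_resp1" Version="2.0" IssueInstant="2023-11-09T00:00:00Z"
    Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-11-09T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def list_attribute_names(response_xml):
    """The same information the IdP's assertion preview gives you: the Name of
    every attribute in the assertion, so you can fill in the Portal mapping."""
    root = ET.fromstring(response_xml)
    path = "saml:Assertion/saml:AttributeStatement/saml:Attribute"
    return [a.get("Name") for a in root.iterfind(path, NS)]


def _text(elem, path):
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def check_response(response_xml, idp_entity_id, sp_entity_id, acs_url, mapping):
    """SP-side checks on an IdP response. Returns ok flag, list of findings and
    the mapped user fields. Every finding is a reason to reject the login."""
    root = ET.fromstring(response_xml)
    findings = []
    if root.tag != "{%s}Response" % NS["samlp"]:
        return {"ok": False, "findings": ["root element is not samlp:Response"], "user": {}}
    if root.get("Destination") != acs_url:
        findings.append("Destination is not our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        findings.append("StatusCode is not Success")
    if _text(root, "saml:Issuer") != idp_entity_id:
        findings.append("Response Issuer does not match the configured IdP entity ID")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        findings.append("expected exactly one Assertion, found %d" % len(assertions))
        return {"ok": False, "findings": findings, "user": {}}
    assertion = assertions[0]
    if _text(assertion, "saml:Issuer") != idp_entity_id:
        findings.append("Assertion Issuer does not match the configured IdP entity ID")
    # Presence only: real deployments verify the enveloped signature with an
    # XML-DSig library against the certificate in the IdP metadata block.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("no ds:Signature on the Response or the Assertion")
    audiences = [a.text.strip() for a in
                 assertion.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        findings.append("our SP entity ID is not in the AudienceRestriction")
    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    user = {}
    for field, attr_name in mapping.items():
        values = attrs.get(attr_name, [])
        if len(values) != 1:  # a mistyped mapping name shows up here, not as a login
            findings.append("%s: attribute %r missing or multi-valued (%d values)" % (field, attr_name, len(values)))
        else:
            user[field] = values[0]
    return {"ok": not findings, "findings": findings, "user": user}


if __name__ == "__main__":
    print("attributes in assertion:", list_attribute_names(SAMPLE_RESPONSE))
    print(check_response(SAMPLE_RESPONSE, IDP_ENTITY_ID, SP_ENTITY_ID, ACS_URL, MAPPING))
```

Running the script with a wrong audience, a wrong ACS URL or a mistyped attribute name in MAPPING produces a finding rather than a partial user record, which is the behaviour you want from the SP side of the connection.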

Last modified: November 9, 2023

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of downloaded singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined
  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined
  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
    cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
    --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
    --bundle undefined \
    --new-bundle-format -
    Verified OK