Okta Self Serve SSO Steps - SAML

The following steps have to be executed in the SingleStore Helios Portal and the Okta Admin portal sequentially.

In the SingleStore Helios Portal

  1. Open the ORG:your-org menu in the top right corner and go to Organization Details.

  2. Select the Authentication tab.

  3. Use the Add Identity Provider list on the right to add a SAML 2.0 identity provider connection.

  4. Add a Connection Name, for example, Okta SAML.

  5. Copy SingleStore’s Service Provider Configuration and store it in a file with a .xml extension.

In the Okta Admin Portal

  1. In the Okta Admin console, go to Admin mode and select Applications from the left panel.

  2. Select Applications/Applications.

  3. In the Browse App Catalog, select Create New App or Create App Integration.

  4. Choose SAML 2.0.

  5. Fill in the details:

    • App integration name as SingleStore or SingleStore SAML.

    • Select Logo and upload a SingleStore logo.

  6. Select Do not display application icon to users as IdP-initiated login is not yet supported for SAML.

  7. Click the Next button to switch to the Configuration SAML tab.

  8. Configure the following, copying values from the SingleStore Helios Portal:

    • Copy SingleStore's Login and Logout URL and paste it into Single sign-on URL in Okta.

    • Copy SingleStore's Entity ID and paste it into Audience URI (SP Entity ID) in Okta.

    • Select the Use this for Recipient URL and Destination URL checkbox under the Single sign-on URL field.

  9. Set Name ID format to Persistent.

  10. Under Attribute Statements (optional) add the following attributes:

    Name         Name Format    Value
    email        Basic          user.email
    lastName     Basic          user.lastName
    firstName    Basic          user.FirstName

  11. Select Next.

  12. Select Finish on the next screen and ignore the optional questions and checkboxes.

  13. On the next screen, in the Sign On tab, scroll to the SAML Signing Certificates section, click Actions next to the Active status, and select View IdP metadata from the dropdown menu.

  14. Copy the metadata URL and save the metadata as an XML file on your local computer.

In the SingleStore Helios Portal

  1. Scroll to the second section (Identity provider XML) and upload the XML file from the step above.

  2. Set up the Domain in the third step. Click Add Domain, enter a valid domain, and set up Domain Attributes if required. Click the Actions button and verify your domain.

  3. Under Map User Attributes, fill in the details as per the table in the Okta Admin portal section (email is “email”, lastName is “lastName”, firstName is “firstName”).

  4. Select Save.

  5. Select Update Connection.

  6. Copy SingleStore’s Certificate and save it as a .pem file.

In the Okta Admin Portal

  1. Go to General, and select Edit on SAML Settings.

  2. Select Next to bypass General Settings.

  3. Select Show Advanced Settings.

  4. Select the .pem file with SingleStore’s certificate that was copied in the SingleStore Helios Portal section and upload it to Signature Certificate.

  5. In Signed Requests, turn on Validate SAML requests with signature certificates.

  6. Select Next.

  7. Select Finish.

If you provided the correct Domain and Certificates, the status of your connection will be changed to Verified/Active (green checkbox).
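
A pre-flight check of the two metadata files saved during the steps above (SingleStore's Service Provider Configuration and Okta's IdP metadata), as an added example that is not SingleStore's or Okta's code. It extracts the Entity ID and endpoint URLs that get pasted between the portals and flags basic mismatches; the function names, the sample XML and its hosts are constructed, and the AuthnRequestsSigned check assumes the SP metadata declares request signing.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def summarize(xml_text):
    """Extract the fields the setup steps copy between the two portals."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD in SAML metadata")  # refuse entity declarations
    root = ET.fromstring(xml_text)
    for kind, tag in (("sp", "SPSSODescriptor"), ("idp", "IDPSSODescriptor")):
        role = root.find(MD + tag)
        if role is not None:
            break
    else:
        raise ValueError("no SP or IdP descriptor found")
    endpoints = [(e.tag[len(MD):], e.get("Location")) for e in role if e.get("Location")]
    # A KeyDescriptor without a "use" attribute applies to signing as well as encryption.
    certs = [c.text for kd in role.findall(MD + "KeyDescriptor")
             if kd.get("use") in (None, "signing")
             for c in kd.iter(DS + "X509Certificate")]
    prints = [hashlib.sha256(base64.b64decode(c)).hexdigest() for c in certs]
    return {"kind": kind, "entity_id": root.get("entityID"), "endpoints": endpoints,
            "cert_sha256": prints, "requests_signed": role.get("AuthnRequestsSigned") == "true"}

def findings(sp, idp):
    """Mismatches worth resolving before the connection is saved."""
    out = [f"{s['kind']}: endpoint is not HTTPS: {url}"
           for s in (sp, idp) for _, url in s["endpoints"]
           if not url.startswith("https://")]
    if not idp["cert_sha256"]:
        out.append("idp: metadata carries no signing certificate")
    if not sp["requests_signed"]:
        out.append("sp: AuthnRequestsSigned not declared, yet Okta is set to validate request signatures")
    return out

# Constructed sample metadata: hosts, entity IDs and certificate bytes are placeholders.
SP_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:example:sp">
<SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com/login/callback" index="0"/></SPSSODescriptor></EntityDescriptor>"""
IDP_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://idp.example.com/app">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
<X509Certificate>Y29uc3RydWN0ZWQ=</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://idp.example.com/sso"/>
</IDPSSODescriptor></EntityDescriptor>"""

if __name__ == "__main__":
    print(findings(summarize(SP_XML), summarize(IDP_XML)))
```

Each cert_sha256 value is the SHA-256 of the DER-encoded signing certificate, so it can be compared with the fingerprint of the certificate shown as Active in the SAML Signing Certificates section.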

Last modified: November 26, 2024
