IdP Configuration - Azure

SingleStore SCIM supports Azure with the SCIM 2.0 protocol and Microsoft Entra ID (Azure Active Directory).

Prerequisites

  • RBAC authorization for the Organization Team feature.

  • RBAC user sync for the Engine RBAC at SingleStore database level.

SCIM Provisioning in the SingleStore Helios Portal

Follow the instructions specified in SCIM User Provisioning.

SingleStore recommends that you check out the logAllRequests attribute for SCIM Connection to facilitate debugging.

SCIM Provisioning in the Azure Portal

Use the following steps to set up SCIM in the Azure portal. Refer to the Azure documentation for additional information.

  1. If you do not have an existing enterprise application, create one by clicking Create your own application, Non-Gallery.

  2. Use the API endpoint and secret from the SingleStore portal SCIM connection in the Provisioning section of the application. (Note: You MUST add '/?aadOptscim062020' to the end of the URL.)

    Refer to: Known issues with System for Cross-Domain Identity Management (SCIM) 2.0 protocol compliance - Microsoft Entra ID.

    Click on Test Connection.

    SingleStore recommends you check out the Send an email notification when a failure occurs option. Once you save, the grayed out buttons should become normal. If not, refresh the page.

  3. Set up the SCIM attribute mapping:

    SCIM User:

    A primary email is required for SingleStore to match users. You must ensure the primary email is valid and current. It is strongly recommended to map userPrincipalName to email. However, if userPrincipalName does not contain the primary email, then enter the correct primary email manually.

    Remove all unsupported attributes in the SCIM User mapping as shown in the screenshot below:

    SCIM Group:

    Leave as default.

  4. Test with Provision on demand.

    a. Add users/groups to the provision.

    b. Test sync a user to SingleStore. If adding a user syncs successfully, then the user should appear in the SingleStore Helios portal Users tab.

    c. Test other actions, such as delete.

  5. If all the above tests are successful, you can turn on provisioning. If there is any problem, check the provisioning log.
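
A pre-flight check for steps 2 and 3, added here as an illustration and not SingleStore or Microsoft code: it appends the flag to the endpoint exactly once and checks that a SCIM User payload carries one usable primary email. The endpoint URL, the sample payloads (RFC 7643 core User shape), the https requirement and the guest-UPN (#EXT#) check are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

FLAG = "aadOptscim062020"  # feature flag that step 2 says must end the URL
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse syntax check only

def tenant_url(endpoint: str) -> str:
    """Return the SCIM endpoint with '/?aadOptscim062020' appended exactly once."""
    parts = urlsplit(endpoint.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SCIM endpoint must be an absolute https URL")
    if parts.query not in ("", FLAG):
        raise ValueError(f"unexpected query string: {parts.query!r}")
    return urlunsplit(("https", parts.netloc, parts.path.rstrip("/") + "/", FLAG, ""))

def email_problems(user: dict) -> list[str]:
    """Reasons a SCIM User payload would not give SingleStore a usable primary email."""
    primary = [e for e in user.get("emails") or [] if e.get("primary") is True]
    problems = []
    if len(primary) != 1:
        problems.append(f"expected exactly one primary email, found {len(primary)}")
    for entry in primary:
        value = str(entry.get("value", ""))
        if "#EXT#" in value:  # guest-account UPN, not a deliverable mailbox
            problems.append(f"primary email is a guest UPN: {value}")
        elif not EMAIL_RE.match(value):
            problems.append(f"primary email is not an address: {value!r}")
    return problems

# Constructed sample payloads in RFC 7643 core User shape (not captured traffic).
MEMBER = {"userName": "alice@example.com",
          "emails": [{"type": "work", "primary": True, "value": "alice@example.com"}]}
GUEST = {"userName": "bob_partner.example#EXT#@contoso.onmicrosoft.com",
         "emails": [{"type": "work", "primary": True,
                     "value": "bob_partner.example#EXT#@contoso.onmicrosoft.com"}]}

if __name__ == "__main__":
    # Placeholder endpoint; copy the real one from the SCIM connection in the portal.
    print(tenant_url("https://scim.example.invalid/scim/v2"))
    for user in (MEMBER, GUEST):
        print(user["userName"], "->", email_problems(user) or "ok")
```

Run the payload check against the body that Provision on demand shows for a test user before turning provisioning on.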

Remarks

  • If you create a new SCIM connection for which the SingleStore side does not have any details yet, but Azure still has some of the previous provisioning information, this could cause an error. In such a case, use Delete configuration in the Overview (preview) page to have a clean SCIM provision on the Azure side.

  • If the Azure provisioning system tries to sync nonexistent attributes, remove the attribute mapping and then re-enter it.

Last modified: March 12, 2025
