SingleStore’s Identity Platform


Currently, this is a public preview feature.

SingleStore Helios’s identity platform is an authentication proxy. When using the SingleStore Helios Portal or any other SingleStore Helios site, users log in to the SingleStore Helios identity platform. The Portal is an authentication client to the identity platform. It is an OpenID Connect (OIDC) client. The identity platform is actually an identity proxy: while the Portal uses OIDC to authenticate, the login process is to authenticate with an external Identity Provider (IdP) using either OpenID Connect (OIDC) or Security Assertion Markup Language (SAML).

The flow is:

  1. The Portal redirects to the authentication endpoint.

  2. This creates a request and redirects to a login page.

  3. On the login page, after you enter your email address, if SSO is required for your email domain, you will be redirected to your IdP. If SSO is allowed but not required, you can choose to log in with SSO..

  4. When that login process completes, an authentication code is generated and given to the Portal.

  5. The Portal exchanges that code for access and refresh tokens.

When the access token expires (within five minutes or less) the Portal asks for a fresh token. If the proxied connection is OIDC, the SingleStore identity platform checks the expiration time of the access token it holds for the external IdP and if it has or is about to expire then it refreshes that access token before refreshing the Portal’s access token.

For IdP-initiated login (OIDC only), the login page step is skipped.


Logging in with SSO does not currently grant membership in your SingleStore Helios organization. It is just authentication. Organization membership/RBAC based on IdP group membership is not supported. Users must still be added to your organization with invitations.

When SSO with SingleStore Helios is Already Available

If you already have an SSO connection set up because you followed the old instructions and opened a ticket, that SSO connection will continue to work at least for a while. You should migrate to the new self-service SSO setup.

To migrate, do a new SSO setup. Test it without putting it live. Once you have it tested, then put it live and open a support ticket to take down the old SSO connection. It’s okay for there to be some overlap between the old connection and the new connection.

IdP-initiated login (OIDC only) will always use the new self-service SSO connection.

Last modified: March 7, 2024

Was this article helpful?