Creating a New User

The following steps describe how to create a new user that will be authenticated using SAML 2.0.

  1. Connect to the master aggregator node as a user that has CREATE USER permissions.

  2. Replace the fictional values and execute the following statement to create a new user:

CREATE USER `johndoe`@`localhost` IDENTIFIED WITH authentication_saml;

The important part of this statement is the authentication_saml identification type. This user can no longer authenticate using the default method, but must provide a SAML 2.0 security token to establish their identity.

Authenticating a User

Once a user has been created and identified with the SAML 2.0 authentication method, they can connect to the database using a valid security token.

Connect to an aggregator node by replacing fictional values and executing the following statement:

mysql --host=localhost --port=3306 --user=johndoe --password=PHNhbWxwOlJlc3B...25zZT4= --enable-cleartext-plugin

The most important observation about this connection statement is the value of the password field. You must use a Base64-encoded SAML response as the password for a SAML-enabled user. In the example above, the password value is a truncated sample Base64-encoded SAML response — a real value will be much longer.

In addition to the Base64-encoded password, there are two other important details about this connection statement:

  • The --enable-cleartext-plugin flag ensures that the user’s password is passed to the internal SAML 2.0 authentication module in clear text. This flag is required.

  • More than one SingleStore node may be hosted at any given address, so the correct port must be specified. In this example, port 3306 is specified because it’s the default port for master aggregator nodes.
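The connection procedure above hinges on one detail: the "password" is a SAML 2.0 Response, Base64-encoded and sent in clear text to the aggregator. Before handing a token to the mysql client it is worth checking, on the client side, that the file you are about to encode really is a SAML 2.0 Response, that its Subject matches the database user you are logging in as, and that it is still inside its validity window, so a stale or mismatched token never reaches the server. The following Python script is an added example (not SingleStore's code or documentation): it embeds a constructed, unsigned sample response, performs those checks, Base64-encodes the XML, and assembles the `mysql` command line from the page. Signature verification of the response is the server's job and is not attempted here.

```python
import base64
import shlex
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Standard SAML 2.0 namespace URIs.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed, unsigned sample response used only to exercise this script.
# A real response issued by an IdP carries an XML signature and is far longer.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2023-04-26T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2023-04-26T12:00:00Z">
    <saml:Subject><saml:NameID>johndoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2023-04-26T11:55:00Z" NotOnOrAfter="2023-04-26T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def _parse_ts(value):
    # SAML timestamps are ISO 8601 in UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_saml_response(xml_text):
    """Pull out the fields checked before the token is used as a password."""
    # The token comes from your own IdP; for XML of unknown origin prefer defusedxml.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError(f"root element {root.tag} is not a SAML 2.0 Response")
    name_id = root.find(f".//{{{SAML}}}Subject/{{{SAML}}}NameID")
    cond = root.find(f".//{{{SAML}}}Conditions")
    if name_id is None or cond is None or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion lacks Subject/NameID or a bounded Conditions element")
    return {
        "name_id": (name_id.text or "").strip(),
        "not_before": _parse_ts(cond.get("NotBefore", "1970-01-01T00:00:00Z")),
        "not_on_or_after": _parse_ts(cond.get("NotOnOrAfter")),
    }


def token_is_current(info, now):
    # NotOnOrAfter is exclusive, as the SAML core spec defines it.
    return info["not_before"] <= now < info["not_on_or_after"]


def encode_password(xml_text):
    # The page's sample password "PHNhbWxwOlJlc3B..." is exactly this encoding
    # applied to a response beginning with "<samlp:Response".
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def build_mysql_argv(user, password, host="localhost", port=3306):
    # Mirrors the connection statement on the page, as an argv list.
    return ["mysql", f"--host={host}", f"--port={port}", f"--user={user}",
            f"--password={password}", "--enable-cleartext-plugin"]


def prepare_login(xml_text, expected_user, now=None):
    """Validate the token for expected_user and return the mysql argv to run."""
    now = now or datetime.now(timezone.utc)
    info = parse_saml_response(xml_text)
    if info["name_id"] != expected_user:
        raise ValueError(f"token subject {info['name_id']!r} is not {expected_user!r}")
    if not token_is_current(info, now):
        raise ValueError("SAML response is outside its NotBefore/NotOnOrAfter window")
    return build_mysql_argv(expected_user, encode_password(xml_text))


def login_rejection(xml_text, expected_user, now):
    """Return the reason prepare_login would refuse, or None if it would proceed."""
    try:
        prepare_login(xml_text, expected_user, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    when = _parse_ts("2023-04-26T12:00:00Z")  # inside the sample's validity window
    print(" ".join(shlex.quote(arg) for arg in prepare_login(SAMPLE_RESPONSE, "johndoe", when)))
```

Run it and the printed command has the same shape as the one on the page, with the full Base64 response in place of the truncated sample. Note that anything placed in `--password=` on the command line is visible to other local users through process listings; the mysql client can also read the password from a `--defaults-extra-file` or the `MYSQL_PWD` environment variable, which keeps the token out of `ps` output while still sending it in clear text to the server as the page requires.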

Last modified: April 26, 2023


Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of downloaded singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

     curl undefined

  2. Download the signature file from the SingleStore release server.

     • Option 1: Click the Download Signature button next to the SingleStore file.

     • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

     • Option 3: Run the following command to download the signature file.

       curl -O undefined

  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file. A successful verification prints "Verified OK"; any other output means the file or its signature should not be trusted.

     echo -n undefined |
     cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
       --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
       --bundle undefined \
       --new-bundle-format -
     Verified OK