Configure SingleStore SSO using PingOne

Overview

These instructions describe how to configure single sign-on (SSO) for PingOne for use with SingleStore Managed Service. To log in to SingleStore, go to https://portal.singlestore.com.

Configure PingOne

  1. Navigate to the PingOne admin console and click PingOne SSO.

  2. Click Connections.

  3. Next to Applications, click + (plus).

  4. Click Web App.

  5. Click the Configure button next to SAML.

  6. In the Create App Profile panel:

    1. In the Application Name field, enter the name of the application (SingleStore).

    2. In the Description field, enter a description for this application.

    3. In the Icon field, download and apply the following image: singlestore_icon.png

      To save the full-size image, right-click this SingleStore icon, open it in another tab or window, right-click the image in the new tab or window, and save it to your computer.

    4. Click Next.

  7. In the Configure SAML panel:

    1. Under Provide App Metadata, select Import Metadata.

    2. Edit the following XML and replace both instances of YOUR-DOMAIN-NAME with the domain name you’ll be using to sign on. Then, import this edited XML.

      <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://auth.singlestore.com/auth/realms/memsql">
          <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
                  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
              <KeyDescriptor use="encryption">
                <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                  <dsig:KeyName>jAJ1Baa7zIHaUFcQVNwdudBZ_Hf7otmPAST_W3lpv7c</dsig:KeyName>
                  <dsig:X509Data>
                    <dsig:X509Certificate>MIICmzCCAYMCBgFlkRngfjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZNZW1TUUwwHhcNMTgwODMxMTc0NjU2WhcNMjgwODMxMTc0ODM2WjARMQ8wDQYDVQQDDAZNZW1TUUwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPi6mTaWOijeYPngHcj4R0ZH83nA8CfF9olTKWXLfzjN/Chno1NXRyD8/ZMMVxQSbfJgphTZ3n9aFgxRwohl110eOxJGE93On2gRRm5Z8uhjLBWFuOj+HrY2EyKVeiUwdEqaVPw3usIywy7kokJb5EDrPFczgfB0exDD65MrCR36G4EDIkuI8lyCMaEgkkRXDJdufPPHtyTq4dfsjZ2EqHij4luEecTeHybdyUMOzVs3TUHDJsVZhMTEsPquIUQNU4yIAmyT1HpZ/DtgH5KJ6WLm5cUaQHTaN8X6ST3hnMvVuvNLUW73oZekQ7ua1V03oihk0YoAvZ7b/ABpBZz2gpAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAEQkjLX15+H4ORz+jblCZHAwzWy60sGShIDWAGoVGS5VvvrXVo2+IhhElgVwvZDXhg9faUItIvEDO2ptcvEJqLwy/xfqxS0DNx/5cntiw88zlk3NkR0cjUubLJ7ff9AQUcMQNrB9n6uiayRIt8fc+crmTR5j+7uBAWquArW5ZLK7eE2wFAyNA0qSidD8VzjpFU4WMDRCyQwNpuZEBSAaQ3UfKUSC+zbroHyGC9QPEsGNTnUnY/eZ2lVK8ZaARmpccsBT8C7Mqt3t35igzlWsfIR+/dzDKGurFk/krchQ3U2aL5DX6T+8ZDtvPK67yBGyllQccMfWAIabQSwyKsPXazU=</dsig:X509Certificate>
                  </dsig:X509Data>
                </dsig:KeyInfo>
              </KeyDescriptor>
              <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://auth.singlestore.com/auth/realms/memsql/broker/YOUR-DOMAIN-NAME/endpoint"/>
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
              <AssertionConsumerService
                      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://auth.singlestore.com/auth/realms/memsql/broker/YOUR-DOMAIN-NAME/endpoint"
                      index="1" isDefault="true" />
          </SPSSODescriptor>
      </EntityDescriptor>
    3. In the ACS URLs field, enter:

      https://auth.singlestore.com/auth/realms/memsql/broker/YOUR-DOMAIN-NAME/endpoint

      Replace YOUR-DOMAIN-NAME with the domain name you’re using for authentication (user@domain).

    4. Select the Sign Assertion and Response radio button.

    5. In the Subject Named Format drop-down, select persistent.

    6. In the Assertion Validity drop-down, select 600 seconds.

    7. In the Target Application URL field, enter https://portal.singlestore.com.

    8. Select the Enforce Signed Authn Request checkbox.

    9. Click Save and Continue.

  8. In the Map Attributes panel, add the following values.

    When completed, take a screenshot of this page and click the Save and Close button.

    Application Attribute    Outgoing Value
    saml_subject             User ID
    id                       User ID
    memberOfGroupNames       Group IDs
    name.given               Given Name
    name.family              Family Name
    email                    Email Address

  9. In the SingleStore application, in Configuration → Connection Details → Download Metadata, click the Download button.

  10. In the top right corner of the page, move the slider to enable the SingleStore application.

  11. Provide the following information to SingleStore by opening a support request:

    • The SAML attributes screenshot you saved in Step 8.

    • The metadata file that you downloaded in Step 9.

    • Your identity provider (PingOne).

    • The domain name you’ll be using to sign on with (email@domain).

  12. Choose which users should have access to SingleStore. Don’t forget this step!

  13. SingleStore will contact you when Managed Service has been configured to use SSO for your organization’s PingOne users.

  14. To log in, go to https://portal.singlestore.com, click Single Sign-On, enter your email address, and click Continue.
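
A pre-import check for the metadata edited in step 7.2, as an added example that is not part of the original SingleStore instructions: it fills in the domain and then confirms that no placeholder remains, that both endpoints point at the expected broker URL, and that signed assertions are still required. The trimmed TEMPLATE (KeyDescriptor omitted), the function names, and the domain-name pattern are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
BROKER = "https://auth.singlestore.com/auth/realms/memsql/broker/{}/endpoint"
PLACEHOLDER = "YOUR-DOMAIN-NAME"

# Constructed, trimmed copy of the page's SP metadata (KeyDescriptor omitted for brevity).
TEMPLATE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://auth.singlestore.com/auth/realms/memsql">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://auth.singlestore.com/auth/realms/memsql/broker/YOUR-DOMAIN-NAME/endpoint"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://auth.singlestore.com/auth/realms/memsql/broker/YOUR-DOMAIN-NAME/endpoint" index="1" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

def fill_metadata(template, domain):
    """Replace the placeholder, refusing anything that is not a bare domain name."""
    # Assumed pattern: letters, digits, dots and hyphens only (rejects user@domain, URLs).
    if not re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?", domain):
        raise ValueError(f"not a plain domain name: {domain!r}")
    return template.replace(PLACEHOLDER, domain)

def check_metadata(xml_text, domain):
    """Return a list of problems; an empty list means the file is ready to import."""
    problems = []
    if PLACEHOLDER in xml_text:
        problems.append("placeholder YOUR-DOMAIN-NAME still present")
    sp = ET.fromstring(xml_text).find(f"{MD}SPSSODescriptor")
    if sp is None:
        return problems + ["no SPSSODescriptor element"]
    if sp.get("WantAssertionsSigned") != "true":
        problems.append("WantAssertionsSigned is not true")
    expected = BROKER.format(domain)
    # Both the logout and the assertion consumer endpoints must carry the domain.
    for tag in ("SingleLogoutService", "AssertionConsumerService"):
        locations = [e.get("Location") for e in sp.findall(f"{MD}{tag}")]
        if locations != [expected]:
            problems.append(f"{tag} Location is {locations}, expected {expected}")
    return problems
```

The same expected URL is the value entered in the ACS URLs field in step 7.3, so a mismatch reported here also flags a typo there.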