Corporate SSO with TileDB Cloud SaaS
When using the hosted TileDB Cloud service, you can set up corporate SSO to TileDB Cloud. Users associated with the domain name you specify (a domain that you control) will be able to log in to the service without having to separately register or create a new password.
TileDB Cloud connects to your login provider with OpenID Connect, which is supported by most SSO systems, including Google Cloud, Okta, Microsoft, PingIdentity, and more.
To enable TileDB Cloud login, you will need to create an OpenID Connect integration with your SSO provider and configure it to accept requests from TileDB Cloud. These are the basic steps across all authentication providers; the walkthroughs below are just step-by-step guides of the same process for each identity provider.
1. Create an OpenID Connect integration.
2. Within your OpenID Connect integration:
   - Add the redirect URL (sometimes called a callback URL) of https://cloud.tiledb.com/auth/sso/callback/perdomain. This allows login details for this integration to be sent to TileDB.
   - Enable the required scopes (if needed):
     - openid (should already be enabled)
     - profile (allows TileDB Cloud to see the user's name and basic information)
3. Provide us with the following information from your OpenID Connect integration, along with the domain name you wish to enable corporate SSO for:
   - OpenID Client ID
   - OpenID Client Secret
   - OpenID Issuer URL
PingIdentity
From your PingIdentity administration dashboard, enter the appropriate environment and click Connections → Applications in the sidebar.
The PingIdentity dashboard with the “Connections” menu in the sidebar (the thing that looks like an S) and the Applications sub-entry highlighted and opened.
Click the + icon to add a new application. This will open a dialog box for you to set up the OpenID Connect connection for TileDB Cloud to use. Give the application a name (“TileDB Cloud”) and select OIDC Web App from the options at the bottom of the page. Click Save.
The “Create Application” dialog, with the name TileDB Cloud and the “OIDC Web App” type.
After creating the application, you should now be on the configuration panel for your new TileDB Cloud connection.
The base configuration panel for the brand-new TileDB Cloud application.
Click the Protocol: OpenID Connect button to open the OpenID Connect configuration dialog. Add the Redirect URL https://cloud.tiledb.com/auth/sso/callback/perdomain, leave everything else unchanged, and click Save. This will allow TileDB Cloud to process logins.
Click Overview to return to the main tab, and click the Resource Access: 1 Scope button. In the dialog that pops up, add the email and profile scopes to the application. Click Save here as well.
The “profile” and “email” scopes added to the TileDB application.
Now the entire setup on the PingIdentity side is complete! Use the Access tab to configure who from your organization has access to TileDB Cloud (if desired) and enable the application.
Don’t close up PingIdentity yet, though; we still need the Client ID and Client Secret for TileDB Cloud.
Return to the Configuration tab of the TileDB Cloud application in PingIdentity and expand the General zippy. (You may need to scroll down.)
The TileDB Cloud application configuration page, with the “General” zippy expanded.
TileDB Cloud needs three pieces of information from this page to successfully connect to PingIdentity:
- The Issuer, which is a URL that will look like https://auth.pingone.com/[some-uuid-goes-here]/as. It does not have a / on the end.
- The Client ID, which identifies TileDB to PingIdentity. (For PingIdentity, this happens to be a UUID.)
- The Client Secret, which allows TileDB to access PingIdentity resources. (This is a random alphanumeric string.)
Copy all three of these and provide them to TileDB staff, along with the domain you wish to enable SSO on. Once TileDB’s side of the setup is complete, you should be ready to log in with SSO accounts from your chosen domain.
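Before handing the values over, it is worth confirming that the Issuer is well formed (in particular, that it has no trailing slash) and that the provider's OpenID Connect Discovery metadata actually advertises the scopes granted above. The following check script is an added example, not TileDB's or PingIdentity's own tooling; the issuer, environment UUID and discovery document in it are constructed placeholders.

```python
from urllib.parse import urlparse

# Scopes the walkthrough grants to TileDB Cloud.
REQUIRED_SCOPES = {"openid", "profile", "email"}

def check_issuer(issuer: str) -> list:
    """Return the problems found with a copied Issuer URL (empty = OK)."""
    problems = []
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append("issuer must be an absolute https URL")
    if issuer.endswith("/"):
        problems.append("issuer must not have a / on the end")
    if parsed.query or parsed.fragment:
        problems.append("issuer must not contain a query string or fragment")
    return problems

def discovery_url(issuer: str) -> str:
    """Metadata location that OpenID Connect Discovery derives from the issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(issuer: str, doc: dict) -> list:
    """Compare the provider's published metadata with the copied issuer."""
    problems = []
    # Discovery requires the published issuer to match the configured one
    # exactly, so a stray trailing slash in the copied value breaks login.
    if doc.get("issuer") != issuer:
        problems.append(f"published issuer {doc.get('issuer')!r} != {issuer!r}")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not offered: " + ", ".join(sorted(missing)))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    return problems

# Constructed sample: PingOne-style issuer with a placeholder environment
# UUID, plus a cut-down discovery document of the kind such an issuer serves.
SAMPLE_ISSUER = "https://auth.pingone.com/00000000-0000-0000-0000-000000000000/as"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/jwks",
    "scopes_supported": ["openid", "profile", "email"],
}
```

To check a live provider, fetch discovery_url(issuer) over HTTPS and pass the parsed JSON to check_discovery; the same checks apply to an Okta base URL used as the Issuer.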
Okta
Follow the regular Okta SSO setup steps, but use the redirect URL https://cloud.tiledb.com/auth/sso/callback/perdomain instead of a custom redirect URL for TileDB Cloud Enterprise. The Issuer will be your Okta base URL, without a / on the end (for example, https://biosyn.okta.com). The Client ID and Client Secret are the same as those from the Okta SSO guide.