Corporate SSO with TileDB Cloud SaaS

When using the hosted TileDB Cloud service, you can set up corporate SSO to TileDB Cloud. Users associated with the domain name you specify (a domain that you control) will be able to log in to the service without having to separately register or create a new password.
TileDB Cloud connects to your login provider with OpenID Connect, which is supported by most SSO systems, including Google Cloud, Okta, Microsoft, PingIdentity, and more.


To enable TileDB Cloud login, you will need to create an OpenID Connect integration with your SSO provider and configure it to accept requests from TileDB Cloud. These are the basic steps across all authentication providers; the walkthroughs below are just step-by-step guides of the same process for each identity provider.
  1. 1.
    Create an OpenID Connect integration.
  2. 2.
    Within your OpenID Connect integration:
    • Add the redirect URL (sometimes called a callback URL) of This allows login details for this integration to be sent to TileDB.
    • Enable required scopes (if needed):
      • openid (should already be enabled)
      • email (allows TileDB Cloud to access and verify the user’s email address)
      • profile (allows TileDB Cloud to see the user’s name and basic information)
  3. 3.
    Provide us with the following information from your OpenID Connect integration, along with the domain name you wish to enable corporate SSO for:
    • OpenID Client ID
    • OpenID Client Secret
    • OpenID Issuer URL

PingIdentity walkthrough

From your PingIdentity administration dashboard, enter the appropriate environment and click Connections → Applications in the sidebar.
The PingIdentity dashboard with the “Connections” menu in the sidebar (the thing that looks like an S) and the Applications sub-entry highlighted and opened.
Click the + icon to add a new application. This will open a dialog box for you to set up the OpenID Connect connection for TileDB Cloud to use. Give the application a name (“TileDB Cloud”) and select OIDC Web App from the options at the bottom of the page. Click Save.
The “Create Application” dialog, with the name TileDB Cloud and the “OIDC Web App” type.

Configuring the application for TileDB Cloud

After creating the application, you should now be on the configuration panel for your new TileDB Cloud connection.
The base configuration panel for the brand-new TileDB Cloud application.
Click the Protocol: OpenID Connect button to open the OpenID Connect configuration dialog. Add the Redirect URL, leave everything else unchanged, and click Save. This will allow TileDB Cloud to process logins.
Click Overview to return to the main tab, and click the Resource Access: 1 Scope button. In the dialog that pops up, add the email and profile scopes to the application. Click Save here as well.
The “profile” and “email” scopes added to the TileDB application.
Now the entire setup on the PingIdentity side is complete! Use the Access tab to configure who from your organization has access to TileDB Cloud (if desired) and enable the application.
Don’t close up PingIdentity yet, though; we still need the Client ID and Client Secret for TileDB Cloud.

TileDB Cloud setup

Return to the Configuration tab of the TileDB Cloud application in PingIdentity and expand the General zippy. (You may need to scroll down.)
The TileDB Cloud application configuration page, with the “General” zippy expanded.
TileDB Cloud needs three pieces of information from this page to successfully connect to PingIdentity:
  • The Issuer, which is a URL that will look like[some-uuid-goes-here]/as. It does not have a / on the end.
  • The Client ID, which identifies TileDB to PingIdentity. (For PingIdentity, this happens to be a UUID.)
  • the Client Secret, which allows TileDB to access PingIdentity resources (This is a random alphanumeric string.)
Copy all three of these and provide them to TileDB staff, along with the domain you wish to enable SSO on. Once TileDB’s side of the setup is complete, you should be ready to log in with SSO accounts from your chosen domain.

Okta walkthrough

Follow the regular Okta SSO setup steps, but use the redirect URL instead of a custom redirect URL for TileDB Cloud Enterprise. The Issuer will be your Okta base URL, without a / on the end (for example, The Client ID and Client Secret are the same as those from the Okta SSO guide.
Last modified 4mo ago