TileDB Cloud Enterprise

Starting from release 2.10 of our Enterprise Helm Chart, you can use configuration values to enable corporate SSO via OpenID Connect. There are some differences compared to SSO in the TileDB Cloud SaaS product:

  • Domain verification is not required (since you are hosting and controlling your own installation).

  • Users are not automatically added to an organization upon login.

  • You can rewrite OpenID Connect claims if needed.

Configuration details

These configuration stanzas in the values.yaml file contain the necessary values to enable corporate SSO with your TileDB Cloud enterprise installation. By configuring these settings, the TileDB Cloud backend will be able to connect to your company's OpenID Connect–based SSO service.

Claim rewriting

If your OpenID Connect implementation doesn't provide data in the necessary format, you can configure TileDB Cloud to rewrite the claims to get what it needs. This is configured as a mapping of the form {"target": "template string with {other}"}, where target is the name of the claim that will be written, and the value is a template string in which each placeholder such as {other} is replaced by the value of that claim from the source claims.

In this case, performing the above substitution on an OpenID Connect token with the following claims:

{"claim1": "example", "other": "data"}

will result in the addition of a target claim:

{"claim1": "example", "other": "data", "target": "template string with data"}

For instance, if the OIDC provider doesn't include an email claim but does include a preferred_username claim containing a bare username, you can configure the substitution:

{"email": "{preferred_username}@mycompany.example"}

This will transform a token like:

{"iss": "some_issuer", "sub": "some_sub", "preferred_username": "the-user"}

into

{
  "iss": "some_issuer",
  "sub": "some_sub",
  "preferred_username": "the-user",
  "email": "the-user@mycompany.example"
}

Alternatively, if your preferred_username claim already contains a full email address, you can omit the suffix:

{"email": "{preferred_username}"}
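The substitution described above, written out as a small Python function so you can check what a given ClaimMapping would produce before putting it into values.yaml. This is an added example, not TileDB's own implementation: the placeholder syntax ({claim_name}), the decision to read placeholder values from the original source claims rather than from already-rewritten ones, and the handling of a placeholder whose claim is missing or non-string (the target is skipped and reported) are assumptions of this example, not documented behaviour.

```python
import re
from typing import Dict, List, Tuple

# A placeholder looks like {preferred_username}. Restricting claim names to
# alphanumerics plus "_", "-" and "." is an assumption of this example.
_PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_.\-]+)\}")


def rewrite_claims(claims: Dict[str, object],
                   mapping: Dict[str, str]) -> Tuple[Dict[str, object], List[str]]:
    """Apply a ClaimMapping to the claims of one token.

    Returns (new_claims, skipped_targets). A target is skipped when any
    placeholder in its template refers to a claim that is absent from the
    token or is not a string; how TileDB Cloud itself treats that case is
    not stated on the page, so this behaviour is an assumption.
    """
    result = dict(claims)          # never mutate the caller's token
    skipped: List[str] = []
    for target, template in mapping.items():
        names = _PLACEHOLDER.findall(template)
        missing = [n for n in names if not isinstance(claims.get(n), str)]
        if missing:
            skipped.append(target)
            continue
        # Placeholder values come from the source claims, so the outcome does
        # not depend on the order of entries in the mapping (assumption).
        result[target] = _PLACEHOLDER.sub(lambda m: claims[m.group(1)], template)
    return result, skipped


def example_bare_username() -> Dict[str, object]:
    """The page's preferred_username -> email case (constructed token)."""
    token = {"iss": "some_issuer", "sub": "some_sub",
             "preferred_username": "the-user"}
    rewritten, _ = rewrite_claims(
        token, {"email": "{preferred_username}@mycompany.example"})
    return rewritten


def example_missing_source() -> Tuple[Dict[str, object], List[str]]:
    """A token without preferred_username: the email target is skipped."""
    token = {"iss": "some_issuer", "sub": "some_sub"}
    return rewrite_claims(
        token, {"email": "{preferred_username}@mycompany.example"})


if __name__ == "__main__":
    print(example_bare_username())
    print(example_missing_source())
```

Run it with a few representative tokens from your provider (the sample tokens above are constructed) to confirm that the claim TileDB Cloud needs comes out in the expected shape before enabling the mapping.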

Configuration file

Customize these parameters by replacing the example values listed below with details for your specific SSO service's OpenID Connect configuration.

# The tiledb-cloud-rest.restConfig.SSO.OIDC field contains server-side configuration
# to allow users to log in with SSO.
tiledb-cloud-rest:
  restConfig:
    SSO:
      # The "OIDC" key is a list of OpenID Connect configurations,
      # one for each email domain.
      OIDC:
        - Domain: mycompany.example
          OIDCIssuer: https://sso.mycompany.example/oidc-issuer
          OIDCClientID: tiledb-client-id
          OIDCClientSecret: tiledb-client-secret
          ClaimMapping:
            {"email": "{preferred_username}@mycompany.example"}
          # If you have users logging in with more than one email domain,
          # you can use multiple OpenID Connect configurations.
          # They may use the same issuer or a different one, as needed.
        - Domain: subsidiary.example
          OIDCIssuer: https://sso.mycompany.example/subsidiary-login
          OIDCClientID: other-client-id
          OIDCClientSecret: other-client-secret
          # If the ClaimMapping entry is missing, the claims are not modified.

# Setting tiledb-cloud-ui.config.EnableCompanySSO shows the "Corporate SSO" button
# in the TileDB Cloud web login screen.
tiledb-cloud-ui:
  config:
    EnableCompanySSO: true
