OpenID Connect
To enable TileDB Cloud login with SSO, you’ll need to create an OpenID Connect integration with your SSO provider and configure it to accept requests from TileDB Cloud. Then, you can register this application within the TileDB Cloud web interface to connect it to TileDB Cloud SaaS.
If you run TileDB Cloud Self-Hosted, SSO can be set through configuration values starting with Enterprise Helm Chart version 2.10. Refer to Enterprise SSO for TileDB Cloud Self-Hosted for more information.
This page guides you through the identity provider (IdP) setup and provides walkthroughs for various IdPs.
IdP setup
TileDB Cloud supports most standard OpenID Connect IdPs. These basic steps are shared across all IdPs. For more detailed instructions on how to configure a specific provider with these settings, see the IdP-specific tutorials below.
Here are high-level steps to follow to set up your IdP:
- Create an OpenID Connect integration.
- Within your OpenID Connect integration:
  - Add the redirect URL (sometimes called a callback URL) of `https://cloud.tiledb.com/auth/sso/callback/perdomain`. This allows login details for this integration to be sent to TileDB.
  - Enable required scopes (if needed):
    - `openid` (should already be enabled)
    - `email` (allows TileDB Cloud to access and verify the user’s email address)
    - `profile` (allows TileDB Cloud to see the user’s name and basic information)
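Before registering the integration, it is worth confirming that the issuer URL and scopes you collected match what the IdP itself advertises. The following script is an added example, not part of TileDB's documentation or code: it validates an OpenID Connect discovery document against the values this page asks for (an issuer with no trailing slash, and the `openid`, `email` and `profile` scopes). The `fetch_discovery` helper and the sample discovery document are constructed for illustration.

```python
"""Sanity-check an OpenID Connect issuer before registering it with TileDB Cloud.

Added example (not TileDB code). The checks mirror the generic IdP setup steps:
the issuer must match the provider's discovery document exactly (no trailing
slash) and the provider must offer the openid, email and profile scopes.
"""
import json
import urllib.request

REQUIRED_SCOPES = {"openid", "email", "profile"}
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def fetch_discovery(issuer: str) -> dict:
    """Download the provider's discovery document (needs network access)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def check_issuer(configured_issuer: str, discovery: dict) -> list[str]:
    """Return a list of problems; an empty list means the values are usable."""
    problems = []
    if configured_issuer.endswith("/"):
        problems.append("issuer has a trailing slash; remove it")
    advertised = discovery.get("issuer")
    if advertised != configured_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: configured {configured_issuer!r}, "
                        f"discovery document says {advertised!r}")
    if "scopes_supported" in discovery:
        missing = REQUIRED_SCOPES - set(discovery["scopes_supported"])
        if missing:
            problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    else:
        problems.append("scopes_supported not published; confirm scopes manually")
    for key in REQUIRED_ENDPOINTS:
        if not str(discovery.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not served over https")
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems


# Constructed sample discovery document; the host reuses the page's example domain.
SAMPLE_DISCOVERY = {
    "issuer": "https://ingen.okta.com",
    "authorization_endpoint": "https://ingen.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://ingen.okta.com/oauth2/v1/token",
    "jwks_uri": "https://ingen.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "email", "profile"],
}

if __name__ == "__main__":
    for problem in check_issuer("https://ingen.okta.com/", SAMPLE_DISCOVERY):
        print("problem:", problem)
```

Replace `SAMPLE_DISCOVERY` with `fetch_discovery(issuer)` to run the same checks against your own provider.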
IdP-specific tutorials
These walkthroughs provide detailed steps for the IdP setup section for a few providers. TileDB Cloud supports other standard OpenID Connect providers beyond the ones listed below. For providers not listed in this page, you can adapt the generic instructions above to your provider.
Okta tutorial
To enable SSO, you need to first create an Okta OpenID Connect integration for your installation.
In the Okta Admin Dashboard, go to Applications and select Create App Integration. A dialog box will appear to initially set up the application. Create an OIDC - OpenID Connect integration with application type Web Application. Select Next once these are selected.
On the next page, give the integration a name (like “TileDB Cloud”) and set the sign-in redirect URI to `https://cloud.tiledb.com/auth/sso/callback/perdomain`. You can also remove the sign-out redirect URI, which TileDB Cloud does not use. All the other settings on this page can remain the same.
At the bottom of the page, decide which users in your Okta organization should have access to TileDB Cloud. Only those selected users will be able to log in. Select Save to create the integration.
You will be taken to the page for your new integration.
You now have all the information you need to set up TileDB Cloud:
- Issuer: Your Okta domain (for instance `https://ingen.okta.com`, with no slash at the end).
- Client ID: The client ID displayed on the page (for example, `a1b2c3d4e5f6g7h8i9j0`).
- Client Secret: The client secret (currently hidden; a longer string which looks something like `a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0`).
Continue the process with the next step.
PingIdentity tutorial
From your PingIdentity administration dashboard, enter the appropriate environment and select Connections > Applications in the sidebar.
Select the + icon to add a new application. This will open a dialog box for you to set up the OpenID Connect connection for TileDB Cloud to use. Give the application a name (such as TileDB Cloud) and select OIDC Web App from the options at the bottom of the page. Save your work.
After creating the application, you should now be on the configuration panel for your new TileDB Cloud connection.
Select the Protocol: OpenID Connect button to open the OpenID Connect configuration dialog. Add the Redirect URL `https://cloud.tiledb.com/auth/sso/callback/perdomain`, leave everything else unchanged, and select Save. This will allow TileDB Cloud to process logins.
Select Overview to return to the main tab, and select the Resource Access: 1 Scope button. In the pop-up modal, add the email and profile scopes to the application. Select Save here as well.
Now the entire setup on the PingIdentity side is complete! Use the Access tab to configure who from your organization has access to TileDB Cloud (if desired) and enable the application.
Don’t close up PingIdentity yet, though. You still need the Client ID and Client Secret for TileDB Cloud.
Return to the Configuration tab of the TileDB Cloud application in PingIdentity and expand the General zippy (you may need to scroll down).
TileDB Cloud needs three pieces of information from this page to successfully connect to PingIdentity:
- The Issuer, which is a URL that will look like `https://auth.pingone.com/[some-uuid-goes-here]/as`. It does not have a forward slash (`/`) at the end.
- The Client ID, which identifies TileDB to PingIdentity. For PingIdentity, this happens to be a UUID.
- The Client Secret, which allows TileDB to access PingIdentity resources (this is a random alphanumeric string).
Continue the process with the next step.