Single Sign-On (SSO) for CockroachDB Cloud

Users may authenticate to the CockroachDB Cloud Console using Single Sign-On (SSO). GitHub, Google, and Microsoft are supported as identity providers (IdPs).

Authentication with a centralized identity managed by a dedicated IdP offers several security advantages:

• All supported SSO providers (Google, Microsoft, and GitHub) support multi-factor authentication (MFA).
• Administrators avoid responsibility for managing an additional set of credentials and tying those to other identities and credentials. Every additional credential or identity management operation introduces risk as well as costing effort, so minimizing these is doubly advantageous.
• Administrators can onboard and offboard users quickly and efficiently.

Preview: Enterprise authentication

Support for SAML and OIDC identity protocols

Security Access Markup Language (SAML) and OpenID Connect (OIDC) are identity protocols that allow applications and services to rely on identity providers (IdPs) for centralized authentication.

With support for SAML and OIDC, CockroachDB Cloud allows enterprise organizations to use a wide variety of self-hosted or SaaS enterprise IdP solutions, such as Okta, Active Directory, Onelogin, etc., to authenticate to the CockroachDB Cloud Console.

Custom sign-in page

With this feature, customers get a unique and private sign-in URL for their CockroachDB Cloud organization, and will no longer use the public sign-in URL.

Extended configuration options

Enterprise authentication allows CockroachDB Cloud organization admins to configure a list of allowed and disallowed authentication methods.

Only enabled authentication methods are shown on the custom sign-in page.

Auto-provisioning

This optional enterprise feature removes the need to invite users to your organization. When auto-provisioning is enabled, a CockroachDB Cloud account will be created automatically for your users when they sign in to the custom sign-in page for the first time.

How to enable enterprise authentication for CockroachDB Cloud

Reach out to your Cockroach Labs team to enquire about the preview of Enterprise Authentication for Cloud SSO.

CockroachDB Cloud SSO Frequently Asked Questions (FAQ)

Will it work if I try to sign in with SSO without explicitly setting it up for my account, if I already use an email from an SSO Provider such as Gmail?

Yes, as long as the email address associated with your SSO provider is exactly the same as the one associated with your existing CockroachDB Cloud account. After successfully signing in, you will be prompted to approve the updated authentication method for your account.

To view your current authentication method, visit My Account in the CockroachDB Cloud Console.

Once I change my active login method to a new SSO provider, can I still sign in using my email/password combination or my GitHub identity?

No. Only one authentication method can be active for each CockroachDB Cloud Console user. Visit My Account in the CockroachDB Cloud Console to view or update your active authentication method.

Does this change how administrators invite users?

The workflow for inviting team members to CockroachDB Cloud remains the same. If Enterprise Authentication is enabled for your CockroachDB Cloud organization, then you don't need to invite SSO users.

As an admin, how do I deprovision a user's access to CockroachDB Cloud Console if they leave the relevant project?

If a user is using SSO, deleting the user's identity at the level of the SSO provider (for example, by deleting a user's GCP account) also removes their access to the CockroachDB Cloud organization.

To remove a user's access to CockroachDB Cloud without deleting their SSO identity, you can remove their CockroachDB Cloud user identity from your CockroachDB Cloud organization.

Can admins require a particular login method for their CockroachDB Cloud organization?

Yes, as long as Enterprise Authentication is enabled for your CockroachDB Cloud organization.