Secure Access: SingleStore Helios Cloud OIDC and SAML Authentication

Now in public preview.

In the vast landscape of cloud-based databases, SingleStore Helios cloud has raised the bar by introducing an advanced self-service authentication service, providing robust support for OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) authentication protocols. We are happy to introduce the public preview launch of this capability — this authentication proxy adds an extra layer of security and flexibility for users accessing the SingleStore database.

The key feature of the SingleStore Identity Platform is self-service: customers configure identity provider (IdP) connections themselves and test them before they go live. Customers must prove they own the domains they use for SSO; once ownership is proven, all logins with the customer’s domain must use the customer’s IdP. Robust debugging information is captured and made available so that any failure to authenticate can be diagnosed.

Understanding the identity platform

SingleStore’s identity platform serves as the authentication gateway for users accessing various SingleStore database services. When logging into the SingleStore cloud portal (or any other SingleStore site), users authenticate through this identity platform. The portal, acting as an OIDC client, utilizes the identity platform for authentication. In turn, the identity platform acts as an identity proxy, facilitating authentication with an external Identity Provider (IdP) using either OIDC or SAML.

OIDC vs. SAML: Comparison

OpenID Connect (OIDC) and SAML are distinct authentication protocols, each with its own set of advantages. The SingleStore Helios cloud authentication service provides support for both, recognizing that different organizations may have varied preferences or existing infrastructure.

SAML

  • Communication method. SAML relies on browser redirects for all communication between the SingleStore identity system and the IdP. This makes it suitable for scenarios where the IdP is behind a firewall and inaccessible to requests from SingleStore’s cloud.
  • Fine-grain control. SAML offers fine-grain control over the information exchange between the IdP and the Service Provider (SP). Admins can configure attributes like first name, last name and email address, allowing for flexibility in data transfer.

OIDC

  • Enhanced security. OIDC supports robust logout because the IdP session is re-verified every time the IdP-provided ID token expires.
  • Ease of setup. There are fewer steps required to configure OIDC.

Configuration and fine-tuning

SAML configuration

SAML configuration involves exchanging XML configuration blobs and configuring attributes like first name, last name and email address on both the IdP and SP sides. While SingleStore Helios cloud currently utilizes only a subset of available data (first name, last name and email address), SAML allows for the potential inclusion of group memberships and other custom data.

OIDC configuration

OIDC configuration is generally more straightforward, but it requires careful attention to the specific scopes supported by the IdP platform (e.g., Okta, Ping). SingleStore’s identity system supports IdP-initiated authentication with OIDC, ensuring seamless integration.

Session management

For customers whose IdP connection uses OIDC, authentication sessions in the SingleStore cloud portal are tied to the access token granted by the customer’s IdP. Session duration is determined by the lifespan of this access token, or by whether it can be refreshed. If the IdP invalidates the refresh token (for instance through an administrative action such as removing the user), the access token expires and the session is closed. Notably, SingleStore Helios cloud does not impose a limit on session length, leaving that to the customer’s IdP policies.
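As an added illustration (constructed here, not SingleStore’s code), a small Python model of the session rule just described: the portal session stays active while the IdP access token is unexpired or can still be refreshed, a refresh the IdP refuses (for example after a user is removed) closes the session, and there is no portal-side maximum length. `FakeIdP`, `PortalSession` and the `rt-1` token value are assumptions of this model.

```python
# Constructed model of the OIDC session rule above; not SingleStore's code.
from dataclasses import dataclass, field


class RefreshRevoked(Exception):
    """The IdP refused the refresh token (e.g. an admin removed the user)."""


@dataclass
class FakeIdP:
    """Stand-in for the customer's IdP: issues short-lived access tokens and
    honours a refresh token until an admin revokes it."""
    access_ttl: int = 300                      # access-token lifetime, seconds
    revoked: set = field(default_factory=set)  # refresh tokens no longer honoured

    def login(self, now: int) -> tuple:
        return now + self.access_ttl, "rt-1"   # (access_exp, refresh_token)

    def refresh(self, refresh_token: str, now: int) -> int:
        """Return a new access-token expiry, or raise if the token was revoked."""
        if refresh_token in self.revoked:
            raise RefreshRevoked(refresh_token)
        return now + self.access_ttl

    def revoke(self, refresh_token: str) -> None:
        self.revoked.add(refresh_token)


@dataclass
class PortalSession:
    """Session held by the portal (the OIDC client)."""
    idp: FakeIdP
    access_exp: int
    refresh_token: str
    active: bool = True

    @classmethod
    def login(cls, idp: FakeIdP, now: int) -> "PortalSession":
        return cls(idp, *idp.login(now))

    def check(self, now: int) -> bool:
        """Active while the access token is unexpired or can be refreshed;
        a refused refresh closes the session for good. No portal-side cap."""
        if not self.active:
            return False
        if now < self.access_exp:
            return True
        try:
            self.access_exp = self.idp.refresh(self.refresh_token, now)
        except RefreshRevoked:
            self.active = False
        return self.active
```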

Key concepts and architectural details

Currently, the identity platform provides authentication but leaves authorization as a separate function. Even when SSO login is required for a customer’s domain, logging in via SSO does not by itself grant access to the customer’s organization; that is handled separately.

Tokens issued by the SingleStore identity platform can be used to access customer cloud databases. It is possible to separately set up JWKS so that tokens issued by the customers’ IdP can be used to access customer cloud databases.

Conclusion

SingleStore Helios cloud’s advanced authentication service with OIDC and SAML support represents a significant stride toward providing a secure and adaptable environment for users. The choice between OIDC and SAML caters to diverse organizational needs, allowing for seamless integration with different Identity Providers.

Whether prioritizing fine-grain control with SAML or ease of setup with OIDC, users can confidently navigate the SingleStore ecosystem while enjoying the benefits of a robust and flexible authentication mechanism.