Connecting to your identity provider
With Cyral, you can authenticate database users and Cyral administrators against your identity provider (IdP) or single sign-on (SSO) platform using SAML 2.0. Once set up for SSO, Cyral delegates authentication to your identity provider. When a user authenticates successfully, Cyral grants them the appropriate privileges in the data store. Privileges can be based on each user's group memberships in the identity management system by creating access rules or admin user mappings
Prerequisites
Before you set up the SSO integration, make sure you have an Identity Provider that supports SAML 2.0.
note
Please be aware of the following regarding the Cyral SP:
- Cyral supports only SAML 2.0 HTTP-POST Binding.
- The SAML Assertion must contain the user's first name, last name, email, and group membership information.
- Cyral supports SP and IdP initiated login for most IdPs.
- Cyral supports both Single Sign-on (SSO) and Single Logout (SLO), however SLO is not required.
SSO
To set up an integration with your identity provider, please refer to the guides below.
- Active Directory Federation Service (ADFS)
- Azure Active Directory
- ForgeRock
- G Suite
- Okta
- OneLogin
- PingOne
- Other IdPs (for other SAML-based identity providers)
SCIM
Cyral supports the use of the SCIM protocol to retrieve group information from your SAML identity provider. While Cyral also supports other ways to retrieve group information from SAML, the SCIM approach is the only way to get group information for login workflows in which the user does not visit the Cyral Access Portal. For example, login through Tableau to Snowflake with Cyral SSO relies on Cyral's SCIM integration to retrieve the user's group information.
Prerequisites
Before you set up the SCIM integration, make sure you have:
- A working SAML SSO integration in Cyral.
note
Note the following limits on Cyral SCIM integrations:
- Cyral supports only SCIM 2.0.
- Bulk operations are not supported.
- Cyral supports only the
userandgroupresource types. No other custom resources are supported. - PUT and PATCH are both supported for user and group resource types.
- Cyral supports authentication only via a long-lasting OAuth 2.0 bearer token that's been sent as an HTTP authorization header.
Configure SCIM in your SAML 2.0 identity provider
See these guides to help configuring for your IDP:
Learn more
- After you've connected Cyral to your identity provider, see Set up SSO authentication for users for the steps to activate SSO authentication on each repository that will use it.
- Users can connect via your identity provider as explained here.
- You can embed a Cyral login button or Cyral token button on your employee access portal to give your users fast access to the Cyral access tokens they need for logging into a database.