
Authenticate repository access with SSO

With Cyral, you can authenticate data repository users against your enterprise single sign-on (SSO) platform. By ensuring that data repository users log in with their SSO credentials, you ensure your data access logging reflects people's true identities. You also have the option to grant access based on a user's group memberships in the SSO platform.

Prerequisites

Before you set up SSO for a repository, make sure you've completed these steps:

Procedure

Check out our video overview of this procedure!

Add the native repository credentials to your secrets manager

Each SSO user will map to a native user account in your data repository (we call this the local account). For example, SSO user Frank Hardy might map to a PostgreSQL user, analyst, that you have created.

  • For each local account, create and store its username and password as a secret in your secrets manager. For this example, we'll use AWS Secrets Manager. See the AWS Secrets Manager tutorial for instructions.
    {
      "username": "analyst",
      "password": "pwsd%83#gg*!"
    }

Give the Cyral control plane access to the repository account

In this step, you will specify the local account(s) that SSO users will ultimately log in as when they connect to the repository.

  1. In AWS Secrets Manager, retrieve the ARN for the local account credentials you created.

  2. In the Cyral control plane UI, go to Data Repos, click the name of your repository, click Local Accounts, and click the plus sign to track a new local account.

  3. In the Track Account form, enter the account username.

  4. Choose the type of secrets manager, and paste the ARN for the local account credentials. Inside the ARN, the secret must start with the /cyral/dbsecrets prefix. Here's an example:

    arn:aws:secretsmanager:us-east-1:926775727812:secret:/cyral/dbsecrets/1m2xbhDKKCnEOU812c9KFCF0kfz-9mh6lx

  5. Click Track.
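The two preceding steps (storing the local account credentials as a secret, then handing Cyral an ARN whose secret name starts with /cyral/dbsecrets) are the part of the procedure most often done in a script. The following is an added example, not Cyral's own code or tooling: it builds the JSON payload shown above, assembles the `aws secretsmanager create-secret` command line for a name under the required prefix, and checks an ARN before you paste it into the Track Account form. The ARN, account ID and credentials in it are constructed placeholders; the assumed ARN shape is the standard Secrets Manager one (region, 12-digit account, `secret:` followed by the name and a random 6-character suffix).

```python
import json
import re

# Prefix Cyral requires inside the secret name (from the procedure above).
REQUIRED_PREFIX = "/cyral/dbsecrets/"

# Assumed Secrets Manager ARN shape:
#   arn:aws:secretsmanager:<region>:<12-digit account>:secret:<name>-<6-char suffix>
# Names may themselves contain hyphens, so the greedy <name> group backtracks to
# the last hyphen, which is where AWS appends its random suffix.
ARN_RE = re.compile(
    r"^arn:aws:secretsmanager:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":secret:(?P<name>.+)-[A-Za-z0-9]{6}$"
)


def build_secret_string(username: str, password: str) -> str:
    """Return the JSON payload Cyral expects for a local account secret."""
    if not username or not password:
        raise ValueError("username and password must both be non-empty")
    return json.dumps({"username": username, "password": password})


def create_secret_command(secret_name: str, secret_string: str) -> list:
    """Build the argv for `aws secretsmanager create-secret` (not executed here).

    Refuses names outside the /cyral/dbsecrets/ prefix so the mistake is
    caught before the secret exists rather than when Cyral rejects the ARN.
    """
    if not secret_name.startswith(REQUIRED_PREFIX):
        raise ValueError(f"secret name must start with {REQUIRED_PREFIX}")
    return [
        "aws", "secretsmanager", "create-secret",
        "--name", secret_name,
        "--secret-string", secret_string,
    ]


def secret_name_from_arn(arn: str):
    """Extract the secret name from an ARN, or None if the ARN is malformed."""
    match = ARN_RE.match(arn)
    return match.group("name") if match else None


def check_arn(arn: str) -> bool:
    """True only if the ARN parses and its secret name carries the Cyral prefix."""
    name = secret_name_from_arn(arn)
    return name is not None and name.startswith(REQUIRED_PREFIX)


def validate_secret_string(secret_string: str) -> dict:
    """Parse a stored secret and confirm it has the two keys Cyral reads."""
    data = json.loads(secret_string)
    missing = {"username", "password"} - set(data)
    if missing:
        raise ValueError(f"secret is missing keys: {sorted(missing)}")
    return data


if __name__ == "__main__":
    # Constructed sample values; replace with your own account details.
    payload = build_secret_string("analyst", "example-password")
    print(" ".join(create_secret_command(REQUIRED_PREFIX + "analyst", payload)))
    sample_arn = ("arn:aws:secretsmanager:us-east-1:123456789012:secret:"
                  "/cyral/dbsecrets/analyst-AbCdEf")
    print("ARN accepted:", check_arn(sample_arn))
    print("Parsed secret:", validate_secret_string(payload))
```

Run the printed command with your own AWS credentials; the `ARN` field in its output is what step 4 asks for, and `check_arn` on that value should return True before you click Track.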

Set the identity provider for the repository

  1. In the Data Repos section of the Cyral control plane UI, click the name of your repository, and click Advanced.

  2. Under Authentication, choose the name of your SSO provider as set up in Connect Cyral to your SSO identity provider.

  3. Optional: If you prefer to give users the choice of accessing the same repo using either SSO or native credentials, select Allow native authentication. With this option enabled, a person connecting as an SSO user must include their SSO username in the connection string, prefixed with "idp:", so that Cyral can tell the two authentication methods apart. For example, the username portion of the connection string might be: idp:nancy.drew@hhiu.us.

  4. Click Save.

Map an SSO user or group to a local account

When a user authenticates, they can be mapped to a local account based on their user name, or based on their membership in an SSO group. Set up the mapping as follows.

  1. In the Data Repos page, click the name of your repository, click the Identity to Account Map tab, and click the plus sign.

  2. Choose User or Group as the identity type.

  3. In the Identity field, specify the SSO user name or group name as it's written in your identity service.

  4. In the Local Account field, choose the name of the local repository account as you configured it in Cyral in the steps above.

  5. In the Duration field, set a length of validity for the access, or click Unlimited to grant access that will not expire automatically.

  6. Click Create.

Your SSO setup is complete.

To connect to the repository, the users you've configured must authenticate with their enterprise SSO credentials. Once authenticated, they can use the Cyral Access Tokens portal or utility to generate an authentication token they can use to connect to the repository.

Note! As an administrator, you can also find your authentication tokens by clicking the Access Tokens button at the top right of your screen.

Next step

  • Follow the instructions in Connect to a repository to verify that users can connect based on your new configuration.
  • Did you know that your users can quickly request and get access, just by chatting with the Cyral bot in Slack? See how to set it up now.

© Copyright 2021 Cyral Inc. All rights reserved.