Skip to main content

Authenticate repository access with SSO

With Cyral, you can authenticate data repository users against your enterprise single sign-on (SSO) platform. By ensuring that data repository users log in with their SSO credentials, you ensure your data access logging reflects people's true identities. You also have the option to grant access based on a user's group memberships in the SSO platform.

Prerequisites#

Before you set up SSO for a repository, make sure you've completed these steps:

Procedure#

Add the local account credentials to your secrets manager#

Each SSO user will map to a local account on your data repository (a native user account saved in the repository service, DBaaS, or DBMS). For example, SSO user Frank Hardy might map to a PostgreSQL user, analyst, that you have created.

For each local account, store its credentials as a secret in your secrets manager. These credentials must consist of a valid username and password on the repository service, DBaaS, or DBMS. For this example, we'll use AWS Secrets Manager. See the AWS Secrets Manager tutorial for instructions.

  1. For most repository types, you need to include 2 values in the secret:
    • the username is the local user account name as stored in the repository system, like a PostgreSQL username, for example. Don't worry about the SSO user or group names now; you'll map those later in the Cyral UI.
    • the password is the local user's password used for direct authentication to the repository system
       {    "username": "analyst",    "password": "pwsd%83#gg*!"  }
  2. For some databases, for example MongoDB, we also need to specify the authentication database in the secrets payload. We can do it by adding the the following key to the above payload: databaseName. For example, if our authentication database name is admin, we should add the following entry to the secrets payload: "databaseName": "admin".

Give the Cyral control plane access to the local account#

In this step, you will specify the local account(s) that SSO users will ultimately log in as when they connect to the repository.

  1. In AWS Secrets Manager, retrieve the ARN for the local account credentials you created.

  2. In the Cyral control plane UI, go to Data Repos, click the name of your repository, click Local Accounts, and click the plus sign to track a new local account.

  3. In the Track Account form, enter the account username

  4. Choose the type of secrets manager, and paste the ARN for the local account credentials. Inside the ARN, the secret must start with the /cyral/dbsecrets prefix. Here's an example:

    arn:aws:secretsmanager:us-east-1:926775727812:secret:/cyral/dbsecrets/1m2xbhDKKCnEOU812c9KFCF0kfz-9mh6lx
  5. Click Track.

Set the identity provider for the repository#

  1. In the Data Repos section of the Cyral control plane UI, click the name of your repository, and click Advanced.

  2. Under Authentication, choose the name of your SSO provider as set up in Connect Cyral to your SSO identity provider

  3. Optional: If you prefer to give users the choice of accessing the same repo using either SSO or native credentials, then select Allow native authentication. If you choose to do that, then when connecting as an SSO user, the person must include their SSO username in their connection string, prefixed with "idp:". For example, the username portion of the connection string might be: idp:nancy.drew@hhiu.us.

  4. Click Save.

Map an SSO user or group to a local account#

When a data user authenticates, they can be mapped to a local account based on their username, or based on their membership in an SSO group in your identity provider. Set up the mapping as follows.

  1. In the Data Repos page, click the name of your repository, click the Identity to Account Map tab, and click the plus sign.

  2. Choose User or Group as the Identity Type.

  3. In the Identity field, depending on the selected Identity Type, specify the SSO username (email address) or the SSO group name as defined in your identity provider.

    • Please note that for Azure AD, you'll specify the SSO group by its Object ID which you'll find in the Groups panel of your Azure management console.


  4. In the Local Account field, choose the name of the local repository account, as configured in Cyral. See above.

  5. In the Duration field, set a length of validity for the access, or click Unlimited to grant access that will not expire automatically.

  6. Click Create.

At this point, users with a configured local account mapping can connect to your repository using their IdP credentials. They would start by navigating to the Cyral access portal as described here.

tip

As an administrator, you can validate the configuration by creating a local account mapping for yourself, then navigating to your access portal by clicking the Access Tokens button at the top right of your management console.

Next step#