Users may authenticate to the CockroachDB Cloud Console using Single Sign-On (SSO). GitHub, Google, and Microsoft are supported as identity providers (IdPs).
This feature is in preview and is only available to enrolled organizations. To enroll your organization in the preview, contact your Cockroach Labs account team. This feature is subject to change.
Authentication with a centralized identity managed by a dedicated IdP offers several security advantages:
- All supported SSO providers (Google, Microsoft, and GitHub) support multi-factor authentication (MFA).
- Administrators avoid responsibility for managing an additional set of credentials and tying those to other identities and credentials. Every additional credential or identity management operation introduces risk as well as costing effort, so minimizing these is doubly advantageous.
- Administrators can onboard and offboard users quickly and efficiently.
Preview: Enterprise authentication
Support for SAML and OIDC identity protocols
With support for SAML and OIDC, CockroachDB Cloud allows enterprise organizations to use a wide variety of self-hosted or SaaS enterprise IdP solutions, such as Okta, Active Directory, Onelogin, etc., to authenticate to the CockroachDB Cloud Console.
Custom sign-in page
With this feature, customers get a unique and private sign-in URL for their CockroachDB Cloud organization, and will no longer use the public sign-in URL.
Extended configuration options
Enterprise authentication allows CockroachDB Cloud organization admins to configure a list of allowed and disallowed authentication methods.
Only enabled authentication methods are shown on the custom sign-in page.
This optional enterprise feature removes the need to invite users to your organization. When auto-provisioning is enabled, a CockroachDB Cloud account will be created automatically for your users when they sign in to the custom sign-in page for the first time.
How to enable enterprise authentication for CockroachDB Cloud
Reach out to your Cockroach Labs team to enquire about the preview of Enterprise Authentication for Cloud SSO.
After Enterprise Authentication is enabled, your Cockroach Labs team or the support team will reach out again to finalize and confirm the setup.
CockroachDB Cloud SSO Frequently Asked Questions (FAQ)
Will it work if I try to sign in with SSO without explicitly setting it up for my account, if I already use an email from an SSO Provider such as Gmail?
Yes, as long as the email address associated with your SSO provider is exactly the same as the one associated with your existing CockroachDB Cloud account. After successfully signing in, you will be prompted to approve the updated authentication method for your account.
To view your current authentication method, visit My Account in the CockroachDB Cloud Console.
Once I change my active login method to a new SSO provider, can I still sign in using my email/password combination or my GitHub identity?
No. Only one authentication method can be active for each CockroachDB Cloud Console user. Visit My Account in the CockroachDB Cloud Console to view or update your active authentication method.
Does this change how administrators invite users?
The workflow for inviting team members to CockroachDB Cloud remains the same. If Enterprise Authentication is enabled for your CockroachDB Cloud organization, then you don't need to invite SSO users.
As an admin, how do I deprovision a user's access to CockroachDB Cloud Console if they leave the relevant project?
If a user is using SSO, deleting the user's identity at the level of the SSO provider (for example, by deleting a user's GCP account) also removes their access to the CockroachDB Cloud organization.
To remove a user's access to CockroachDB Cloud without deleting their SSO identity, you can remove their CockroachDB Cloud user identity from your CockroachDB Cloud organization.
Can admins require a particular login method for their CockroachDB Cloud organization?
Yes, as long as Enterprise Authentication is enabled for your CockroachDB Cloud organization.