Federated authentication
Using federated authentication, you can use an enterprise IdP to manage access to your YugabyteDB Aeon account. After federated authentication is enabled, only Admin users can sign in using email-based login.
Currently, YugabyteDB Aeon supports IdPs exclusively using the OIDC (OpenID Connect) protocol.
Prerequisites
Before configuring federated authentication, be sure to allow pop-up requests from your IdP. While configuring federated authentication, the provider needs to confirm your identity in a new window.
Create an application in PingOne
Before enabling federated authentication in YugabyteDB Aeon, you must configure your IdP and obtain the necessary credentials.
To use PingOne for your IdP, do the following:
-
Sign in to your PingIdentity account and create an application.
- Under Applications, add a new application.
- Enter a name for the application.
- Under Application Type, select OIDC Web App.
- Click Save.
-
Select the application you created and, on the Configuration tab, click Edit and set the following options:
- Response Type - select Code.
- Grant Type - select Authorization Code.
- Redirect URIs - enter
https://yugabyte-cloud.okta.com/oauth2/v1/authorize/callback
. - Token Endpoint Authentication Method - select Client Secret Post.
- Initiate Login URI - enter
https://cloud.yugabyte.com/login
.
Click Save when you are done.
-
On the Resources tab, edit the ALLOWED SCOPES, select the openid, email, and profile scopes, and click Save when you are done.
-
Configure Policies and Attribute Mappings as required.
-
On the Access tab, click Edit, select the user groups you want to access YugabyteDB Aeon, and click Save when you are done.
-
Enable the application by turning on the slider control at the top of the page.
To configure PingOne federated authentication in YugabyteDB Aeon, you need the following application properties:
- Client ID and secret of the application you created. These are provided on the Overview and Configuration tabs.
- Authorization URL for your application. This is displayed on the Configuration tab under URLs.
For more information, refer to the PingOne for Enterprise documentation.
Configure federated authentication
To configure federated authentication in YugabyteDB Aeon, do the following:
- Navigate to Security > Access Control > Authentication and click Enable Federated Authentication to display the Enable Federated Authentication dialog.
- Choose PingOne identity provider.
- Enter the client ID and secret of the PingOne application you created.
- Enter the Authorization URL for your application.
- Click Enable.
You are redirected to sign in to your IdP to test the connection. After the test connection is successful, federated authentication is enabled.