Skip to main content

Set up an identity provider (IdP) for Astro

There are 4 ways users can to authenticate to Astro:

  • Basic authentication
  • Google social login
  • GitHub social login
  • 3rd-party identity provider (IdP) login

Identity Providers (IdPs) are services that manage user accounts. As organizations grow, it's common for teams to integrate internal tooling with a third-party IdP. This allows administrators to monitor application access, user permissions, and security policies from a single place. It also makes it easy for individual users to access the tools they need.

Astro supports integrations with the following IdPs:

This guide provides setup steps for integrating both of these identity providers on Astro. Once you complete the integration for your organization:

  • Users will automatically be authenticated to Astro if they're already logged in to your IdP.
  • Users will no longer have to repeatedly login and remember credentials for their account.
  • You will have complete ownership over credential configuration and management on Astro.
  • You can enforce multi-factor authentication (MFA) for users.
  • You can use services such as Adaptive Authentication and Conditional Access to create advanced access policies that enforce trusted IP ranges or limit access to authorized devices.

Astro only supports Service Provider (SP)-initiated SSO. Users are required to log in to the Cloud UI.

Configure your identity provider

This section provides setup steps for setting up Okta as your IdP on Astro. After completing this setup, all users in your organization can use Okta to log in to Astro.


To integrate Okta as your IdP for Astro, you must have an Okta account with administrative access.

Step 1: Contact Astronomer support

To set up Okta as your IdP, submit a request to Astronomer support. After receiving your request, Astronomer support will provide you with the following:

  • A Single Sign-On (SSO) URL
  • An Audience URI

These values are required for Step 2.

Step 2: Configure Okta

  1. Create a SAML app integration in the Okta Admin Console. See Create SAML app integrations using AIW. Complete the following fields:

    • Single sign on URL: <your-sso-url>
    • Audience URI (SP Entity ID): <your-audience-uri>
    • Name ID format: Unspecified
    • Application username: Email
    • Update application username on: Create and update
  2. In the Advanced Settings section of your configuration, set the following values:

    • Response: Signed
    • Assertion Signature: Signed
    • Signature Algorithm: RSA-SHA256
    • Digest Algorithm: SHA256
    • Assertion Encryption: Unencrypted
  3. In the Attribute Statements section of your configuration, create the following four attribute statements, making sure to use the exact capitalization as shown:

    NameName FormatValue

    These values might be different if Okta is connected to an Active Directory. In this case, replace each Value with the equivalent Active Directory values for a user's first name, last name, and full email address.

  4. Complete the remainder of the setup as documented in Okta until you finish creating your integration.

Step 3: Provide Astronomer support with your integration information

On the page for your Okta app integration, click View Setup Instructions. Copy the values for Single Sign-on URL and X.509 Certificate that appear and send them to Astronomer Support.

From here, Astronomer support will finalize your organization's integration with Okta.

Step 4: Assign users to your Okta application

On the page for your Okta app integration, open the Assignments tab. Ensure that all users who will use Astro are assigned to the integration. For more information, read Okta documentation.

When a user assigned to the integration accesses Astro, they will be brought automatically to Okta after entering their email in the Cloud UI.

Restrict authentication options

This feature is available only with an Astro Premium plan.

By default, users have access to all possible authentication methods when logging into Astro. You can remove specific authentication options so that users can use only the methods that your team wants to support, such as your third party identity provider.

To restrict which authentication options are available on Astro for your organization, contact Astronomer support.