Skip to main content

Set up authentication and single sign-on for Astro

This guide provides the steps for integrating identity providers on Astro to enable Single Sign-On (SSO) for your users. After you complete the integration for your organization:

  • Users will automatically be authenticated to Astro if they're already logged in to your identity provider (IdP).
  • Users will no longer have to repeatedly login and remember credentials for their account.
  • You will have complete ownership over credential configuration and management on Astro.
  • You can enforce multi-factor authentication (MFA) for users.
  • You can use services such as Adaptive Authentication and Conditional Access to create advanced access policies that enforce trusted IP ranges or limit access to authorized devices.

To manage Organization users after you have configured SSO, see Manage Organization users.

In addition to SSO authorization, there are 3 ways that users can to authenticate to Astro:

  • Basic authentication (username and password)
  • Google social login
  • GitHub social login

To limit users to only a subset of these options, see Restrict authentication options.

Supported SSO identity providers

Single Sign On (SSO) authorization allows users to log in using their company credentials, managed through an IdP. This provides a streamlined login experience for your Astro users, as they are able to leverage the same credentials across multiple applications. In addition, this provides improved security and control for organizations to manage access from a single source. Astro supports integrations with the following IdPs:

info

You can configure multiple SSO connections for a single Organization. This requires having a unique verified domain for each new SSO connection.

Configure your SSO identity provider

At a high level, to configure an SSO identity provider (IdP) you will:

  1. Create a connection between Astro and your IdP.
  2. Map a managed domain to your SSO connection.
  3. Invite users to Astro through your IdP.

This section provides setup steps for setting up Okta as your IdP on Astro. After completing this setup, all users in your organization can use Okta to log in to Astro.

Supported Okta features

The Astro integration with Okta supports the following authentication options:

  • IdP-initiated SSO
  • Service provider (SP)-initiated SSO
  • Just-In-Time provisioning

Prerequisites

Step 1: Create a SAML-based connection to Okta

To set up Okta as your IdP, you will create a Security Assertion Markup Language (SAML) connection to Okta.

  1. In the Astro UI, click your Workspace name in the upper left corner, click Organization Settings, then click Authentication.

  2. In the SSO Configuration menu, click Configure SSO.

  3. Configure the following values for your connection:

    • Connection type: Select SAML.
    • SSO Domain(s): Enter the verified domain(s) that you want to map to Okta.
    • Automatic Membership: Set the default role for users who join your Organization through Okta and without an explicit invite from Astro.

  4. Copy the Connection Name.

  5. Open a new tab and go to Okta. In the Okta Admin Console, go to Applications and click Browse App Catalogue. Then, search the catalogue, select the Astro app integration, and click Add Integration. After configuring a label for the integration, the application appears in Applications.

info

When you create your application, Okta automatically maps the following attributes to Astro user account values:

AttributeValue
emailuser.email
firstNameuser.firstName
lastNameuser.lastName
nameuser.displayName

  1. Open the Astro application you just configured, click Sign On, then click Edit. Configure the following values:

    • Connection Name: Enter the Connection Name you copied from the Astro UI.
    • Application username format: Email.
    • Update application username on: Create and update.

  2. Copy the values for Sign-on URL, Sign out URL, and X.509 Certificate from the Metadata Details section.

  3. Assign yourself to the Astro app integration from Okta. See Assign an app integration to a user.

  4. Return to the Astro UI. In the configuration screen for your SAML connection, configure the following values:

    • Identity Provider Single Sign-on URL: Enter your Single Sign-on URL.
    • Identity Provider Sign-out URL: Enter your Single Sign-out URL.
    • X.509 Certificate: Enter your X.509 Certificate.

  5. Click Create. Your Okta integration appears as an entry in SSO Configuration.

  6. In SSO Configuration, click Activate. You are redirected to Okta to test your configuration. After you have successfully authenticated, you are redirected to Astro.

  7. Click Activate SSO.

warning

Do not share your single sign-on (SSO) bypass link. With an SSO bypass link, anyone with an email and a password can log in to Astro. Astronomer recommends periodically regenerating the link from the Settings tab in the Astro UI.

An SSO bypass link allows you to authenticate to your Organization without using SSO. This link should be used to access your Organization only when you can't access Astro due to an issue your identity provider.

  1. In the Astro UI, click your Workspace name in the upper left corner, click Organization Settings, then click Authentication.

  2. In the SSO Bypass Link field, click Copy. Save this link for when you need to log in to Astro without using SSO.

If you don't want to maintain an SSO bypass link, click Delete. You can always regenerate a link if you need one in the future.

Step 3: Assign users to your Okta application

On the page for your Okta app integration, open the Assignments tab. Ensure that all users who will use Astro are assigned to the integration. For more information, see Assign applications to users.

Step 4: (Optional) Configure SCIM provisioning

SCIM provisioning allows you to manage Astro users from your identity provider platform. See Set up SCIM provisioning for setup steps.

Advanced setup

Configure just-in-time provisioning

Astro supports just-in-time provisioning by default for all single sign-on (SSO) integrations. This means that if someone without an Astro account tries logging into Astro with an email address from a domain that you manage, they are automatically granted a default role in your Organization without needing an invite. Users with emails outside of this domain need to be invited to your Organization to access it.

To enable or disable just-in-time provisioning:

  1. In the Astro UI, click your Workspace name in the upper left corner, click Organization Settings, then click Authentication.

  2. In the SSO Configuration menu, click the pencil icon to edit your SSO connection.

  3. In Automatic Membership, select the default Organization role for users who log in to Astro for the first time through your identity provider. To disable just-in-time provisioning, select Disabled.

Restrict authentication options

This feature is available only if you are on the Business tier or above.

By default, users can choose any of the available authentication methods when logging into Astro. You can remove specific authentication options, such as GitHub or Google, so that users can use only the methods that your Organization wants to support, like your third party identity provider.

  1. In the Astro UI, click your Workspace name in the upper left corner, click Organization Settings, then click Authentication.
  2. In the Advanced Settings menu, click Allow only Single Sign-On (SSO).

Regenerating your SSO bypass link voids your existing SSO bypass link so that any former users with the existing link can't log in to Astro.

  1. In the Astro UI, click the Settings tab.

  2. Click Regenerate to create a new bypass link and void the old one.

Was this page helpful?

Sign up for Developer Updates

Get a summary of new Astro features once a month.

You can unsubscribe at any time.
By proceeding you agree to our Privacy Policy, our Website Terms and to receive emails from Astronomer.