Skip to main content

SAML Single Sign-On

SAML single sign-on (SSO) lets organization members sign in to the VeloDB Cloud console through a corporate identity provider. VeloDB Cloud acts as the SAML Service Provider (SP), and your identity provider acts as the Identity Provider (IdP).

SAML SSO applies to console access for one organization. It does not authenticate warehouse users, SQL clients, or Cloud API requests.

Supported identity providers

VeloDB Cloud supports SAML 2.0 integrations with the following identity providers:

Identity providerSetup guide
OktaConfigure SAML SSO with Okta
Google WorkspaceConfigure SAML SSO with Google Workspace
Microsoft Entra IDConfigure SAML SSO with Microsoft Entra ID
Cisco DuoConfigure SAML SSO with Cisco Duo

Prerequisites

Before you configure SAML SSO, make sure that:

  • Your organization uses the Premium plan.
  • You are an Organization Admin in VeloDB Cloud.
  • You can create and assign a SAML application in your identity provider.
  • You can create DNS TXT records for at least one corporate email domain.
  • Your identity provider provides a publicly accessible HTTPS SAML metadata URL.
  • You have configured any required MFA policies in your identity provider.
  • At least one Organization Admin retains access while you configure and test SSO.

Configuration workflow

The SAML SSO setup wizard has five steps:

  1. Add Application: Copy the VeloDB Cloud Single Sign-On URL and Service Provider Entity ID into your identity provider.
  2. Configure Identity Provider: Import the identity provider's HTTPS SAML metadata URL.
  3. Verify Domain: Verify a corporate email domain, select a default role, and configure JIT provisioning.
  4. Test SSO Login: Complete a test sign-in through the identity provider.
  5. Enable SSO: Enable SSO while retaining other sign-in methods.

To start the wizard:

  1. Sign in to VeloDB Cloud as an Organization Admin.
  2. Click your profile area in the bottom-left corner of the console to open the account menu, then select Authentication.
  3. Turn on SAML Single Sign-on.

Turning on the setting opens the setup wizard. SSO is not available to members until you complete the wizard and select Enable SSO.

Verified domains

You must verify at least one corporate email domain before you can enable SAML SSO. Domain verification establishes that your organization controls the email domain used by SSO members.

In the Verify Domain step:

  1. Select Add Domain, and enter the domain without @, for example, example.com.
  2. At your DNS provider, create a TXT record using the TXT Record Name and Record Value displayed by VeloDB Cloud.
  3. Wait for the DNS change to propagate.
  4. In VeloDB Cloud, select Verify for the domain.

Public email domains, such as gmail.com and outlook.com, cannot be used as verified domains.

JIT provisioning

Just-in-time (JIT) provisioning controls whether VeloDB Cloud creates a user and organization membership after a successful SAML sign-in.

PolicyBehavior
Verified domain onlyCreates users only when their email address belongs to a verified domain. This is the recommended policy.
Allow All SSO UsersCreates users whom the identity provider allows to authenticate, regardless of their email domain.
Disable Automatic ProvisioningAllows only existing active organization members to sign in with SAML.

New members created through JIT provisioning receive the Default Role selected during setup. Select the least-privileged role required for new members. SAML group attributes do not change or assign VeloDB Cloud roles.

Caution With Allow All SSO Users, any user whom the identity provider permits to authenticate can be provisioned in the organization. Restrict application assignments in the identity provider before selecting this policy.

Test SSO

Test SSO before enabling it for your organization. The test validates the SAML request, response, certificate, Entity ID, ACS URL, and user email without creating a new member or a persistent organization SSO session.

To run the test:

  1. In the Test SSO Login step, select Test SSO Login.
  2. Sign in through your identity provider using an account assigned to the SAML application.
  3. Confirm that VeloDB Cloud reports SSO Test Successful.

Changing the identity provider metadata URL requires another successful test before SSO can be enabled again.

Enable and enforce SSO

VeloDB Cloud provides two access policies:

Access policyBehavior
Enable SSOMakes SAML SSO available while retaining password and verification-code sign-in. Users whose email matches a verified domain are normally directed to the identity provider.
Enforce SSORequires a valid SAML sign-in before a member can access the organization.

Safely enforce SSO

Do not enforce SSO during the initial setup. First confirm that an Organization Admin can complete a regular SAML sign-in and access the organization.

  1. Complete Test SSO Login.
  2. Select Enable SSO.
  3. Sign out, and sign in again through SAML with an active Organization Admin account.
  4. Confirm that the administrator can access the organization and open Authentication.
  5. Open the SAML SSO configuration, select Configure next to Enable SSO, choose Enforce SSO, and confirm the change.

VeloDB Cloud prevents enforcement until at least one active Organization Admin has completed a regular SAML sign-in.

Sign in after SSO is enabled

Members normally sign in at https://www.velodb.cloud:

  1. Enter an email address associated with a verified domain.
  2. Continue to the identity provider.
  3. Authenticate with the identity provider.
  4. Return to VeloDB Cloud.

VeloDB Cloud supports Service Provider-initiated sign-in only. Members should start sign-in from VeloDB Cloud, not from an identity provider application tile.

When SSO is enabled but not enforced, members can use the email sign-in page to sign in with a password or verification code. This page does not bypass SSO enforcement: a password-authenticated session cannot access an organization that enforces SSO.

MFA with SAML SSO

The identity provider is responsible for authentication policies and MFA during a SAML sign-in. SAML-authenticated members are not prompted for VeloDB Cloud MFA after returning from the identity provider. Configure and enforce the required MFA policy in your identity provider before enabling SSO.

Organization-wide VeloDB Cloud MFA continues to apply to password and verification-code sign-ins. It does not add another MFA challenge to SAML sign-ins.

Manage SSO members

VeloDB Cloud does not synchronize member lifecycle or role changes from the identity provider. Removing an application assignment, disabling an identity provider account, or changing group membership does not remove the existing VeloDB Cloud organization membership or change its role.

When you offboard a member, revoke access to the SAML application in the identity provider and remove the member from the VeloDB Cloud organization on the Members page. Review JIT-provisioned members regularly and assign the least-privileged role required.

Manage or disable SSO

To review or change the configuration, open Authentication and select View Configuration for SAML SSO. Use Configure next to an editable step to change its settings.

Warning Changing the identity provider metadata URL disables SSO and invalidates the previous SSO test. Keep an active Organization Admin session open, run Test SSO Login again, and re-enable SSO before ending the session.

To disable SSO, turn off SAML Single Sign-on on the Authentication page and confirm the change. Disabling SSO retains the configuration but removes the SAML requirement from the organization.

Troubleshooting

IssueRecommended action
VeloDB Cloud cannot import the metadata URL.Confirm that the URL uses HTTPS, is publicly accessible, and returns valid SAML metadata containing an Identity Provider Entity ID, an SSO service, and an active signing certificate.
The SSO test returns to VeloDB Cloud with an error.Confirm that the ACS URL and Service Provider Entity ID in the identity provider match the values for the same VeloDB Cloud organization.
VeloDB Cloud cannot identify the member.Configure the SAML NameID or the email attribute with the member's VeloDB Cloud email address.
A member cannot start SSO.Confirm that SSO is enabled and that the member is assigned to the SAML application in the identity provider.
A new member is not created.Review the JIT provisioning policy, the verified domain, and the default role.
Enforce SSO is rejected.Enable SSO first, and have an active Organization Admin complete a regular SAML sign-in before enforcing SSO.

Current limitations

  • An organization can have one SAML identity provider configuration.
  • Identity Provider-initiated SSO is not supported.
  • SAML Single Logout is not supported. Signing out of the identity provider does not terminate an existing VeloDB Cloud session, and signing out of VeloDB Cloud does not sign the member out of the identity provider.
  • SCIM provisioning is not supported.
  • SAML group-to-role mapping is not supported.
  • SAML SSO does not apply to warehouse credentials or Cloud API keys.