Single Sign-On (SSO)

AuraDB Virtual Dedicated Cloud AuraDS Enterprise AuraDB Business Critical

SSO levels

Organization admins can configure organization level SSO (org SSO) and tenant level SSO (tenant SSO). SSO is a log-in method and access, roles, and permissions are dictated by role-based access control (RBAC).

  • Org SSO: Allows org admins to restrict how users log in when they are trying to access the org. Access beyond log-in is managed via RBAC.

  • Tenant level SSO: Impacts new database instances created within that tenant. It ensures users logging in with SSO have access to the database instances within the tenant. It depends on RBAC if the user can access and view or modify data within the database instances themselves. For this level, the role mapping may be used to grant users different levels of access based on a role in their identity provider (IdP). It does not give access to edit the tenant settings, for example to edit the tenant name, network access, or to edit the instance settings such as to rename an instance, or pause and resume.

Log-in methods

Log-in methods are different for each SSO level. Administrators can configure a combination of one or more of the log-in methods.

Org SSO supports:

  • Email/password

  • Okta

  • Microsoft Entra ID

  • Google SSO (not Google Workspace SSO)

An organization’s administrator can add Aura as a log-in from a tile in an organization’s Apps Dashboard.

Tenant SSO supports:

  • User/password

  • Okta

  • Microsoft Entra ID

However, at the tenant level you cannot disable user/password, but at the org level you can disable email/password and Google SSO as long as you have at least one other custom SSO provider configured.

Setup requirements

Accessing Aura with SSO requires:

  • Authorization Code Flow

  • A publicly accessible IdP server

To configure SSO, go to Aura Console > Settings > SSO Configuration.

To create an SSO Configuration either a Discovery URI or a combination of Issuer, Authorization Endpoint, Token Endpoint and JWKS URI is required.

Individual instance level SSO configurations available from Support

Support can assist with:

  • Role mapping specific to a database instance

  • Custom groups claim besides groups

  • Updating SSO on already running instances

If you require support assistance, visit Customer Support and raise a support ticket including the following information:

  1. The Tenant ID of the tenants you want to use SSO for. See Tenants for more information on how to find your Tenant ID.

  2. The name of your IdP