Product Update: SSO for InfluxDB Cloud Dedicated

By Scott Anderson / Product,
Jun 10, 2024

InfluxDB Cloud Dedicated is a fully-managed InfluxDB offering that lets you run enterprise-grade workloads on cloud infrastructure dedicated to your workload and your workload alone. A common request from those running enterprise-grade workloads on InfluxDB is the ability to use single sign-on (“SSO”) to authorize access to InfluxDB. SSO is now available as a paid option for InfluxDB Cloud Dedicated clusters.

What is SSO?

SSO is a delegated authentication system that allows team members to access multiple applications using a single set of credentials managed by a corporate Identity Provider (“IdP”). When a team member logs into an application using SSO, their corporate IdP validates their credentials, which authenticates access back to the application. In this way, SSO simplifies access for team members while also reducing administrative overhead. SSO has the following additional benefits:

• Reduces username/password fatigue
• Decreases risk of weak passwords and password reuse
• Reduces friction accessing multiple systems
• Reduces login issues and support requests
• Simplifies administration and security enforcement

SSO is now offered on InfluxDB Cloud Dedicated so that you can enjoy these benefits with InfluxDB V3; your administrators can grant/revoke access to your cluster the same way that they would administer access to any of your other systems.

SSO with InfluxDB Cloud Dedicated

When using SSO with InfluxDB Cloud Dedicated, you connect your identity provider to the InfluxData-managed Auth0 service. When a user attempts to authorize using your InfluxDB Cloud Dedicated cluster, the following occurs:

1. InfluxDB sends an authentication request to the InfluxData-managed Auth0 service.
2. Auth0 sends the provided credentials to your identity provider.
3. Your identity provider grants or denies authorization based on the provided credentials and returns the appropriate response to Auth0.
4. Auth0 returns the authorization response to InfluxDB Cloud Dedicated which grants or denies access to the user.

Your identity provider manages access to your cluster. Once you grant a user access through your identity provider, they have administrative access to your InfluxDB Cloud Dedicated cluster.

Set up SSO for your cluster

1. Contact InfluxData sales to begin the process of enabling SSO on your dedicated cluster. They will gather the information necessary to start your SSO implementation.
2. If you haven’t already, set up your identity provider. For information about setting up your identity provider, refer to your identity provider’s documentation.

   Note: To use SSO with InfluxDB Cloud Dedicated, you must use an identity provider supported by Auth0.

3. Create a new application or client in your identity provider to use with Auth0 and your InfluxDB Cloud Dedicated cluster. Refer to your identity provider’s documentation for more information.
4. Provide the necessary connection credentials to InfluxData support. What credentials are needed depends on your identity provider and your protocol. For example:

   Protocol	Required credentials
   OIDC	Client secret
   SAML	Identity provider certificate

   InfluxData support will provide more information about the specific credentials required.
5. Add the InfluxData Auth0 connection URL as a valid callback URL to your identity provider application. This is also sometimes referred to as a “post-back” URL.

https://auth.influxdata.com/login/callback

With the callback URL in place, you can test the integration by attempting to authorize with your InfluxDB Cloud Dedicated cluster. The quickest way to authorize is to use any of the influxctl commands.

Once working, you can manage all access to your InfluxDB Cloud Dedicated cluster through your identity provider.

For more information about SSO with InfluxDB Cloud Dedicated, see the InfluxDB Cloud Dedicated SSO documentation.

Learn more about InfluxDB Cloud Dedicated.