starburst galaxy > security and compliance > manage galaxy access > manage sso integration > Single sign-on basics

Single sign-on basics #

Note: These SSO setup pages are meant for Starburst Galaxy administrators. You must also have admin access to your IdP’s configuration site. Familiarity with SSO concepts is presumed.

These pages describe how administrators can configure your site’s single sign-on (SSO) identity provider to include Starburst Galaxy as a supported application. This allows users to log in to the identity provider, after which access to Galaxy proceeds without further login prompts.

Galaxy supports three identity providers (IdPs). See configuration details for the steps to configure one of these IdPs:

Okta
Microsoft Entra ID
Google Workspace
Generic provider that supports the SAML protocol, such as PingID, Auth0, or a custom IdP.

SAML authentication #

Starburst Galaxy supports IdPs that implement Security Assertion Markup Language (SAML) 2.0 authentication. SAML is an open standard for transferring identity data between an identity provider and a service provider, using XML data structures and HTTP/S, or SOAP, as data transport mechanisms.

SCIM support #

If the IdP supports it, you can also configure the IdP and Galaxy to exchange user and group information through System for Cross-domain Identity Management (SCIM), which is a standard protocol for automating the exchange of user identity information between identity domains.

With SCIM configured, the IdP can push changes in user and group membership, including deletions, to a Starburst Galaxy account configured to receive that information. This can occur on a regular schedule, or as changes happen, or administrators can request an on-demand update.

Galaxy administrators are still in charge of assigning individual users and groups to roles, and are thereby still in charge of how much each user or group of users can do and see in Galaxy.

Galaxy supports a subset of all SCIM fields. If the SCIM integration is configured to send unsupported fields, they will be ignored. Galaxy supports the following SCIM fields: userName, active, displayName, name.givenName, name.familyName, name.honorificPrefix, name.honorificSuffix and password.

Configuration overview #

The overall steps to configure Galaxy to use a supported SSO IdP are the following:

Begin creating an SSO configuration in Galaxy. The first step is SAML.
Copy the Galaxy SAML configuration strings to your IdP. This allows your IdP to generate and present you with the information needed by Galaxy.
Copy the IdP SAML configuration strings back to Galaxy.
Now you’re done with SAML, next is SCIM.
Go to your IdP and enable SCIM. Enter the Galaxy SCIM information.
Test the new configuration.

Configuration details #

See the following pages for IdP-specific configuration details.

Okta SAML setup
Okta SCIM setup
Azure SAML setup
Azure SCIM setup
Google Workspace SAML setup
Generic IdP that supports the SAML protocol, including PingID, Auth0, or a custom IdP.

Starburst Galaxy supports SSO client access with the Trino CLI, JDBC driver, and ODBC driver.

Other useful resources:

Is the information on this page helpful?

Yes

Cancel

Single sign-on basics