starburst galaxy > security and compliance > manage galaxy access > manage sso integration > Single sign-on basics

Single sign-on basics #

Note: These SSO setup pages are meant for Starburst Galaxy administrators. You must also have admin access to your IdP’s configuration site. Familiarity with SSO concepts is presumed.

These pages describe how administrators can configure your site’s single sign-on (SSO) identity provider to include Starburst Galaxy as a supported application. This allows users to log in to the identity provider, after which access to Galaxy proceeds without further login prompts.

Galaxy supports three identity providers (IdPs). See configuration details for the steps to configure one of these IdPs:

Okta
Microsoft Entra ID
Google Workspace
Generic provider that supports the SAML protocol, such as PingID, Auth0, or a custom IdP.

SAML authentication #

Starburst Galaxy supports IdPs that implement Security Assertion Markup Language (SAML) 2.0 authentication. SAML is an open standard for transferring identity data between an identity provider and a service provider, using XML data structures and HTTP/S, or SOAP, as data transport mechanisms.

SCIM support #

If the IdP supports it, you can also configure the IdP and Galaxy to exchange user and group information through System for Cross-domain Identity Management (SCIM), which is a standard protocol for automating the exchange of user identity information between identity domains.

With SCIM configured, the IdP can push changes in user and group membership, including deletions, to a Starburst Galaxy account configured to receive that information. This can occur on a regular schedule, or as changes happen, or administrators can request an on-demand update.

Galaxy administrators are still in charge of assigning individual users and groups to roles, and are thereby still in charge of how much each user or group of users can do and see in Galaxy.

Galaxy supports a subset of all SCIM fields. If the SCIM integration is configured to send unsupported fields, they will be ignored. Galaxy supports the following SCIM fields: userName, active, displayName, name.givenName, name.familyName, name.honorificPrefix, name.honorificSuffix and password.

Note: When you configure SCIM and add a group, all users assigned to the group receive an email notification inviting them to join Starburst Galaxy.

Configuration overview #

The overall steps to configure Galaxy to use a supported SSO IdP are the following:

Begin creating an SSO configuration in Galaxy. The first step is SAML.
Copy the Galaxy SAML configuration strings to your IdP. This allows your IdP to generate and present you with the information needed by Galaxy.
Copy the IdP SAML configuration strings back to Galaxy.
Now you’re done with SAML, next is SCIM.
Go to your IdP and enable SCIM. Enter the Galaxy SCIM information.
Test the new configuration.

Configuration details #

See the following pages for IdP-specific configuration details.

Okta SAML setup
Okta SCIM setup
Azure SAML setup
Azure SCIM setup
Google Workspace SAML setup
Generic IdP that supports the SAML protocol, including PingID, Auth0, or a custom IdP.

Starburst Galaxy supports SSO client access with the Trino CLI, JDBC driver, and ODBC driver.

Disabling or enabling direct logins #

You can disable or enable a user’s ability to log in directly to Starburst Galaxy with their username and password. Disabling direct logins ensures that users can only log in to Starburst Galaxy via SSO.

After you have implemented and thoroughly tested your SSO integration with Galaxy, you can grant or revoke the Allow username/password login account-level privilege for any role. Revoking the Allow username/password login privilege from a role prevents users who can assume that role from bypassing SSO and logging in to Galaxy directly with a username and password. Conversely, granting the privilege allows users who are able to assume that role to log in directly.

If a user is able to assume any role that has the Allow username/password login privilege, they are able to log in to Galaxy directly with a username and password, regardless of their default role.

This privilege is only visible on Galaxy accounts with SSO enabled or previously enabled. By default it is granted to the public and accountadmin roles.

Because most users are required to authenticate through SSO, Starburst recommends revoking this privilege for widely-used roles such as public and strongly recommends retaining this privilege for the accountadmin role. If you do not retain this privilege for the accountadmin role, consider granting this privilege to specific roles that manage SSO or security systems. In the event that a problem occurs with your SSO configuration, admins should retain the ability to bypass SSO and log in to Galaxy directly to debug.

For more information on granting and revoking privileges, see Roles and privileges pane.

Other useful resources:

Is the information on this page helpful?

Yes

Cancel

Single sign-on basics