Single sign-on overview #
These pages describe how administrators can configure your site’s single sign-on (SSO) identity provider to include Starburst Galaxy as a supported application. This allows users to log in to the identity provider, after which access to Galaxy proceeds without further login prompts.
- Azure Active Directory
- Google Workspace
SAML authentication #
Starburst Galaxy supports IdPs that implement Security Assertion Markup Language (SAML) 2.0 authentication. SAML is an open standard for transferring identity data between an identity provider and a service provider, using XML data structures and HTTP/S, or SOAP, as data transport mechanisms.
SCIM support #
If the IdP supports it, you can also configure the IdP and Galaxy to exchange user and group information through System for Cross-domain Identity Management (SCIM), which is a standard protocol for automating the exchange of user identity information between identity domains.
With SCIM configured, the IdP can push changes in user and group membership, including deletions, to a Starburst Galaxy account configured to receive that information. This can occur on a regular schedule, or as changes happen, or administrators can request an on-demand update.
Galaxy administrators are still in charge of assigning individual users and groups to roles, and are thereby still in charge of how much each user or group of users can do and see in Galaxy.
Configuration overview #
The overall steps to configure Galaxy to use a supported SSO IdP are the following:
Begin creating an SSO configuration in Galaxy. The first step is SAML.
Copy the Galaxy SAML information to your IdP. This allows your IdP to generate and present you with the information needed by Galaxy.
Copy the IdP SAML information back to Galaxy.
Now you’re done with SAML, next is SCIM.
Go to your IdP and enable SCIM. Enter the Galaxy SCIM information.
Test the new configuration.
Configuration details #
See the following pages for IdP-specific configuration details.
- Okta SAML setup
- Azure AD SAML setup
- Generic IdP that supports the SAML protocol, including PingID, Auth0, or a custom IdP.
Is the information on this page helpful?