Documentation

InfluxDB Cloud Dedicated

Set up and use single sign-on (SSO)

InfluxDB Cloud Dedicated supports single sign-on (SSO) integrations through the use of Auth0 and your identity provider of choice. Use SSO to provide users seamless access to your InfluxDB Cloud Dedicated cluster with an existing set of credentials.

Contact InfluxData sales to enable SSO

SSO is a paid upgrade to your InfluxDB Cloud Dedicated cluster. To begin the process of enabling SSO, contact InfluxData Sales:

Contact InfluxData Sales

SSO authorization flow

With SSO enabled, whenever a user attempts to log into your InfluxDB Cloud Dedicated cluster, the following occurs:

  1. InfluxDB sends an authentication request to the InfluxData-managed Auth0 service.
  2. Auth0 sends the provided credentials to your identity provider.
  3. Your identity provider grants or denies authorization based on the provided credentials and returns the appropriate response to Auth0.
  4. Auth0 returns the authorization response to InfluxDB Cloud Dedicated which grants or denies access to the user.
InfluxDB Cloud Dedicated
Auth0
Identity Provider

Set up your identity provider

For information about setting up and configuring your identity provider, refer to your identity provider’s documentation. You can use any identity provider supported by Auth0:

Connect your identity provider to Auth0

To integrate your identity provider with the InfluxData-managed Auth0 service:

  1. Create a new application or client in your identity provider to use with Auth0 and your InfluxDB Cloud Dedicated cluster.

  2. Provide the necessary connection credentials to InfluxData support. What credentials are needed depends on your identity provider and the protocol you’re using. For example:

    Protocol Required credentials
    OIDC Client secret
    SAML Identity provider certificate

    InfluxData support will provide you with more information about what specific credentials are required.

  3. Add the InfluxData Auth0 connection URL as a valid callback URL to your identity provider application. This is also sometimes referred to as a “post-back” URL.

    https://auth.influxdata.com/login/callback

With the callback URL in place, you’re free to test the integration by logging into your InfluxDB Cloud Dedicated cluster.

Manage users in your identity provider

Once SSO is set up, login access to your InfluxDB Cloud Dedicated cluster is managed through your identity provider. All users have administrative access.

For information about managing users in your identity provider, view your identity provider’s documentation.

Ongoing maintenance

Your SSO integration may require ongoing maintenance to continue to function properly. For example:

  • You’re using OIDC and you update your client secret: Provide the new secret to InfluxData support for updating in the InfluxData-managed Auth0 service.

    Keep client secrets secure

    InfluxData provides a secure method for transmitting sensitive secrets such as an OIDC client secret. Never send your client secret to InfluxData using an insecure method.

  • You’re using SAML and your identity provider certificate is rotated: Provide the new certificate to InfluxData support for updating in the InfluxData-managed Auth0 service.

    SAML certificate rotation

    Some identity providers that support SAML are known to rotate certificates often. Each time the certificate is rotated, you must provide the updated certificate to InfluxData support. Consider this when selecting an identity provider and protocol to use.

Troubleshooting

The most common issues with SSO integrations occur when credentials related to your identity provider change and need to be updated in the InfluxData-managed Auth0 service (see Ongoing maintenance).

When encountered, SSO integration errors return a 500 error code the browser. Error details are included in the URL as a the following query parameters:

  • error
  • error_description
  • state

Invalid thumbprint

The Invalid thumbprint error description indicates that the certificate used for SAML connections does not match the certificated configured in the InfluxData-managed Auth0 service.

  • error: access_denied
  • error_description: Invalid thumbprint (configured: XXXXXXXX. calculated: YYYYYYYY)

Cause

The configured certificate is the certificate used by Auth0. The calculated certificate is the certificate used by your identity provider. If these certificates do not match, Auth0 will not authorize the request. This most likely means that the certificate was rotated by your identity provider and the new certificate needs to be added to Auth0.

Solution

Provide your updated certificate to InfluxData support and they will add it to Auth0.

Was this page helpful?

Thank you for your feedback!

© 2024 InfluxData, Inc.

What is your InfluxDB Cloud Dedicated cluster URL?

Enter your InfluxDB Cloud Dedicated cluster URL and we’ll update code examples for you.

Enter cluster URL

Thank you for your feedback!

Let us know what we can do better:

Thank you!

No thanks

The future of Flux

Flux is going into maintenance mode. You can continue using it as you currently are without any changes to your code.

Flux is going into maintenance mode and will not be supported in InfluxDB 3.0. This was a decision based on the broad demand for SQL and the continued growth and adoption of InfluxQL. We are continuing to support Flux for users in 1.x and 2.x so you can continue using it with no changes to your code. If you are interested in transitioning to InfluxDB 3.0 and want to future-proof your code, we suggest using InfluxQL.

For information about the future of Flux, see the following: