We are thrilled to introduce a significant enhancement to TiDB Cloud’s security features: Organization Single Sign-On (SSO) Authentication. This new feature streamlines enterprise authentication, enabling integration with any Identity Provider (IdP) that speaks Security Assertion Markup Language (SAML) or OpenID Connect (OIDC).
Enterprise authentication is crucial to securing access to resources and data within TiDB Cloud, a fully-managed Database-as-a-Service (DBaaS) offering of TiDB. With Organization SSO, customers get centralized user management, stronger security, a smoother user onboarding experience, and better control over access policies.
Why Did We Build Organization SSO?
It boils down to the core needs of our enterprise customers during their security and compliance evaluation. A frequent yet important question enterprise IT admins ask is: Can their existing Identity Providers (IdPs) like Okta or Microsoft Azure AD manage user authentication in TiDB Cloud?
This question unpacks into several more specific ones:
- Protocol compatibility: Does TiDB Cloud support widely-used authentication protocols such as SAML or OIDC for connecting with enterprise IdPs?
- Simplified user onboarding: Is there a more streamlined process to onboard new users into TiDB Cloud beyond the manual invitation method?
- Immediate access revocation: Can access to TiDB Cloud be revoked instantly for users when they leave the organization?
- Enhanced authentication: Does TiDB Cloud support two-factor authentication (2FA) or multi-factor authentication (MFA) for added security while users sign into TiDB Cloud?
- Enforcing password policies: Is it possible to mandate an enterprise-compliant password policy across all users within the TiDB Cloud organization?
- Authentication method uniformity: Can we ensure organization users adhere to one authentication method for TiDB Cloud, disabling other methods?
- User group synchronization: Is there a mechanism to sync user groups from enterprise Identity Provider (IdP) to TiDB Cloud?
We designed Organization SSO with these pivotal enterprise needs in mind, aiming to enhance both security and operational efficiency.
What Does Organization SSO Mean for You?
TiDB Cloud Organization SSO is meticulously crafted to address the intricacies of enterprise authentication, prioritizing robust security and compliance.
Seamless Integration with Your Chosen Identity Providers
Using SAML or OIDC, Organization SSO connects TiDB Cloud to your identity provider of choice, such as Okta or Azure Active Directory. Once configured, users sign in to TiDB Cloud subject to the password policy, MFA, and other controls enforced by that identity provider.
Figure 1. Choose Your Identity Providers
Customized Authentication to Fit Your Organization’s Needs
As an organization owner, you can tailor the authentication methods for a TiDB Cloud organization: for instance, specify SAML via Okta for employees and Google for consultants, and configure the details at the organization level. At the same time, the owner can disable the other methods, such as Microsoft and GitHub. The result is a customized organization sign-in page, as shown below:
Figure 2. Sign-in Page
Auto-Provisioning and Allowed Email Domains
Organization SSO streamlines the user onboarding experience through auto-provisioning. This allows for automatic account creation when users first sign in using their enterprise’s authentication method. Organization owners or project owners need not manually go through the time-consuming invitation process for every new user.
To keep auto-provisioning from becoming an open door, organization owners can restrict it to specific email domains: only users whose email address belongs to one of the allowed domains are permitted to sign in to TiDB Cloud and be auto-provisioned.
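The domain allowlist is the only thing standing between "anyone my IdP will authenticate" and "anyone I want in my TiDB Cloud organization", so the matching rule matters. The following is an added example, not TiDB Cloud's own code, that models the decision described above for one IdP-asserted email address: canonicalize the domain (case, trailing dot, Unicode and IDNA encoding), require exactly one `@`, and match the domain exactly rather than by suffix, since `notexample.com` ends with `example.com`. The `OrgPolicy` shape, the function names, the rule that existing accounts keep signing in, and the sample identities are constructed assumptions for illustration.

```python
"""Allowed-email-domain gate for SSO auto-provisioning.

Added example, not TiDB Cloud's code. It models the policy described in the
text: a user who authenticates through the organization's IdP is auto-created
only if the email address asserted by the IdP belongs to an allowed domain.
The OrgPolicy shape, function names and sample identities are constructed.
"""
import unicodedata
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Set


@dataclass
class OrgPolicy:
    allowed_domains: FrozenSet[str]          # already in normalize_domain() form
    auto_provision: bool = True
    existing_users: Set[str] = field(default_factory=set)  # canonical emails


def normalize_domain(domain: str) -> Optional[str]:
    """Canonical form of a DNS name: NFKC-folded, trailing dot removed, IDNA
    (punycode) encoded, lower-cased. Returns None for an invalid hostname.
    This makes 'Exämple.COM' and 'xn--exmple-cua.com' compare equal, so a
    look-alike label cannot slip past the allowlist by case or encoding."""
    domain = unicodedata.normalize("NFKC", domain.strip()).rstrip(".")
    if not domain or "/" in domain or " " in domain:
        return None
    try:
        # The idna codec rejects empty or over-long labels (e.g. 'a..com').
        return domain.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None


def canonical_email(email: str) -> Optional[str]:
    """Return 'local@domain' in canonical form, or None if malformed.
    Exactly one '@' is required: 'x@evil.com@example.com' must never be
    read as belonging to example.com, whichever side a parser favours."""
    if email.count("@") != 1:
        return None
    local, _, domain = email.partition("@")
    local = local.strip()
    if not local or any(c.isspace() for c in local):
        return None
    norm = normalize_domain(domain)
    if norm is None:
        return None
    # Assumption: local parts are treated case-insensitively, as most IdPs do.
    return f"{local.lower()}@{norm}"


def domain_allowed(domain: str, allowed: FrozenSet[str]) -> bool:
    """Exact match against the allowlist. Deliberately not endswith():
    'notexample.com'.endswith('example.com') is True. A subdomain such as
    eng.example.com is allowed only if it is listed itself."""
    return domain in allowed


def provisioning_decision(asserted_email: str, policy: OrgPolicy) -> str:
    """Decide what to do with an IdP-authenticated user.
    Returns 'existing', 'provision', or 'reject:<reason>'."""
    canon = canonical_email(asserted_email)
    if canon is None:
        return "reject:malformed-email"
    if canon in policy.existing_users:
        # Assumption: accounts that already exist (e.g. invited manually) keep
        # signing in; the domain allowlist gates only new account creation.
        return "existing"
    if not policy.auto_provision:
        return "reject:auto-provisioning-disabled"
    domain = canon.rpartition("@")[2]
    if not domain_allowed(domain, policy.allowed_domains):
        return "reject:domain-not-allowed"
    return "provision"


# Constructed policy: two allowed domains and one pre-existing invited account.
EXAMPLE_POLICY = OrgPolicy(
    allowed_domains=frozenset({"example.com", "eng.example.com"}),
    existing_users={"frank@contractor.example"},
)

if __name__ == "__main__":
    for email in ["alice@example.com", "Bob@EXAMPLE.COM.", "carol@eng.example.com",
                  "dan@sub.eng.example.com", "mallory@notexample.com",
                  "eve@example.com.attacker.net", "x@evil.com@example.com",
                  "frank@contractor.example", "ünicode@exämple.com"]:
        print(f"{email:32} -> {provisioning_decision(email, EXAMPLE_POLICY)}")
```

Two design points carry over to any implementation: store the allowlist already normalized so a misconfigured entry such as `Example.com.` cannot silently match nothing, and treat a sign-in that fails the domain check as an auditable event rather than a silent drop, since it is exactly the signal that the IdP is asserting identities the organization did not expect.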
SCIM over SAML
Organization SSO supports System for Cross-domain Identity Management (SCIM) alongside SAML to automate user provisioning and de-provisioning: the IdP pushes user and group changes to TiDB Cloud, so users can be managed in groups, and a user removed from the IdP is de-provisioned in TiDB Cloud rather than retaining access until someone notices.
Elevating Security and Efficiency with Organization SSO
The introduction of Organization Single Sign-On (SSO) for TiDB Cloud marks a significant stride in our commitment to provide top-tier security and streamlined operational efficiency for enterprise users. By addressing the core needs of our customers in security and compliance, and by integrating with popular Identity Providers, we’re not just enhancing the security of TiDB Cloud. We’re also transforming the user experience.
Organization SSO is now available for TiDB Serverless and TiDB Dedicated, two TiDB Cloud deployment options. If you have yet to explore them, you can get started for free by creating a TiDB Serverless cluster.