Use SAML SSO
CelerData supports user authentication using Security Assertion Markup Language (SAML) single sign-on (SSO). SSO enables account administrators to authenticate CelerData members via a specific identity provider (IdP). This allows members to sign in to their CelerData cloud account without further login credentials after they log in to the IdP.
You can integrate CelerData with any generic IdP that supports the SAML 2.0 protocol.
NOTE
- Only account administrators can configure SSO.
- After SSO is enabled, the creator of an account can sign in to that account by using both their login credentials and SSO. The other members within that account can only sign in to that account by using SSO.
- Currently, CelerData clusters do not support integration with SSO. You need to create users within the cluster by using SQL commands. For more details, see Manage database users in a CelerData cluster.
Enable SSO
The following example uses Okta as the IdP. The setup procedure is the same for any other generic IdP that supports the SAML 2.0 protocol.
Step 1: Prepare CelerData Redirect URL
- Sign in to the CelerData Cloud BYOC console as the account administrator.
- In the left-side navigation pane, choose Account > Account settings.
- On the Single sign-on tab of the Account settings page, click Configure to display the Configure Single Sign-On(SSO) dialog box.
- In the Configure Single Sign-On(SSO) dialog box, select an SSO protocol that your IdP supports. Currently, only SAML 2.0 is supported.
- Click the Copy icon next to the displayed URL in the CelerData redirect URL field and save the URL properly.
NOTE
Do not close the CelerData Cloud BYOC console. You will need to complete further configurations on the console in the following steps.
Step 2: Set up your IdP
Follow these steps to set up your IdP:
Sign in to the Okta Administration console as a member with administrator privileges.
In the left-side navigation pane, choose Applications > Applications.
On the Applications page, click Create App Integration to display the Create a new app integration dialog box.
In the Create a new app integration dialog box, choose a suitable sign-in method. Currently, CelerData supports only SAML 2.0.
Click Next.
On the General Settings tab of the Create SAML Integration page, enter a name for your application, optionally upload an application logo, specify whether to enable application visibility, and click Next.
On the Configure SAML tab of the Create SAML Integration page, configure the SAML settings as follows:
a. Paste the CelerData redirect URL you have copied to the Single sign-on URL field.
b. Enter an Audience URI. An audience URI is the application-defined unique identifier that is the intended audience of the SAML assertion. This is most often the SP Entity ID of your application, for example, urn:celerdata.
c. Choose EmailAddress from the Name ID format drop-down list.
d. Choose Email from the Application username drop-down list.
e. Choose Create and update from the Update application username on drop-down list.
f. Click Show Advanced Settings, and enter an SAML Issuer ID. It is a URL that starts with http://www.okta.com/ plus an identifier at the end, for example, http://www.okta.com/celerdata.
g. You can leave the items that are not mentioned here unchanged, and click Next.
On the Feedback tab of the Create SAML Integration page, choose I'm an Okta customer adding an internal app, and click Finish.
Step 3: Prepare IdP settings
In the left-side navigation pane of the Okta console, choose Applications > Applications.
On the Applications page, click the application you have created to enter the application detail page.
In the SAML Settings section of the General tab, copy the SAML Issuer ID and save it properly.
In the App Embed Link section of the General tab, copy the embed link and save it properly.
In the SAML Signing Certificates section of the Sign On tab, choose an active certificate, and choose Download certificate from the Actions drop-down list to download the certificate file.
Step 4: Configure and enable SSO on CelerData
- Return to the Configure Single Sign-On(SSO) dialog box on your CelerData Cloud BYOC console.
- Paste the embed link you have copied from your IdP to the Single Sign-On URL field.
- Paste the SAML Issuer ID you have copied from your IdP to the Entity ID field.
- Paste the content of the certificate file you have downloaded from your IdP to the x.509 Certificate field. The content should be a string that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
- Click Save.
- On the Single Sign-On (SSO) tab of the Account settings page, find the SSO configuration you have created, and click Enable.
The following table shows the correspondence of information you need across CelerData and Okta:
Copy from Okta console > Applications > Applications > choose your application > | Paste to CelerData Cloud BYOC console > Account > Account settings > Single sign-on > Configure > Configure Single Sign-On(SSO) > |
---|---|
General > SAML Settings > SAML Issuer ID | Entity ID |
General > App Embed Link > Embed Link | Single Sign-On URL |
Sign On > SAML Signing Certificates > choose an active certificate > Actions > Download certificate | x.509 Certificate |
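Before the certificate content is pasted in Step 4, the downloaded file can be checked from a terminal. The script below is an added example, not part of the CelerData or Okta documentation; it assumes the openssl command-line tool is installed, and the function name check_idp_cert and its optional minimum-days argument are chosen for this example.

```bash
#!/usr/bin/env bash
# Added example (not CelerData or Okta code): sanity-check the downloaded IdP
# signing certificate before pasting it into the x.509 Certificate field.
# check_idp_cert and its arguments are names chosen for this example.

check_idp_cert() {
    local pem="$1" min_days="${2:-30}"
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }

    # Strip CRs and blank lines, then require a single PEM block that starts
    # with the BEGIN marker and ends with the END marker.
    local body first last count
    body=$(tr -d '\r' < "$pem" | grep -v '^[[:space:]]*$' || true)
    first=$(printf '%s\n' "$body" | head -n 1)
    last=$(printf '%s\n' "$body" | tail -n 1)
    count=$(printf '%s\n' "$body" | grep -c -- '-----BEGIN CERTIFICATE-----' || true)
    if [ "$first" != "-----BEGIN CERTIFICATE-----" ] ||
       [ "$last" != "-----END CERTIFICATE-----" ] || [ "$count" -ne 1 ]; then
        echo "expected exactly one PEM certificate with nothing around it" >&2
        return 1
    fi

    # The base64 body must decode to a parseable X.509 certificate.
    if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
        echo "not a parseable X.509 certificate" >&2
        return 1
    fi

    # Flag a certificate that expires within min_days so rotation is planned.
    if ! openssl x509 -in "$pem" -noout -checkend "$((min_days * 86400))" >/dev/null; then
        echo "certificate expires within $min_days days" >&2
        return 1
    fi

    # Print subject, expiry date and SHA-256 fingerprint for review and records.
    openssl x509 -in "$pem" -noout -subject -enddate -fingerprint -sha256
}

# Run the check when a certificate path is given on the command line.
if [ "$#" -ge 1 ]; then
    check_idp_cert "$@"
fi
```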
Disable SSO
- Sign in to the CelerData Cloud BYOC console as the account administrator.
- In the left-side navigation pane, choose Account > Account settings.
- On the Single Sign-On (SSO) tab of the Account settings page, click Disable.
NOTE
Enabling or disabling SSO will not remove members' passwords to CelerData. After SSO is disabled, members who already have their passwords can still sign in to CelerData with their passwords. However, members who were invited while SSO was enabled do not have passwords. They must reset their passwords by clicking Forget Password when signing in to CelerData.
Modify SSO settings
- Sign in to the CelerData Cloud BYOC console as the account administrator.
- In the left-side navigation pane, choose Account > Account settings.
- On the Single Sign-On (SSO) tab of the Account settings page, click Configure.
- After you have modified the SSO settings, click Save.
NOTE
If you want to remove your SSO settings, you can delete all the settings and click Save. After that, SSO is automatically disabled.
Invite a new member to your account when SSO is enabled
When SSO is enabled, you need to invite a new member both to your IdP and to CelerData. The email address you use for both invitations must be the same.
The member to be invited will receive invitation emails from both the IdP and CelerData. They first need to set up a login credential on the IdP, and then sign in to their account with SSO.
Monitor audit logs when using SSO
Enabling, disabling, and editing SSO produce audit logs as follows: