Enable SAML Single Sign-on (SSO)

WarpStream supports SAML-based single sign-on (SSO) for your identity provider.

You can enable SAML-based single sign-on (SSO) by following the steps below.

Limitations

  • The SAML Single Logout (SLO) Protocol, including the Single Logout URL, is not supported in WarpStream SSO.

  • SSO connection names must be globally unique. If you have multiple WarpStream tenants, you cannot use the same SSO connection name for each tenant.

Prerequisites

  • You must have an existing SAML-based identity provider, such as Okta, OneLogin, or Microsoft Entra ID.

Enable SSO using WarpStream Console

  1. Open the WarpStream Console, go to the Team page, and click Configure SSO.

  2. In the SSO Identifier field, enter the unique SSO identifier that will be used to identify your organization. The value you enter is appended to the Single Sign-on URL, like this:
     https://console.warpstream.com/login/sso/<sso-identifier>
     The SSO identifier (<sso-identifier>) must include only lowercase letters, integers, and hyphen (-) characters. Typically, the organization name is used.

  3. In the SAML Sign In URL field, enter the SAML Protocol URL from your SSO provider. For example, in Okta this is called the Identity Provider Single Sign-On URL.

  4. Open a separate browser window, go to your identity provider SAML settings, and enter the generated values for the following SAML settings:

    1. Assertion consumer service URL (in Okta, the Single sign-on URL field): https://console.warpstream.com/login/callback?connection=<sso-identifier>

    2. Entity ID (in Okta, the Audience URI (SP Entity ID) field): urn:sso:saml:warpstream:<sso-identifier>

  5. In the SAML Entity ID field, enter the Entity ID from your SSO provider. In Okta this is called the Identity Provider Issuer.

  6. Upload the X509 Signing Certificate for your SSO Provider.

  7. Click Save.

You have successfully enabled SSO for the WarpStream Console. Users with access to your SSO application can now log in to your WarpStream tenant using https://console.warpstream.com/login/sso/<sso-identifier>

If you decide not to use the new settings, click Disable.

Supported SAML NameID formats

When SAML-enabled applications process a SAML assertion, the SAML NameID attribute is used to determine the username of the user signing in. WarpStream supports the following formats for the SAML name identifier (NameID):

  • nameid-format:emailAddress The Subject Name ID value from the identity provider uses the email address format. URI: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
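
A pre-flight check for the identity provider settings from step 4 and the NameID format above, as an added example (not WarpStream's code). It assumes a standard SAML 2.0 assertion where Audience carries the Entity ID and Recipient carries the assertion consumer service URL; the identifier `acme` and the sample assertion are constructed. It checks configuration only and does not validate signatures.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SSO_ID_RE = re.compile(r"[a-z0-9-]+")  # lowercase letters, integers, hyphens
# Constructed test assertion from a misconfigured IdP app (wrong NameID format).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
    <saml:SubjectConfirmation><saml:SubjectConfirmationData
      Recipient="https://console.warpstream.com/login/callback?connection=acme"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:sso:saml:warpstream:acme</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

def expected_sp_values(sso_id):
    """Derive the values this page lists for a given SSO identifier."""
    if not SSO_ID_RE.fullmatch(sso_id):
        raise ValueError(f"invalid SSO identifier: {sso_id!r}")
    base = "https://console.warpstream.com/login"
    return {
        "login_url": f"{base}/sso/{sso_id}",
        "acs_url": f"{base}/callback?connection={sso_id}",
        "entity_id": f"urn:sso:saml:warpstream:{sso_id}",
    }

def check_assertion(xml_text, sso_id):
    """Return a list of mismatches between a test assertion and the expected values."""
    sp = expected_sp_values(sso_id)
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if sp["entity_id"] not in audiences:
        problems.append(f"Audience {audiences} does not include {sp['entity_id']}")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != sp["acs_url"]:
        problems.append(f"Recipient {recipient!r} is not {sp['acs_url']}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != EMAIL_FORMAT:
        problems.append(f"NameID Format {fmt!r} is not {EMAIL_FORMAT}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_assertion(SAMPLE, "acme")) or "OK")
```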
