Enable SAML Single Sign-on (SSO)

WarpStream supports SAML-based single sign-on (SSO) for your identity provider.

You can enable SAML-based single sign-on (SSO) by following the steps below.

Limitations

  • The SAML Single Logout (SLO) Protocol, including the Single Logout URL, is not supported in WarpStream SSO.

  • SSO connection names must be globally unique. If you have multiple WarpStream tenants, you cannot use the same SSO connection name for each tenant.

Prerequisites

  • You must have an existing SAML-based identity provider, such as Okta, OneLogin, or Microsoft Entra ID.

Enable SSO using WarpStream Console

  1. Open the WarpStream Console, go to the Team page, and click Configure SSO.

  2. In the SSO Identifier field, enter the unique SSO identifier that will be used to identify your organization. The value you enter is appended to the Single Sign-on URL, like this:

     https://console.warpstream.com/login/sso/<sso-identifier>

     The SSO identifier (<sso-identifier>) must include only lowercase letters, integers, and hyphen (-) characters. Typically, the organization name is used.

  3. In the SAML Sign In URL field, enter the SAML Protocol URL from your SSO provider. For example, in Okta this is called the Identity Provider Single Sign-On URL.

  4. Open a separate browser window, go to your identity provider's SAML settings, and enter the generated values for the following SAML settings:

    1. Assertion consumer service URL: https://console.warpstream.com/login/callback?connection=<sso-identifier>
       In Okta this is the Single sign-on URL field.

    2. Entity ID: urn:sso:saml:warpstream:<sso-identifier>
       In Okta this is the Audience URI (SP Entity ID) field.

  5. In the SAML Entity ID field, enter the Entity ID from your SSO provider. In Okta this is called the Identity Provider Issuer.

  6. Upload the X509 Signing Certificate for your SSO Provider.

  7. Click Save.

You have successfully enabled SSO for the WarpStream Console. Users with access to your SSO application can now log in to your WarpStream tenant using https://console.warpstream.com/login/sso/<sso-identifier>

If you decide not to use the new settings, click Disable.

Supported SAML NameID formats

When SAML-enabled applications process a SAML assertion, the SAML NameID attribute is used to determine the username of the user signing in. WarpStream supports the following formats for the SAML name identifier (NameID):

  • nameid-format:emailAddress
    The Subject Name ID value from the identity provider uses the email address format.
    URI: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
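
A pre-rollout check for the settings above, added here as an example (it is not WarpStream's code): it derives the identifier-dependent values from this page and compares a sample assertion's Audience, Recipient and NameID Format against them. Assumptions: the function names, the `acme-corp` identifier and the sample assertion are constructed, "integers" is read as the digits 0-9, and matching the ACS URL to `Recipient` and the Entity ID to `Audience` follows standard SAML 2.0 usage; signatures are not verified, so run it only on assertions from your own IdP's preview tool.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Assumption: "integers" in the identifier rule means the digits 0-9.
SSO_ID_RE = re.compile(r"[a-z0-9-]+")

def expected_sp_values(sso_id):
    """Values the page says to use for a given SSO identifier."""
    if not SSO_ID_RE.fullmatch(sso_id):
        raise ValueError("SSO identifier: lowercase letters, digits and '-' only")
    base = "https://console.warpstream.com/login"
    return {
        "login_url": f"{base}/sso/{sso_id}",
        "acs_url": f"{base}/callback?connection={sso_id}",
        "entity_id": f"urn:sso:saml:warpstream:{sso_id}",
    }

def check_assertion(xml_text, sso_id):
    """Return the mismatches between an assertion and the expected values."""
    want = expected_sp_values(sso_id)
    root = ET.fromstring(xml_text)
    def attr(path, name):
        node = root.find(path, NS)
        return node.get(name, "") if node is not None else ""
    checks = [
        ("Audience", root.findtext(".//saml:Audience", "", NS).strip(), want["entity_id"]),
        ("Recipient", attr(".//saml:SubjectConfirmationData", "Recipient"), want["acs_url"]),
        ("NameID Format", attr(".//saml:Subject/saml:NameID", "Format"), EMAIL_FORMAT),
    ]
    return [f"{name}: got {got!r}, expected {exp!r}"
            for name, got, exp in checks if got != exp]

# Constructed sample (not real IdP output): Recipient is right, but the Audience
# uses a different identifier and the NameID is not in email address format.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://console.warpstream.com/login/callback?connection=acme-corp"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:sso:saml:warpstream:acme</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

print("\n".join(check_assertion(SAMPLE, "acme-corp")))
```

An empty result means the IdP application is sending the audience, recipient and NameID format this page calls for.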


Last updated 3 months ago