Authenticate via Browser-based SSO using JWTs
On this page
Note
SingleStore Helios supports browser-based single sign-on (SSO) with Google Chrome, Mozilla Firefox, and Microsoft Edge.
SingleStore Helios supports authentication via browser-based SSO using JWTs only for the SingleStore JDBC driver and SingleStore ODBC driver.
The SingleStore authentication helper utility, singlestore-auth-helper, enables browser-based passwordless login using the SingleStore and MySQL clients.singlestore-auth-helper utility using Go.
-
Download Go installer version 1.
18. 2 or later. -
Run the following command, which is tested with Go v1.
18. 2: go install github.com/memsql/singlestore-auth-helper@latest
Note
The singlestore-auth-helper is not required for browser-based SSO authentication with the SingleStore JDBC driver.
The browser-based SSO authentication workflow opens the default browser to the SingleStore Helios login page.
Use JWTs with the SingleStore and MySQL Clients
To use a JWT with the SingleStore client to connect to your SingleStore Helios workspace, replace the password with the JWT:
singlestore -u $EMAIL_ADDRESS -h $CLUSTER_HOSTNAME -P $CLUSTER_PORT --password=$JWT --ssl=TRUE --enable-cleartext-plugin
Similarly, to use a JWT with the MySQL client to connect to your SingleStore Helios workspace, replace the password with the JWT.
mysql -u $EMAIL_ADDRESS -h $CLUSTER_HOSTNAME -P $CLUSTER_PORT --password=`singlestore-auth-helper` --ssl=TRUE
Authenticate via the SingleStore JDBC Driver Using Browser-Based SSO
Note
To authenticate your connection to the SingleStore Helios workspace via SingleStore JDBC driver using JWTs, the SingleStore user must connect via SSL and use JWT for authentication.
To authenticate your connection to a SingleStore Helios workspace with browser-based single sign-on (SSO), add the following parameter to the connection string:
credentialType=BROWSER_SSO
Using the credentialType=BROWSER_ parameter in the connection string tells the driver to use the BrowserCredentialPlugin class for authentication.
To authenticate using browser-based SSO on Linux distributions, you must have the gnome-keyring-daemon and an active Login Password Keyring.
Note
The keyring must have only one username-token pair for a specific user.
If there is no token in the keyring, or the existing token has expired, the driver launches the default browser to initiate the authentication workflow.
The driver receives the following information from the JWT generated by SingleStore Helios:
-
expiration: Timestamp for when the token expires (in RFC3339 format). -
token: Base64-encoded JWT token, which is used as the password. -
username: Username for the database.By default, it is the user’s authentication email address. -
email: Email address used in the next invocation of the authentication helper.
Note
Do not specify a user or password in the connection string.
You must set the connect_ engine variable to a value that’s long enough to allow a user to successfully complete the browser-based login.300 specifies that the user has 300 seconds to complete the login process.connect_ value via the SET GLOBAL command.
SET GLOBAL connect_timeout = 300;
Authenticate via the SingleStore ODBC Driver Using Browser-Based SSO
To authenticate your connection to the SingleStore Helios workspace via ODBC using browser-based SSO, add the BROWSER_ parameter to the connection string.
When the BROWSER_ parameter is enabled, the driver launches the default browser to the Cloud Portal for the first connection request.
To authenticate using browser-based SSO on Linux distributions, you must have the gnome-keyring-daemon and an active Login Password Keyring.
For subsequent logins, the access token is read from the OS-specific keyring.
To skip the interaction with the keyring and login via the browser on each connection attempt, enable the IGNORE_ connection parameter.
Install a Gnome Keyring Manager for Linux Distributions
You can store and manage tokens in the Login Password Keyring on Linux distributions using a Gnome Keyring manager, for example, Seahorse.seahorse package:
-
Run the following command on the terminal to install the seahorse package.
Debian
sudo apt-get install seahorseRed Hat
sudo yum install seahorse -
Once the installation is complete, open Seahorse.
-
Configure a Password Keyring.
Select + (Add a new key or item) > Password Keyring. -
Enter a name and password for the new keyring.
-
Set the new keyring as the default.
Create a JWT User
Note
Creating JWT users is only supported in SingleStore Helios workspaces running SingleStore v7.
By default, each member of a SingleStore Helios organization that belongs to a workspace has a corresponding JWT user created for that workspace.
You can also manually create a JWT user using the following command:
CREATE USER 'email@example.com'@'%' IDENTIFIED WITH authentication_jwt REQUIRE SSL;
where:
-
email@example.is the JWT user’s username.com As of SingleStore version 8. 1. 5, you may also create a JWT user with a username that resembles an email address or a UUID. -
IDENTIFIED WITH authentication_sets the user’s authentication method to use a JWT.jwt -
REQUIRE SSL(mandatory) enforces the use of SSL for the JWT connection.
A JWT user whose username conflicts with an organization user's email address is treated as an organization user.
Related Topics
Last modified: August 2, 2023