Configure single sign-on (SSO)

As an administrator of a Materialize organization, you can configure single sign-on (SSO) as an additional layer of account security using your existing SAML- or OpenID Connect-based identity provider. This ensures that all users can securely log in to the Materialize console using the same authentication scheme and credentials across all systems in your organization.

NOTE: Single sign-on in Materialize only supports authentication into the Materialize console. Permissions within the database are handled separately using role-based access control.

Before you begin

To configure SSO, the following requirements apply:

  • You must have an existing SAML- or OpenID Connect-based identity provider.
  • Only users assigned the OrganizationAdmin role can view and modify SSO settings.

Configure authentication

  • Click Add New and choose the OpenID Connect connection type.

  • Add the issuer URL, client ID, and secret key provided by your identity provider.

  • Click Add New and choose the SAML connection type.

  • Add the SSO endpoint and public certificate provided by your identity provider.

  • Optionally, add the SSO domain provided by your identity provider. Click Proceed.

  • Select the organization role for the user:

    Organization Admin
    • Console access: Has access to all Materialize console features, including administrative features (e.g., invite users, create service accounts, manage billing, and organization settings).
    • Database access: Has superuser privileges in the database.

    Organization Member
    • Console access: Has no access to Materialize console administrative features.
    • Database access: Inherits role-level privileges defined by the PUBLIC role; may also have additional privileges via grants or default privileges. See Access control.

    NOTE:
    • The first user for an organization is automatically assigned the Organization Admin role.

    An Organization Admin has superuser privileges in the database. Following the principle of least privilege, assign the Organization Admin role only to those users who require superuser privileges.

    • Users/service accounts can be granted additional database roles and privileges as needed.
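
For the OpenID Connect connection type above, the issuer URL can be checked against the metadata your identity provider publishes before you enter it. This is an added example, not part of Materialize or its documentation; the idp.example.com values and the sample discovery document are constructed, and it makes no claim about how Materialize itself validates the connection.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of the metadata an IdP serves at
# <issuer>/.well-known/openid-configuration (idp.example.com is a placeholder).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com/tenant1",
    "authorization_endpoint": "https://idp.example.com/tenant1/authorize",
    "token_endpoint": "https://idp.example.com/tenant1/token",
    "jwks_uri": "https://idp.example.com/tenant1/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Fields that OpenID Connect Discovery 1.0 marks as REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")


def discovery_url(issuer):
    """Metadata location for an issuer: strip a trailing '/', append the well-known path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer(issuer, discovery_json):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer must be an https URL with a host")
    if parts.query or parts.fragment:
        problems.append("issuer must not contain a query or fragment")
    try:
        doc = json.loads(discovery_json)
        if not isinstance(doc, dict):
            raise ValueError("not a JSON object")
    except ValueError:
        return problems + ["discovery document is not a JSON object"]
    problems += [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    # Discovery requires an exact string match; a mismatch means the metadata
    # describes a different issuer than the one being configured.
    if doc.get("issuer") != issuer:
        problems.append("issuer in discovery document does not match")
    for key, value in doc.items():
        https = isinstance(value, str) and value.startswith("https://")
        if (key.endswith("_endpoint") or key == "jwks_uri") and not https:
            problems.append(f"{key} is not an https URL")
    return problems
```

Fetch the document from `discovery_url(issuer)` with your usual HTTP client and pass its body as `discovery_json`; a non-empty result is worth resolving with the identity provider's administrator before saving the connection.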

Next steps

The organization role for a user/service account determines the default level of database access. Once the account creation is complete, you can use role-based access control (RBAC) to control access for that account.
