Authentication & SSO
As an account administrator, you can manage how your team and users access Cube Cloud.
You can authenticate using email and password, a GitHub account, or a Google account. Cube Cloud also provides single sign-on (SSO) via identity providers supporting SAML 2.0, e.g., Okta, Google Workspace, Azure AD, etc.
Finally, Cube Cloud provides LDAP integration, enabling users of APIs & integrations to authenticate via an LDAP catalog and assume roles that work with access policies once authentication integration is enabled.
Authentication is available in Cube Cloud on all product tiers.
SAML 2.0 and LDAP integration are available on Enterprise and above product tiers.
Configuration
To manage authentication settings, navigate to settings of your Cube Cloud account, and switch to the tab:
Use the toggles in , , and sections to enable or disable these authentication options.
SAML 2.0
Use the toggle in the section to enable or disable the authentication via an identity provider supporting the SAML 2.0 protocol. Once it’s enabled, you’ll see the section directly below.
Check the following guides to get tool-specific instructions on configuration:
LDAP integration
Use the toggle in the section to enable or disable the integration with an LDAP catalog. Once it’s enabled, you’ll see the section directly below.
Cube Cloud will be accessing your LDAP server from the IP addresses shown under . If needed, add these IP addresses to an allowlist.
You can configure connection settings and use the button to validate them. You can also configure user properties mapping, user roles mapping, and user attributes mapping.
Connection settings
You have to configure the following connection settings:
| Option | Description |
|---|---|
| Address of your LDAP server | |
| Use an encrypted connection (LDAPS) | |
| Disable certificate authority verification | |
| Certificate for LDAPS in the PEM format | |
| Certificate for the private CA in the PEM format | |
| Key for mutual TLS (mTLS) in the PEM format | |
| User name for LDAP authentication | |
| Password for LDAP authentication | |
| Base DN for searching users | |
| Object class for user entries | |
Use the tooltips in Cube Cloud to get more information about each setting.
User properties mapping
You have to configure how user data in an LDAP catalog maps to user properties in Cube Cloud. The following properties are required:
| Property | Description |
|---|---|
| Login name | |
| Unique identifier | |
| Email address | |
| Full name | |
Use the tooltips in Cube Cloud to get more information about each setting.
User roles mapping
You can configure how user data in an LDAP catalog maps to roles in Cube Cloud. You can also use mapped roles with access policies once authentication integration is enabled.
Mapping is performed as follows:
- is retrieved from an LDAP catalog.
- Retrieved value is transformed using rules under .
- If the value matches an existing role in Cube Cloud, then the user assumes this role.
Additionally, the user always assumes the role specified under .
All roles will be available under the cubeCloud.roles array in the security context:
{
  "cubeCloud": {
    "roles": [
      "Everyone",
      "manager"
    ]
  }
}
User attributes mapping
You can also bring more user data from an LDAP catalog to use with access policies. Mapping is performed using the rules under .
All mapped attributes and their values will be available under the cubeCloud.userAttributes dictionary in the security context:
{
  "cubeCloud": {
    "userAttributes": {
      "fullName": "John Doe",
      "department": "Finance",
      "location": "San Mateo"
    }
  }
}
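The following is an added example, not code from the Cube documentation: it shows one way to consume the cubeCloud.roles array and cubeCloud.userAttributes dictionary described above so that a missing or malformed security context denies access instead of returning unfiltered data. The `orders.department` member, the rule that `manager` is unrestricted, and the function names are hypothetical; it is assumed that `scopeQuery` would be called from Cube's `queryRewrite` configuration hook.

```javascript
// Hypothetical policy: members of "manager" see every department,
// everyone else is restricted to the department mapped from LDAP.
const UNRESTRICTED_ROLE = 'manager';
const DEPARTMENT_MEMBER = 'orders.department'; // hypothetical data model member

// Extract roles and attributes, tolerating a missing or malformed context.
function readIdentity(securityContext) {
  const cc = (securityContext && securityContext.cubeCloud) || {};
  const roles = Array.isArray(cc.roles) // a bare string must not pass as a role list
    ? cc.roles.filter((r) => typeof r === 'string')
    : [];
  const ua = cc.userAttributes;
  const attrs = ua && typeof ua === 'object' && !Array.isArray(ua) ? ua : {};
  return { roles, attrs };
}

// Return the query with a row-level filter applied, or throw (fail closed).
function scopeQuery(query, securityContext) {
  const { roles, attrs } = readIdentity(securityContext);
  if (roles.length === 0) {
    throw new Error('No roles in security context: access denied');
  }
  if (roles.includes(UNRESTRICTED_ROLE)) {
    return query;
  }
  const department = attrs.department;
  if (typeof department !== 'string' || department.trim() === '') {
    throw new Error('No department attribute mapped: access denied');
  }
  return {
    ...query,
    filters: [
      ...(query.filters || []),
      { member: DEPARTMENT_MEMBER, operator: 'equals', values: [department] },
    ],
  };
}

// Constructed sample contexts, shaped like the JSON shown on this page.
const analyst = {
  cubeCloud: { roles: ['Everyone'], userAttributes: { department: 'Finance' } },
};
const manager = { cubeCloud: { roles: ['Everyone', 'manager'] } };

console.log(JSON.stringify(scopeQuery({ measures: ['orders.count'] }, analyst)));
```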