Authentication & SSO
As an account administrator, you can manage how your team and users access Cube Cloud.
You can authenticate using email and password, a GitHub account, or a Google account. Cube Cloud also provides single sign-on (SSO) via identity providers supporting SAML 2.0, such as Okta, Google Workspace, and Azure AD.
Finally, Cube Cloud provides LDAP integration, which lets users of APIs & integrations authenticate via an LDAP catalog and assume roles that work with data access policies once authentication integration is enabled.
Authentication is available in Cube Cloud on all product tiers.
SAML 2.0 and LDAP integration are available on Enterprise and above product tiers.
Configuration
To manage authentication settings, navigate to Team & Security settings of your Cube Cloud account, and switch to the Authentication & SSO tab:
Use the toggles in Password, Google, and GitHub sections to enable or disable these authentication options.
SAML 2.0
Use the toggle in the SAML 2.0 section to enable or disable authentication via an identity provider supporting the SAML 2.0 protocol. Once it's enabled, you'll see the SAML 2.0 Settings section directly below.
Check the following guides to get tool-specific instructions on configuration:
LDAP integration
Use the toggle in the LDAP Integration section to enable or disable the integration with an LDAP catalog. Once it's enabled, you'll see the LDAP Settings section directly below.
Cube Cloud will be accessing your LDAP server from the IP addresses shown under LDAP Settings. If needed, add these IP addresses to an allowlist.
You can configure connection settings and use the Test Connection button to validate them. You can also configure user properties mapping, user roles mapping, and user attributes mapping.
Connection settings
You have to configure the following connection settings:
Option | Description |
---|---|
LDAP Server URL | Address of your LDAP server |
Use Secure LDAP | Use an encrypted connection (LDAPS) |
Don't Verify CA | Disable certificate authority verification |
Certificate | Certificate for LDAPS in the PEM format |
Certificate Authority | Certificate for the private CA in the PEM format |
Key | Key for mutual TLS (mTLS) in the PEM format |
Bind DN | User name for LDAP authentication |
Bind Credentials | Password for LDAP authentication |
Search Base | Base DN for searching users |
User Object Class | Object class for user entries |
Use the tooltips in Cube Cloud to get more information about each setting.
User properties mapping
You have to configure how user data in an LDAP catalog maps to user properties in Cube Cloud. The following properties are required:
Property | Description |
---|---|
Login Attribute | Login name |
Id Attribute | Unique identifier |
Email Attribute | Email address |
Name Attribute | Full name |
Use the tooltips in Cube Cloud to get more information about each setting.
User roles mapping
You can configure how user data in an LDAP catalog maps to roles in Cube Cloud. You can also use mapped roles with data access policies once authentication integration is enabled.
Mapping is performed as follows:
- Roles Attribute is retrieved from an LDAP catalog.
- Retrieved value is transformed using rules under Role mapping.
- If the value matches an existing role in Cube Cloud, then the user assumes this role.
Additionally, the user always assumes the role specified under Default Cloud role.
All roles will be available under the cubeCloud.roles array in the security context:
{
  "cubeCloud": {
    "roles": [
      "Everyone",
      "manager"
    ]
  }
}
User attributes mapping
You can also bring more user data from an LDAP catalog to use with data access policies. Mapping is performed using the rules under Attribute mapping.
All mapped attributes and their values will be available under the cubeCloud.userAttributes dictionary in the security context:
{
  "cubeCloud": {
    "userAttributes": {
      "fullName": "John Doe",
      "department": "Finance",
      "location": "San Mateo"
    }
  }
}
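The role mapping and attribute mapping steps described above, modelled as an added JavaScript example. It is not Cube Cloud's own code: the lookup-table rule format, the `settings` object, the `buildSecurityContext` function, and the sample LDAP entry are assumptions made for illustration.

```javascript
// Added example: a model of the mapping steps above, not Cube Cloud's code.
// Rule formats (plain lookup tables) and all sample values are assumptions.
const ldapEntry = { // constructed directory entry
  uid: "jdoe",
  cn: "John Doe",
  departmentNumber: "Finance",
  l: "San Mateo",
  memberOf: [
    "cn=bi-managers,ou=groups,dc=example,dc=com",
    "cn=legacy-bi,ou=groups,dc=example,dc=com",     // rule targets a missing role
    "cn=domain-admins,ou=groups,dc=example,dc=com", // no rule at all
  ],
};

const settings = {
  rolesAttribute: "memberOf",
  roleMapping: new Map([
    ["cn=bi-managers,ou=groups,dc=example,dc=com", "manager"],
    ["cn=legacy-bi,ou=groups,dc=example,dc=com", "superuser"],
  ]),
  existingRoles: new Set(["Everyone", "manager", "analyst"]),
  defaultRole: "Everyone",
  attributeMapping: new Map([
    ["cn", "fullName"],
    ["departmentNumber", "department"],
    ["l", "location"],
  ]),
};

function buildSecurityContext(entry, cfg) {
  // The default role is always assumed, so it should carry the least privilege.
  const roles = new Set([cfg.defaultRole]);
  // LDAP attributes can be single- or multi-valued; normalise to an array.
  for (const value of [].concat(entry[cfg.rolesAttribute] ?? [])) {
    const mapped = cfg.roleMapping.get(value);
    // Fail closed: unmapped values and unknown target roles grant nothing.
    if (mapped !== undefined && cfg.existingRoles.has(mapped)) roles.add(mapped);
  }
  const userAttributes = {};
  for (const [ldapName, cubeName] of cfg.attributeMapping) {
    if (entry[ldapName] !== undefined) userAttributes[cubeName] = entry[ldapName];
  }
  return { cubeCloud: { roles: [...roles], userAttributes } };
}

console.log(JSON.stringify(buildSecurityContext(ldapEntry, settings), null, 2));
```

In this model, a group with no rule and a rule pointing at a role that does not exist both leave the user with only the default role plus any roles that matched.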