
Okta (SAML 2.0)

This topic describes how to configure single sign-on (SSO) with Okta using the SAML 2.0 protocol.

In this guide, Zilliz Cloud acts as the Service Provider (SP) and Okta acts as the Identity Provider (IdP). The following diagram illustrates the necessary steps in the Zilliz Cloud console and the Okta Admin Console.


Before you start

  • Your Zilliz Cloud organization has at least one Dedicated (Enterprise) cluster.

  • You have admin access to the Okta Admin Console. For more information, refer to the official Okta documentation.

  • You are the Organization Owner in the Zilliz Cloud organization where SSO is to be configured.

Configuration steps

Step 1: Access SP details in Zilliz Cloud console

As the SP, Zilliz Cloud provides the Audience URL (SP Entity ID) and Single sign-on URL required when setting up your SAML app in Okta.

  1. Log in to the Zilliz Cloud console and go to the organization for which you want to configure SSO.

  2. In the left-side navigation pane, click Settings.

  3. On the Settings page, find the Single Sign-On (SSO) section and click Configure.

  4. In the dialog box that appears, choose Okta (SAML 2.0) as your IdP and protocol.

  5. In the Service Provider Details card, copy your Audience URL (SP Entity ID) and Single sign-on URL. These values will be required in Step 2 when creating a SAML app in Okta Admin Console.

  6. Once that's done, proceed to Step 2.

Step 2: Create a SAML app in Okta Admin Console

In this step, you configure Okta (the IdP) with the SP details obtained from Zilliz Cloud.

  1. Log in to the Okta Admin console.

  2. In the left-side navigation pane, choose Applications > Applications.

  3. Click Create App Integration.

  4. In the Create a new app integration dialog box, select SAML 2.0 and click Next.

  5. For simplicity, set App name to zilliz, then click Next.

  6. In the General area of the Configure SAML step, configure the fields below:

    • Single sign-on URL:

      • Paste the Single sign-on URL you copied from Zilliz Cloud console in Step 1 here.

      • Be sure to check the box labeled "Use this for Recipient URL and Destination URL" to ensure correct routing during SAML requests.

    • Audience URI (SP Entity ID): Paste the Audience URL (SP Entity ID) you copied from Zilliz Cloud console in Step 1 here.

  7. In the Attribute Statements (optional) area, specify:

    • Name: Set the value to email.

    • Value: Select user.email from the drop-down list.

  8. Click Next, then click Finish. You will be redirected to the app page.

  9. On the Sign On tab of the app page, locate Metadata URL and click Copy. This URL will be required in the Zilliz Cloud console in Step 3.

    📘Notes

    Alternatively, click More details to get the following details:

    • Sign on URL: Copy the URL. It will be required in Zilliz Cloud console if the Manual mode is selected in Step 3.

    • Signing Certificate: Click Download to save the certificate to your local computer. It will be required in Zilliz Cloud console if the Manual mode is selected in Step 3.

Step 3: Configure IdP settings in Zilliz Cloud console

In this step, you provide Okta’s IdP details back to Zilliz Cloud to complete the SAML trust relationship.

  1. Go back to the Zilliz Cloud console.

  2. In the Identity Provider Details card of the Configure Single Sign-On (SSO) dialog box, paste the Metadata URL you copied from Okta Admin Console in Step 2.

    📘Notes

    Alternatively, if you select the Manual mode for IdP detail configuration, configure:

    • Sign On URL: Paste the Sign on URL you copied from Okta Admin Console in Step 2 here.

    • Signing Certificate: Upload the certificate you downloaded from Okta Admin Console in Step 2 here. Make sure the entire certificate content, including the lines beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----, is provided.

  3. Once that's done, click Save.

Post-configuration tasks

Task 1: Assign SAML app to users

Before users can access Zilliz Cloud through SSO, you need to assign the Okta application to them:

  1. On the app details page of the Okta Admin console, click Assignments.

  2. Choose Assign > Assign to People.

  3. Assign the SAML app to the user and save the changes.

  4. Click Save and Go Back.

Repeat for all users as needed. See the Okta documentation for more information.

Task 2: Invite users to your project

When users log in to Zilliz Cloud via SSO for the first time, they are registered as an Organization Member but have no access to any project by default.

  • The Organization Owner must invite them into the appropriate projects.

  • For step-by-step instructions on how to invite users to a project, refer to Manage Project Users.

After enterprise users have been invited to a project, the Organization Owner can share the Zilliz Cloud login URL with them so they can sign in through SSO.

If you encounter any issues during the setup or testing process, contact Zilliz support.
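
When a test sign-in fails, it helps to confirm that the response Okta posts carries the values configured in Step 2. The following added example (not Zilliz or Okta code) decodes a base64 `SAMLResponse` form value and reports mismatches in Destination, Recipient, Audience and the `email` attribute. The URLs are placeholders for the values copied in Step 1, the sample response is constructed and unsigned, and `check_response` and `build_sample` are hypothetical names.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Placeholders for the two values copied from the Zilliz Cloud console in Step 1.
ACS_URL = "https://sp.example.com/sso/acs"
AUDIENCE = "https://sp.example.com/sso/entity"

def build_sample(destination, attr_name="email"):
    """Constructed, unsigned SAMLResponse for this demo; not captured from Okta."""
    xml = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" Destination="{destination}">
 <a:Assertion><a:Subject><a:SubjectConfirmation>
   <a:SubjectConfirmationData Recipient="{destination}"/>
  </a:SubjectConfirmation></a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>{AUDIENCE}</a:Audience>
  </a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement><a:Attribute Name="{attr_name}">
   <a:AttributeValue>user@example.com</a:AttributeValue>
  </a:Attribute></a:AttributeStatement></a:Assertion>
</p:Response>"""
    return base64.b64encode(xml.encode()).decode()

def check_response(b64_response, acs_url=ACS_URL, audience=AUDIENCE):
    """List mismatches between a SAMLResponse and the Step 2 settings.
    Configuration diagnostic only: the signature is not verified here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination differs from the Single sign-on URL")
    recipients = [d.get("Recipient")
                  for d in root.iterfind(".//a:SubjectConfirmationData", NS)]
    if not recipients or any(r != acs_url for r in recipients):
        problems.append("Recipient differs from the Single sign-on URL")
    audiences = [(e.text or "").strip() for e in root.iterfind(".//a:Audience", NS)]
    if audience not in audiences:
        problems.append("Audience differs from the Audience URL (SP Entity ID)")
    emails = [(v.text or "").strip()
              for attr in root.iterfind(".//a:Attribute", NS) if attr.get("Name") == "email"
              for v in attr.iterfind("a:AttributeValue", NS)]
    if not any("@" in e for e in emails):
        problems.append("no 'email' attribute carrying an address")
    return problems

if __name__ == "__main__":
    print(check_response(build_sample(ACS_URL)))
    print(check_response(build_sample("https://sp.example.com/other", "mail")))
```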

FAQ

What role is assigned to users who log in via SSO for the first time?

New users who do not already have a Zilliz Cloud account will be automatically created upon their first SSO login. These users are assigned the Organization Member role by default. You can modify their roles later in the Zilliz Cloud console. For detailed steps, refer to Manage Project Users.

How do users access projects after SSO login?

After logging in via SSO, users will have the Organization Member role by default. To access specific projects, an Organization Owner or Project Admin must invite them to projects. For detailed steps, see Manage Project Users.

What happens if a user already has a Zilliz Cloud account before logging in with SSO?

If the user already exists in your Zilliz Cloud organization (based on their email), they will retain their original role and permissions when logging in via SSO. The system matches users by email address and does not overwrite existing accounts.

Can I configure multiple SSO providers for the same organization?

Currently, each Zilliz Cloud organization supports only one active SAML SSO configuration at a time.