Home  /  Manage Materialize  /  User and service accounts

Configure single sign-on (SSO)

As an administrator of a Materialize organization, you can configure single sign-on (SSO) as an additional layer of account security using your existing SAML- or OpenID Connect-based identity provider. This ensures that all users can securely log in to the Materialize console using the same authentication scheme and credentials across all systems in your organization.

NOTE: Single sign-on in Materialize only supports authentication into the Materialize console. Permissions within the database are handled separately using role-based access control.

Before you begin

To make Materialize metadata available to Datadog, you must configure and run the following additional services:

  • You must have an existing SAML- or OpenID Connect-based identity provider.
  • Only users assigned the OrganizationAdmin role can view and modify SSO settings.

Configure authentication

    • Click Add New and choose the OpenID Connect connection type.

    • Add the issuer URL, client ID, and secret key provided by your identity provider.

    • Click Add New and choose the SAML connection type.

    • Add the SSO endpoint and public certificate provided by your identity provider.

    • Optionally, add the SSO domain provided by your identity provider. Click Proceed.

    • Select the organization role for the user:

      Organization role Description
      Organization Admin

      • Console access: Has access to all Materialize console features, including administrative features (e.g., invite users, create service accounts, manage billing, and organization settings).

      • Database access: Has superuser privileges in the database.
      Organization Member

      • Console access: Has no access to Materialize console administrative features.

      • Database access: Inherits role-level privileges defined by the PUBLIC role; may also have additional privileges via grants or default privileges. See Access control control.
      NOTE:

      • The first user for an organization is automatically assigned the Organization Admin role.

      • An Organization Admin has superuser privileges in the database. Following the principle of least privilege, only assign Organization Admin role to those users who require superuser privileges.

      • Users/service accounts can be granted additional database roles and privileges as needed.

    Next steps

    The organization role for a user/service account determines the default level of database access. Once the account creation is complete, you can use role-based access control (RBAC) to control access for that account.
    Back to top ↑