Configure single sign-on (SSO)
As an administrator of a Materialize organization, you can configure single sign-on (SSO) as an additional layer of account security using your existing SAML- or OpenID Connect-based identity provider. This ensures that all users can securely log in to the Materialize console using the same authentication scheme and credentials across all systems in your organization.
Before you begin
Before you configure SSO, make sure the following prerequisites are met:
- You must have an existing SAML- or OpenID Connect-based identity provider.
- Only users assigned the OrganizationAdmin role can view and modify SSO settings.
Configure authentication
- Navigate to Account > Account Settings > SSO.
- OpenID Connect:
  - Click Add New and choose the OpenID Connect connection type.
  - Add the issuer URL, client ID, and secret key provided by your identity provider.
- SAML:
  - Click Add New and choose the SAML connection type.
  - Add the SSO endpoint and public certificate provided by your identity provider.
- Optionally, add the SSO domain provided by your identity provider. Click Proceed.
- Select the organization role for the user:
  Organization role and description:
  - Organization Admin
    - Console access: Has access to all Materialize console features, including administrative features (e.g., invite users, create service accounts, manage billing, and organization settings).
    - Database access: Has superuser privileges in the database.
  - Organization Member
    - Console access: Has no access to Materialize console administrative features.
    - Database access: Inherits role-level privileges defined by the PUBLIC role; may also have additional privileges via grants or default privileges. See Access control.
  NOTE:
  - The first user for an organization is automatically assigned the Organization Admin role.
  - An Organization Admin has superuser privileges in the database. Following the principle of least privilege, only assign the Organization Admin role to those users who require superuser privileges.
  - Users/service accounts can be granted additional database roles and privileges as needed.
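A pre-flight check you can run on the OpenID Connect issuer URL before entering it in the SSO form, written as an added example (it is not Materialize code). It applies the OpenID Connect Discovery rules to the provider's already-fetched metadata document. Assumptions: the function names are illustrative, and `idp.example.com` and the sample metadata are constructed values.

```python
import json
from urllib.parse import urlsplit

# Fields OIDC Discovery marks as required, plus token_endpoint (assumed needed
# because the connection uses a client secret, i.e. a code-flow client).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample values, not taken from any real identity provider.
SAMPLE_ISSUER = "https://idp.example.com/tenant-a"
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://idp.example.com/tenant-a",
  "authorization_endpoint": "https://idp.example.com/tenant-a/authorize",
  "token_endpoint": "https://idp.example.com/tenant-a/token",
  "jwks_uri": "https://idp.example.com/tenant-a/keys",
  "response_types_supported": ["code"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")


def discovery_url(issuer: str) -> str:
    """Where the provider publishes its metadata for this issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer(issuer: str, metadata: dict) -> list[str]:
    """Return the problems found; an empty list means every check passed."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer must be an https URL")
    if parts.query or parts.fragment:
        problems.append("issuer must not contain a query or fragment")
    problems += [f"metadata is missing {k}" for k in REQUIRED if k not in metadata]
    # A document served for one issuer but naming another must be rejected.
    if metadata.get("issuer") != issuer:
        problems.append("metadata issuer does not match the configured issuer")
    for key in ENDPOINTS:
        if key in metadata and urlsplit(metadata[key]).scheme != "https":
            problems.append(f"{key} is not https")
    # Stricter than the spec: flag providers that advertise unsigned ID tokens.
    if "none" in metadata.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises alg 'none' for ID tokens")
    return problems
```

Fetch the document from `discovery_url(issuer)` with your usual HTTP client, parse it as JSON, and pass it to `check_issuer`; resolve every reported problem with the identity provider before saving the connection.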