Configure single sign-on (SSO)

View Markdown

Configure single sign-on (SSO)

This page provides an overview of configuring single sign-on (SSO) for an Anyscale organization.

You complete this process in two distinct steps:

1. Configuring an Identity Provider (IdP), such as Okta, Ping Identity, or a similar service.
2. Configuring your Service Provider (SP), which is Anyscale.

Identity provider (IdP) configuration

The specific steps to configure an IdP vary between provider. Ensure that you complete all steps before you configure Anyscale. If your organization uses an IdP other than the following, contact Anyscale support because additional allow-listing may be necessary.

After you complete IdP configuration, continue with SP Configuration.

Okta

1. Log in to your organization's admin Okta account, which is the admin-<organization>.okta.com domain.

2. Navigate to the Applications tab.

3. Create a new app integration by clicking the Create App Integration button and selecting the SAML 2.0 option.

4. Add an appropriate App Name and (optionally) App logo.

5. Continue to the Configure SAML page and fill out the following two fields:

• Single sign-on URL: Find your organization_id in your console.

https://console.anyscale.com/api/v2/organizations/<organization_id>/saml_acs

• Audience URI (SP Entity ID): Note that the trailing / is required.

https://console.anyscale.com/

6. Scroll down and fill out the Attribute Statements. Anyscale requires that you provide email, name, and username attributes. The source of each value is not important to Anyscale.

7. Finish the application configuration by clicking Next and completing the Feedback page.

8. Ensure that your integration is active and assign appropriate users to the application.

Google Workspaces

note

These directions are based on Google's official documentation, but are tailored to Anyscale's specific requirements.

1. Log in to your Google Workspace account with admin privileges.

2. Navigate to the Google Admin Console.

3. Expand the Apps menu in the left side bar and select Web and mobile apps.

4. Select Add App menu and click the Add custom SAML app option.

5. Add an appropriate App Name and (optionally) App logo.

6. Continue past the Google Identity Provider Details page and fill out the following two fields on the Service Provider Details page:

• ACS URL: Find your organization_id in your console.

https://console.anyscale.com/api/v2/organizations/<organization_id>/saml_acs

• Entity ID: Note that the trailing / is required.

https://console.anyscale.com/

7. Continue to the Attribute mapping page and add the three attributes that Anyscale requires: email, name, and username. The source of these values is not important to Anyscale.

8. Click Finish.

Ping Identity

1. Log in to your PingOne account as an admin.

2. Navigate to the Connections tab and select Applications.

3. Click the + button next to the Applications heading.

4. Select WEB APP as the desired application type and SAML as the connection type.

5. Add an appropriate Application Name and (optionally) an Icon.

6. Manually enter the ACS URL using the following format.

https://console.anyscale.com/api/v2/organizations/<organization_id>/saml_acs

7. Add the ENTITY ID as follows. Note that the trailing / is required.

https://console.anyscale.com/

8. Specify a value for ASSERTION VALIDITY DURATION. A reasonable default is 60 seconds. Click Save and Continue.

9. On the Map Attributes page, add the following three required application attributes: email, name, and username. The corresponding source PingOne User Attribute is not important to Anyscale.

10. Click Save and Continue.

11. Ensure that your application is enabled.

Microsoft Entra ID

1. Log in to your Azure account as an admin.

2. Select Enterprise applications from under the Manage menu on the left panel.

3. Click the + New Application at the top of the page.

4. Select + Create your own application at the top left.

5. In the pop-up window, enter an appropriate Name and select Integrate any other application you don't find in the gallery (Non-gallery) and click Create.

6. You should see an Overview page for your newly created application.

7. Select the Set up single sign on card from the Getting Started menu. Alternatively, select Single sign-on from the left side menu. Click SAML as the sign-on method.

8. Edit the Basic SAML Configuration card and fill out the Identifier and Reply URL fields as follows:

• Identifier (Entity ID): Note that the trailing / is required.

https://console.anyscale.com/

• Reply URL (Assertion Consumer Service URL): Find your organization_id here.

https://console.anyscale.com/api/v2/organizations/<organization_id>/saml_acs

10. Edit the Attributes & Claims card to include the following three required attributes: email, name, and username. The source of each of these values is not important to Anyscale.

note

Azure AD requires every application to have a unique Identifier (Entity ID). This requirement is problematic if you need to use Azure AD to connect to multiple Anyscale organizations because all applications would have the same Entity ID of https://console.anyscale.com/.

To work around this, first specify the Identifier (Entity ID) to a unique value for each Anyscale organization in the Basic SAML configuration. Then, go to the Advanced settings on the Attributes & Claims page and override the audience to be https://console.anyscale.com/. This approach ensures that Anyscale sends the correct entity ID during the SAML flow.

---

Service provider (SP) configuration (Anyscale)

You must be an Anyscale organization owner to configure SSO.

Acquire IdP metadata

Start by acquiring the metadata you need to configure the relationship between your IdP and Anyscale. The type of metadata you require varies by your IdP.

Metadata	Description
Metadata URL	A URL that Anyscale uses to retrieve your IdP metadata. When supported, use this method as it's more robust to changes. The following IdPs support using a metadata URL on Anyscale: Okta Ping Azure
Static config	All other IdPs require passing a static configuration with the following JSON format:``` { "idp_entity_id": "string", "idp_sso_url": "string", "idp_sso_binding": "string", "idp_x509cert": "string" }

Click on the tab for your IdP for more details:

Okta

Okta supports an idp_metadata_url for sign-on. Navigate to your application's Sign On tab and copy the Metadata URL field for the next step.

Google Workspaces

Google doesn't have a metadata URL endpoint, so you must specify the static_idp_config. Navigate to your Custom SAML app and click Download Metadata.

{
    "idp_entity_id": "", //  SSO URL
    "idp_sso_url": "", // Entity ID
    "idp_sso_binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "idp_x509cert": "" // Certificate
}

Ping Identity

Navigate to your Application, head to the Configuration tab, and click Download Metadata.

Microsoft Entra ID

Navigate to your Application and go to the Single sign-on tab. Locate the SAML Certificates card and copy the App Federation Metadata URL for the next step.

Configure SSO for Anyscale

Complete the following steps to configure SSO for your Anyscale organization:

important

These instructions use the interactive FastAPI documentation for the Anyscale API. This API experience is experimental and subject to change.

Each endpoint documented has a button that prompts you to Try it out. You use the interactive Request body to specify your request.

When you click Execute, the request runs against your Anyscale organization.

Anyscale doesn't recommend interacting with any API endpoints other than those specifically referenced in the following instructions.

1. Navigate to the Anyscale API for SSO configuration.

   • Make sure you are looking at the correct /sso_configs/ endpoint. It should be a POST command with the title Upsert Sso Config.

2. Click Try it out. The Request body expands and shows the following:

   {
     "idp_metadata_url": "string",
     "static_idp_config": {
        "idp_entity_id": "string",
        "idp_sso_url": "string",
        "idp_sso_binding": "string",
        "idp_x509cert": "string"
     }
   }

3. Update the request body JSON with the metadata you collected for your IdP. See Acquire IdP metadata.

   • Use the idp_metadata_url field for supported IdPs.
   • Use the static_idp_config field for all other IdPs.
   • Delete the field that you're not using.

4. Click Execute. You receive a 200 response code if your settings applied successfully.

5. Navigate to the Anyscale API for SSO enforcement.

   • Make sure you are looking at the correct /organizations/{organization_id} endpoint. It should be a PUT command with the title Partial Update Organization.

6. Enter your Anyscale organization ID in the organization_id field.

   • To locate your ID, see View organization settings.

7. Click Try it out. The Request body expands and shows the following:

   {
     "sso_mode": "off"
   }

8. Update the request body JSON to specify the enablement level for SSO for your organization. The following are the options for sso_mode:

   • off: SSO login isn't enabled for your organization.
   • optional: SSO login is optional for your organization. Users normally log in with SSO, but can also log in with a password.
   • required: SSO login is the only way for users to log in to your organization.
   note

   Anyscale recommends starting with optional and moving to required once you have manually confirmed SSO is working as expected. This prevents users from losing access if you've misconfigured any SSO settings.

   The API doesn't display the current setting for this field. If you want to enforce SSO and are uncertain about your current setting, you should set the required option.

   Organization owners can always log in to Anyscale with a password. See Fallback access.

9. Click Execute. You receive a 200 response code if your settings applied successfully.

To test your SSO login, open a private browsing window and log in to the Anyscale console.

Log in with SSO

After you configure SSO, users can log in to Anyscale in two ways: IdP initiated and SP initiated.

IdP initiated

The IdP initiated flow begins from your identity provider, for example, Okta or Azure AD. Log in to your IdP's website and select the link for Anyscale. If Anyscale isn't visible, ensure that you assigned your user to the application.

note

First-time Anyscale users must use the IdP initiated flow to log in to Anyscale in order to trigger just-in-time account creation.

SP initiated

The SP initiated flow begins on the Anyscale console. Enter your work email and click Next. You should be automatically redirected to your IdP and then back to Anyscale.

If your email is associated with multiple organizations, you are prompted to select the organization you wish to log in to after confirming you have access to the email address through a magic link sent to your email. If the organization requires SSO, you are redirected to your IdP to log in and then back to Anyscale.

Fallback access

Anyscale organization owners have the ability to log in to Anyscale with a username and password. This fallback mechanism is for the case when SSO is unavailable or misconfigured. Use following cURL command to log in using your password:

curl -X POST https://console.anyscale.com/api/v2/users/login \
  -H 'Content-Type: application/json' \
  -d '{"email": "<email>", "password": "<password>", "organization_id": "<organization_id>"}'