
Configuring SSO

Configuring Single Sign On (SSO) for an Anyscale organization requires two distinct steps:

  1. Configuring the Identity Provider (IdP). This is Okta, Ping Identity, or a similar service.
  2. Configuring the Service Provider (SP), which is Anyscale.

IdP configuration

The specific steps to configure an IdP vary between providers. Ensure that you complete all steps before you configure Anyscale. If your organization uses an IdP other than the following, contact Anyscale support because additional allow-listing may be necessary.

After you complete IdP configuration, continue with SP Configuration.

  1. Log in to your organization's admin Okta account, which is the admin-<organization>.okta.com domain.

  2. Navigate to the Applications tab.

  3. Create a new app integration by clicking the Create App Integration button and selecting the SAML 2.0 option.

  4. Add an appropriate App Name and (optionally) App logo.

  5. Continue to the Configure SAML page and fill out the following two fields:

  • Single sign-on URL: https://console.anyscale.com/api/v2/organizations/<organization_id>/saml_acs (find your organization_id in your console).
  • Audience URI (SP Entity ID): https://console.anyscale.com/ (the trailing / is required).

Advanced SAML Configuration

  1. Scroll down and fill out the Attribute Statements. Anyscale requires that you provide email, name, and username attributes. The source of each value is not important to Anyscale.

  2. Finish the application configuration by clicking Next and completing the Feedback page.

  3. Ensure that your integration is active and assign appropriate users to the application.


SP configuration (Anyscale)

Only Anyscale Organization admins can configure SSO. Ensure that you are signed in with the appropriate account before continuing.

  1. Acquire the idp_metadata_url (a URL used to retrieve your IdP's metadata) or static_idp_config (static metadata for your IdP, with the fields shown below) from your IdP. The metadata URL is easier to include and doesn't require reconfiguration in the future. If you're not using one of the 4 providers in this guide, collect the required information and skip to step 3.

     {
       "idp_entity_id": "string",
       "idp_sso_url": "string",
       "idp_sso_binding": "string",
       "idp_x509cert": "string"
     }

     Okta supports an idp_metadata_url for sign-on. Navigate to your application's Sign On tab and copy the Metadata URL field for the next step.

  2. Navigate to the API docs page https://console.anyscale.com/ext/v0/docs.

  3. Create or update your organization's SSO configuration with the /sso_configs/ endpoint, titled Upsert Sso Config. Use only the idp_metadata_url field or the static_idp_config field, depending on what your IdP supports.

  4. Click Execute and ensure that the server response is 200.

  5. Enable SSO for your Anyscale organization with the /organizations/{organization_id} endpoint, called Partial Organization Update. Specify your organization's ID in the path field and select the sso_mode to enforce. The three possible values of sso_mode are listed below. Start with optional and move to required once you have verified that SSO is working as expected.

  • off: SSO login is not enabled for your organization.
  • optional: SSO login is optional for your organization. Users normally log in with SSO, but can also log in with a password.
  • required: SSO login is the only way for users to log in to your organization.

     Warning: When you make SSO required, the current SSO configuration is the only way for most users to log in to the organization. Organization admins can always log in to Anyscale with a password. If you aren't 100% confident that the SSO configuration is correct, or if you need to use a username and password for service accounts, use optional mode.

  6. Click Execute and ensure that the server response is 200.

  7. In a separate browser or in a private browsing window, log in to Anyscale to verify that the SSO login flow with your IdP works as expected.
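To show how the two request bodies above fit together, here is an added Python example that is not Anyscale's own code: it extracts the four static_idp_config fields from the SAML metadata XML an IdP publishes (a constructed sample is embedded inline) and builds the bodies for Upsert Sso Config and Partial Organization Update under the constraints this page states. The sample entity ID, URLs and certificate are placeholders, and defaulting to the HTTP-Redirect binding is an assumption, not something the page specifies.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"  # assumed default binding

# Constructed sample of the metadata XML an IdP serves at its metadata URL (placeholder values).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk_example_idp">
 <md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate> MIIC...placeholder... </ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://example.okta.com/app/exk_example_idp/sso/saml"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://example.okta.com/app/exk_example_idp/sso/saml"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text, binding=REDIRECT):
    """Extract the four static_idp_config fields; fail loudly if any piece is missing."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = [s for s in idp.findall("md:SingleSignOnService", NS) if s.get("Binding") == binding]
    if not sso:
        raise ValueError(f"IdP offers no SingleSignOnService for {binding}")
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no signing certificate: SAML assertions could not be verified")
    return {"idp_entity_id": root.get("entityID"), "idp_sso_url": sso[0].get("Location"),
            "idp_sso_binding": binding, "idp_x509cert": "".join(cert.text.split())}

def build_sso_config(idp_metadata_url=None, static_idp_config=None):
    """Body for Upsert Sso Config: exactly one of the two fields, as the page requires."""
    if (idp_metadata_url is None) == (static_idp_config is None):
        raise ValueError("set exactly one of idp_metadata_url or static_idp_config")
    if idp_metadata_url is not None:
        if not idp_metadata_url.startswith("https://"):
            raise ValueError("metadata URL must use https: fetched IdP metadata is trusted input")
        return {"idp_metadata_url": idp_metadata_url}
    return {"static_idp_config": static_idp_config}

def build_org_update(sso_mode):
    """Body for Partial Organization Update; only the three modes listed on this page are valid."""
    if sso_mode not in ("off", "optional", "required"):
        raise ValueError("sso_mode must be one of off, optional, required")
    return {"sso_mode": sso_mode}
```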

Fallback access

Anyscale Organization admins always have the ability to log in to Anyscale with a username and password. This fallback mechanism is for the case when SSO is unavailable or misconfigured. Admins can log in with the following cURL command:

curl -X POST https://console.anyscale.com/api/v2/users/login \
-H 'Content-Type: application/json' \
-d '{"email": "<email>", "password": "<password>", "organization_id": "<organization_id>"}'

Logging in with SSO

After you configure SSO, users can log in to Anyscale in two ways: IdP initiated and SP initiated.

IdP initiated

The IdP initiated flow begins from your identity provider, for example, Okta or Azure AD. Log in to your IdP's website and select the link for Anyscale. If Anyscale isn't visible, ensure that you assigned your user to the application.

Note: First-time Anyscale users must use the IdP initiated flow to log in to Anyscale in order to trigger just-in-time account creation.

SP initiated

The SP initiated flow begins on the Anyscale homepage. Enter your work email and click Next. You should be automatically redirected to your IdP and then back to Anyscale.

If your email is associated with multiple organizations, you are prompted to select the organization you wish to log in to after confirming you have access to the email address through a magic link sent to your email. If the organization requires SSO, you are redirected to your IdP to log in and then back to Anyscale.