Configuring SSO

Configuring Single Sign On (SSO) for an Anyscale organization requires two distinct steps:

1. Configuring the Identity Provider (IdP). This is Okta, Ping Identity or a similar service.
2. Configuring the Service Provider (SP). This is Anyscale.

IdP Configuration

The exact steps to configure an IdP vary between provider. Ensure that all steps are completed before moving on to configure Anyscale. If your organization uses an IdP other than the following, please contact Anyscale support as additional allow-listing may be necessary.

After you complete IdP configuration, continue with SP Configuration.

Okta

1. Log in to your organization's admin Okta account, this is the admin-<organization>.okta.com domain.

2. Navigate to the “Applications tab.

3. Create a new app integration by clicking the Create App Integration button and select the SAML 2.0 option.

4. Add an appropriate App Name and (optionally) App logo.

5. Continue to the Configure SAML page and fill out the following two fields:

• Single sign-on URL: Find your organization_id here.

https://console.anyscale.com/api/v2/organizations/<organization_id>/saml_acs

• Audience URI (SP Entity ID): Note that the trailing / is required.

https://console.anyscale.com/

6. Scroll down and fill out the Attribute Statements. Anyscale requires that email, name and username attributes are provided. The source of each value is not important to Anyscale.

7. Finish application configuration by clicking next and completing the Feedback page.

8. Ensure that your integration is active and assign appropriate users to the application.

Google Workspaces

note

These directions are based on Google's official documentation, but are tailored to Anyscale's specific requirements.

1. Log in to your Google Workspace account with administrative privileges.

2. Navigate to the Google Admin Console.

3. Expand the Apps menu in the left side bar and select Web and mobile apps.

4. Select Add App menu and click the Add custom SAML app option.

5. Add an appropriate App Name and (optionally) App logo.

6. Continue pass the Google Identity Provider Details page and fill out the following two fields on the Service Provider Details page:

• ACS URL: Find your organization_id here.

https://console.anyscale.com/api/v2/organizations/<organization_id>/saml_acs

• Entity ID: Note that the trailing / is required.

https://console.anyscale.com/

7. Continue to the Attribute mapping page and add the three attributes that Anyscale requires: email, name and username. The source of these values is not important to Anyscale.

8. Click Finish.

Ping Identity

1. Log in to your Pingone account as an admin.

2. Navigate to the Connections tab and select Applications.

3. Click the + button next to the Applications heading.

4. Select WEB APP as the desired application type and SAML as the connection type.

5. Add an appropriate Application Name and (optionally) an Icon.

6. Manually enter the ACS URL using the following format.

https://console.anyscale.com/api/v2/organizations/<organization_id>/saml_acs

7. Add the ENTITY ID as follows. Note that the trailing / is required.

https://console.anyscale.com/

8. Specify a value for ASSERTION VALIDITY DURATION (60 seconds is a reasonable default) and click Save and Continue.

9. On the Map Attributes page, add the following three required application attributes email, name and username. The corresponding source PingOne User Attribute is not important to Anyscale.

10. Click Save and Continue.

11. Ensure that your application is enabled.

Azure AD

1. Log in to your account as an administrator.

2. Select Enterprise applications from under the Manage menu on the left panel.

3. Click the + New Application at the top of the page.

4. Select + Create your own application at the top left.

5. In the pop-up window, enter an appropriate Name and select Integrate any other application you don't find in the gallery (Non-gallery) and click Create.

6. You should now see an Overview page for your newly created application.

7. Select the Set up single sign on card from the Getting Started menu. Alternatively, select Single sign-on from the left side menu. Click SAML as the sign-on method.

8. Edit the Basic SAML Configuration card and fill out the Identifier and Reply URL fields as follows:

• Identifier (Entity ID): Note that the trailing / is required.

https://console.anyscale.com/

• Reply URL (Assertion Consumer Service URL): Find your organization_id here.

https://console.anyscale.com/api/v2/organizations/<organization_id>/saml_acs

10. Edit the Attributes & Claims card to include the following three required attributes: email, name and username. The source of each of these values is not important to Anyscale.

note

Azure AD requires every application to have a unique Identifier (Entity ID). This is problematic if you need to use Azure AD to connect to multiple Anyscale organizations because all would have the same Entity ID of https://console.anyscale.com/.

To work around this, first specify the Identifier (Entity ID) to a unique value for each Anyscale organization in the Basic SAML configuration. Then, go to the Advanced settings on the Attributes & Claims page and override the audience to be https://console.anyscale.com/. This will ensure that the correct entity id is sent during the SAML flow.

---

SP Configuration (Anyscale)

Only Anyscale Organization administrators can configure SSO. Ensure that you are signed in with the appropriate account before continuing.

1. Acquire the idp_metadata_url (a URL used to retrieve your IdPs metadata) or static_idp_config (static metadata for your IdP, fields shown below) from your IdP. The metadata URL is preferred as it is easier to include and will not require reconfiguration in the future. If you are not using one of the 4 providers used in this guide, collect the required information and skip to step 3.

{
    "idp_entity_id": "string",
    "idp_sso_url": "string",
    "idp_sso_binding": "string",
    "idp_x509cert": "string"
}

Okta

2. Okta supports an idp_metadatal_url for sign-on. Navigate to your applications Sign On tab and copy the Metadata URL field for use in the next step.

Google Workspaces

2. Google does not have a metadata URL endpoint, so specifying the static_idp_config is required. Navigate to your Custom SAML app and click Download Metadata.

{
    "idp_entity_id": "", //  SSO URL
    "idp_sso_url": "", // Entity ID
    "idp_sso_binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "idp_x509cert": "" // Certificate
}

Ping Identity

2. Navigate to your Application, head to the Configuration tab and click Download metadata.

Azure AD

2. Navigate to your Application and go to the Single sign-on tab. Locate the SAML Certificates card and copy the App Federation Metadata URL for use in the next step.

---

3. Navigate to the API docs page https://console.anyscale.com/ext/v0/docs.

4. Create (or update) your organization's SSO configuration with the /sso_configs/ endpoint (titled Upsert Sso Config). Use only the idp_metadata_url field or the static_idp_config field depending on what your IdP supports.

5. Click Execute and ensure that the server response is 200.

6. Enable SSO for your Anyscale organization with the /organizations/{organization_id} endpoint (titled Partial Organization Update). Specify your organization's ID in the path field and select the sso_mode to enforce. The three possible values of sso_mode are listed below. It is recommended to start with optional and move to required once you have verified that SSO is working as expected.

• off: SSO login is not enabled for your organization.
• optional: SSO login is optional for your organization. Users normally log in with SSO, but can also log in with a password.
• required: SSO login is the only way for users to log in to your organization.

warning

When SSO is made required, the current SSO configuration will be the only way for most users to log into the organization. Organization Admins can always log in with Anyscale with a password. If you are not 100% confident that the SSO configuration is correct, or if you need to use a username/password for service accounts, use the string optional mode.

7. Click Execute and ensure that the server response is 200.

8. Log in to Anyscale (preferably in a separate browser or in a private browsing window) to verify that the SSO log in flow with your IdP works as expected.

Fallback Access

Anyscale Organization admins always have the ability to log in to Anyscale with a username and password. This is a fallback mechanism in case SSO is unavailable or misconfigured. Admins can log in with the following CURL command:

curl -X POST https://console.anyscale.com/api/v2/users/login \
  -H 'Content-Type: application/json' \
  -d '{"email": "<email>", "password": "<password>", "organization_id": "<organization_id>"}'

Logging in with SSO

Once SSO is configured, there are two ways users can log in to Anyscale: IdP initiated and SP initiated.

IdP Initiated

The IdP initiated flow begins from your identity provider (for example, Okta or Azure AD). Log in to your IdPs website and select the link for Anyscale. If Anyscale is not visible, ensure that your user has been assigned to the application.

note

First-time Anyscale users must use the IdP initiated flow to log in to Anyscale in order to trigger just-in-time account creation.

SP Initiated

The SP initiated flow begins on the Anyscale homepage. Insert your work email and click Next. You should be automatically redirected to your IdP and then back to Anyscale.