Version: v2.x

Pick an identity provider when connecting

Your Cyral-assisted database single sign-on might rely on many different identity providers (IdPs). In Cyral, each IdP integration is saved with a unique name, and users choose one in Cyral's Available Identity Providers window when they authenticate.

Picking the right IdP can be confusing for users and can delay them when they're trying to connect. To address this, users can pass an IdP hint that specifies which IdP they want to use. When a user includes an IdP hint, Cyral directs them to the login screen or access token for that IdP. If they've already authenticated, they get to skip the login screen and get access to the resource right away.

Pass an IdP hint to the Cyral tokens portal

When data users access the Cyral tokens portal, they can append an IdP hint to the URL in the format ?idp=your-idp-integration-name, where your-idp-integration-name is the identifier for the IdP integration you've created in Cyral.

For example, if the URL of your Cyral control plane is https://db-portal.example.com, then the URL for users who log in with your Azure East1 IdP will look like this:

https://db-portal.example.com?idp=azure-east1

Pass an IdP hint to the CLI token retriever

To do this, run the Cyral CLI token retriever, gimme_db_token, with the --idp flag. The syntax is:

gimme_db_token pg --address <your_Cyral_service_address> --idp <your-idp-integration-name>

where:

  • your_Cyral_service_address is the URL of your Cyral control plane, for example, acme.cyral.com
  • your-idp-integration-name identifies your IdP integration in Cyral. To find the name, ask your Cyral administrator.

Token retriever example with IdP hint

For example, if your company tenant name in Cyral is acme-example, and your IdP is called Azure East1, then run gimme_db_token as shown below:

gimme_db_token pg --address acme.cyral.com --idp azure-east1