Single Sign On

CloudBeaver Enterprise supports Federated Authentication for SSO (Single Sign-On) access into the application. Your provider must support SAML to access the application.

SAML configuration

Enabling SAML authentication

Go to the Administration menu and enable SAML in the Server configuration tab.


Configuring external identity provider

Go to the Identity Providers tab and create a new configuration using the SAML IdP (Identity Provider) details.


Configuring CloudBeaver integration in external identity provider

Open the created configuration and download the metadata file.


Go to the SAML IdP website and add the metadata parameters from the file (entityID and Location) to the SSO access settings, assign users and add the attribute mappings according to the SAML IdP requirements.
Each identity provider has its own configuration procedure, we will show how to do it in AWS in the next chapter.

AWS SSO configuration



You can upload metadata file (which you downloaded in the previous chapter) to fill parameters automatically.
Or you can specify parameters manually:

Parameter Value
Application ACS URL https://HOST_NAME/api/saml/CONFIG_ID/acs
Application SAML audience https://HOST_NAME/api/saml/CONFIG_ID/metadata

Where HOST_NAME is the host name of your CloudBeaver installation, CONFIG_ID is the identifier of your SAML configuration.



Attributes explanation:

Attribute Value Meaning
Subject ${user:email} User unique identifier (nameId). It is usually an email address. 1800 Session duration in seconds. 1800 (30 minutes) is the default value roleARN,idpARN IAM role identifier

Role is the most important attribute, it defines which IAM role will be used for user federation session. Role format: roleARN,idpARN

You can get role ARN in AWS IAM section
Role ARN looks like this: arn:aws:iam::123678087624:role/RoleForSAMLAccess

You can get IDP ARN in AWS identity providers page
IDP ARN looks like this: arn:aws:iam::123678087624:saml-provider/GSuiteSAML

Configuring AWS proxy account

In order to provide users permission to your AWS cloud resources (RDS, DynamoDB, etc) you need to configure AWS federated access proxy user.

You can more information find here: Configuring SAML assertions for the authentication response.

Go to the AWS Settings tab and enable the Federated authentication.


Add the Proxy User on the same page. You can set the current user or add a new one.

When an AWS user is logged into CloudBeaver using SSO, it has the Proxy User and the IAM user's identity-based permissions. Actual permission set and user role are configured in attribute mappings of SAML integration.


CloudBeaver does not keep your authentication information on the server-side and in configuration files. Once your session expires, you will need to authenticate again. When a user logs out from the application, CloudBeaver also performs a session logout from SAML IdP.

Testing SAML authentication

The new SAML tab becomes available after creating the configuration in the CloudBeaver authentication dialog. This is where the user can select the configuration and thereafter login into the application using SSO.