This page covers security settings available for your Rockset account.

## Authentication Methods

Rockset offers the following authentication methods:

  • User/Password

  • Google Single Sign-On (SSO)

  • GitHub Single Sign-On (SSO)

  • [SAML-based SSO](🔗) (e.g. Okta, Azure AD, OneLogin, etc.)

Additionally, [Multi-Factor Authentication (MFA)](🔗) is supported for organizations using User/Password based authentication.

### SAML based Single Sign-On (SSO)

Rockset offers SAML-based Single Sign-On, which is used to integrate with identity providers such as Okta, Microsoft Entra ID (Azure AD), OneLogin, etc. The instructions linked below describe how to create an Okta connection, but the same settings apply to any of the other SAML providers.

  • To create your **Okta** connection, follow [these instructions](🔗).

  • To set up using **Microsoft Entra ID**, follow the same steps above with the following notes:

    • `Identifier (Entity ID)` within Entra ID is the value called `Audience URI`, which will look similar to `urn:auth0:rockset:acme-company`

    • `Reply URL (Assertion Consumer URL)` within Entra ID is the value called `SAML URL` which will look similar to `https://auth.rockset.com/login/callback?connection=acme-company`

Be sure to manually include the SAML attribute `email`.
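The following added example (not from Rockset's documentation or code) checks a decoded SAML response from a test sign-in against the three values described above: the `Audience URI`, the `SAML URL`, and the `email` attribute. The `acme-company` values are the page's sample names, the response is constructed, and the check compares fields only; it does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Sample values in the format shown on this page; substitute your own.
AUDIENCE_URI = "urn:auth0:rockset:acme-company"
SAML_URL = "https://auth.rockset.com/login/callback?connection=acme-company"


def sample_response(audience, recipient, attr_name):
    """Build a constructed, unsigned SAML response (illustration only)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
      <saml:Assertion>
        <saml:Subject><saml:SubjectConfirmation>
          <saml:SubjectConfirmationData Recipient="{recipient}"/>
        </saml:SubjectConfirmation></saml:Subject>
        <saml:Conditions><saml:AudienceRestriction>
          <saml:Audience>{audience}</saml:Audience>
        </saml:AudienceRestriction></saml:Conditions>
        <saml:AttributeStatement>
          <saml:Attribute Name="{attr_name}">
            <saml:AttributeValue>user@example.com</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>"""


def check_response(xml_text, audience_uri=AUDIENCE_URI, saml_url=SAML_URL):
    """Return a list of mismatches; an empty list means the fields line up."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if audience_uri not in audiences:
        problems.append(f"Audience {audiences} does not match Identifier (Entity ID)")
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if saml_url not in recipients:
        problems.append(f"Recipient {recipients} does not match Reply URL")
    names = sorted(a.get("Name", "") for a in root.iterfind(".//saml:Attribute", NS))
    if "email" not in names:
        problems.append(f"no attribute named 'email' (found {names})")
    return problems


if __name__ == "__main__":
    # A claim name other than the literal `email` is reported as missing.
    claim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    for problem in check_response(sample_response(AUDIENCE_URI, SAML_URL, claim)):
        print(problem)
```
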

Within the Rockset console, you will have two additional settings available:

  • **SSO-only:** This setting allows users to connect to Rockset only from your SSO provider. Other forms of authentication, such as username-password, are disabled. If off, all connections will be allowed. We recommend turning this setting on for maximum security.

  • **Autoprovision:** This setting tells Rockset to automatically create accounts for new users coming to Rockset from your SSO provider. Most SSO providers provide their own form of access control, so we recommend turning this setting on. If off, you will have to add users in the Rockset UI before they are able to access Rockset.

Note that this feature only applies to authentication for logging into the [Rockset Console](🔗), and does not apply to calls made to the [Rockset API](🔗) or [Query Lambdas](🔗) using API Keys.

To enable SAML-based Single Sign-On for accessing the Rockset Console, please contact [Rockset Support](🔗).

### Multi-Factor Authentication (MFA)

Multi-Factor Authentication requires users who use User/Password based authentication to also enter a time-based one-time passcode (TOTP), such as one generated by Google Authenticator or a similar application. The additional MFA requirement only applies to User/Password based authentication, and will not affect any of the SSO authentication methods.

When "MFA Restricted" is enabled, any user belonging to the organization will be prompted to enter their one-time passcode the next time they attempt to use User/Password authentication. If the user has not yet configured their MFA, they will be redirected to configure it.