Cyral interacts with your organization's identity provider (for example Okta or G Suite) to authenticate database users, providing single sign-on (SSO) access to a data repository.
How do I get an SSO token for logging in?
Depending on the type of repository you're connecting to, there are different ways to get the token:
For all repository types, you can authenticate at the repository access portal page provided in the Cyral management console;
For some repository types, you can use the Cyral SSO token retriever (
How are the tokens generated?
SSO tokens are issued by the identity provider (Okta, G Suite, AD) upon successful authentication and are received by the Cyral service. SSO group information is also available from the identity provider. Cyral uses the identity provider's tokens to generate different kinds of tokens internally, and stores them for a specified period of time. The tokens Cyral generates are different from the ones the identity provider issues. At the end of the specified period, Cyral tokens expire and are automatically deleted.
Note! Tokens expire after a set period (usually 24 hours). If you want to log in after your token has expired, you must authenticate again to get a new one.