How are tokens issued for SSO-based authentication?

Cyral interacts with your organization's identity provider (for example Okta or G Suite) to authenticate database users, providing single sign-on (SSO) access to a data repository. 


How do I get an SSO token for logging in? 

Upon successful authentication, Cyral provides a token you will use as your login credential, in place of a password. Depending on the type of repository you're connecting to, there are different ways to get the token: 

  • For all repository types, you can authenticate at the repository access portal page provided in the Cyral management console;

  • For some repository types, you can use the Cyral SSO token retriever (gimme_db_token). This is a helper application that passes the token directly to the data repository, allowing you to log in.


How are the tokens generated? 

The identity provider (Okta, G Suite, AD) issues tokens upon successful authentication, and the Cyral service receives them. SSO group information is also available from the identity provider. Cyral uses the identity provider's tokens to generate different kinds of tokens internally, and stores them for a specified period of time. The tokens Cyral generates are different from the ones the identity provider issues. At the end of the specified period, Cyral tokens expire and are automatically deleted.


Note! Tokens expire after a set period (usually 24 hours). If you want to log in after your token has expired, you must authenticate again to get a new one.

