Get Started Sign In

Using TOAD to access a Cyral-protected Oracle database

Your normal database clients continue to work once Cyral protection is added to your databases. Below, we show how to use the TOAD client to connect to a Cyral-protected Oracle database. To get TOAD, see 


  1. In TOAD, click Session: New Connection to set up a new connection for Oracle. 

  1. In Edit Login Record, enter the username. Choose the option that applies to you, below: 

    • If using Oracle credentials: Provide the database user name; 

  • If using Cyral SSO: Provide the SSO user name in one of the formats shown in "SSO username formats in Cyral", later in this document. For example: or 

  1. In the Select Direct tab:

    • Host: Address of the Cyral sidecar, which may be a load balancer address

    • Port: Repository port of the Cyral sidecar

    • Service Name or SID: The database service name or SID

  1. Next, hit Connect and TOAD will prompt you for your password:

    • If using Oracle credentials: Provide the user's usual database password;

  • If using Cyral SSO: Provide the SSO token.

SSO username formats in Cyral

SSO users can connect to any Cyral-protected database with their SSO username in one of the following formats, SSO username only, or SSO username with local account mapping, as described below.

SSO username only


If you're not passing a group name, pass your username in the format, "idp:sso-user" where "sso-user" is your username in the identity provider like Okta. 

For example, "" for an SSO user with the Okta username

Note! If your repository does not have native authentication enabled in Cyral, then you can optionally omit the "idp:" prefix.

SSO username with local account mapping


The local account is a user, group, or role in the repository for which you've created a mapping in the Cyral "Identity to Account Map" tab for your repository. If you need to specify which local account to use, pass a local account name, you'll drop the "idp:" prefix and append the local account name in the format: "sso-user:local-account". 

For example, "" for an SSO user with the Okta username and the local account mapping called "analyst-account" in Cyral.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.