configuring-sso-and-scim

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Configuring SSO and SCIM

配置SSO与SCIM

Configures Single Sign-On (SSO) and SCIM 2.0 provisioning for CockroachDB across four distinct layers:

Cloud Console SSO — SAML or OIDC for the CockroachDB Cloud web console
DB Console SSO — OIDC for the DB Console web UI (Advanced/Enterprise only)
SQL/Cluster SSO — JWT-based or LDAP/AD authentication for SQL client connections
SCIM 2.0 — Automated user provisioning on the Cloud Console

为CockroachDB配置跨四个不同层级的单点登录（SSO）和SCIM 2.0配置服务：

Cloud Console SSO — 用于CockroachDB Cloud网页控制台的SAML或OIDC认证
DB Console SSO — 用于DB Console网页UI的OIDC认证（仅高级版/企业版可用）
SQL/集群SSO — 用于SQL客户端连接的基于JWT或LDAP/AD的认证
SCIM 2.0 — Cloud Console上的自动化用户配置服务

When to Use This Skill

何时使用此技能

Enabling centralized identity management via an IdP (Okta, Azure AD, Google Workspace, etc.)
Meeting compliance requirements for SSO-only authentication
Automating user provisioning and deprovisioning to prevent orphaned accounts
Setting up SSO for SQL authentication to eliminate database-level passwords
Configuring LDAP/AD authentication for self-hosted clusters in on-prem or hybrid environments
Responding to a security audit finding about missing SSO or SCIM configuration

通过身份提供商（IdP，如Okta、Azure AD、Google Workspace等）启用集中式身份管理
满足仅使用SSO认证的合规要求
自动化用户配置与取消配置，防止出现孤立账户
为SQL认证设置SSO，消除数据库级别的密码
为本地或混合环境中的自托管集群配置LDAP/AD认证
响应关于缺失SSO或SCIM配置的安全审计发现

Prerequisites

前提条件

Cloud Console role: Organization Admin (for Console SSO and SCIM)
SQL access: Cluster admin role (for DB Console SSO and SQL/Cluster SSO)
Identity Provider (IdP): Configured and operational — Okta, Azure AD, Google Workspace, PingOne, or other SAML/OIDC-compatible provider
ccloud CLI authenticated (
```
ccloud auth login
```
) — for Cloud Console SSO/SCIM
DB Console SSO: Advanced or Enterprise plan required (not available on Standard or Basic)
SCIM: Enterprise plan required for SCIM 2.0
LDAP/AD: Self-hosted CockroachDB cluster required (LDAP is not available on CockroachDB Cloud)

Verify access:

bash

ccloud auth whoami

Cloud Console角色：组织管理员（用于Console SSO和SCIM）
SQL访问权限：集群管理员角色（用于DB Console SSO和SQL/集群SSO）
身份提供商（IdP）：已配置并可正常运行——Okta、Azure AD、Google Workspace、PingOne或其他兼容SAML/OIDC的提供商
ccloud CLI已认证（
```
ccloud auth login
```
）——用于Cloud Console SSO/SCIM
DB Console SSO：需要高级版或企业版计划（标准版或基础版不可用）
SCIM：需要企业版计划才能使用SCIM 2.0
LDAP/AD：需要自托管CockroachDB集群（CockroachDB Cloud不支持LDAP）

验证访问权限：

bash

ccloud auth whoami

Configuration Decisions

配置决策

Before proceeding, determine which layers the user needs. Ask which of the following apply, then follow only the relevant Parts below.

Decision 1 — Cloud Console SSO:

SAML: Best for enterprise IdPs with existing SAML infrastructure (Okta, Azure AD, PingOne)
OIDC: Simpler setup, supports Google Workspace and modern IdPs natively
Skip: Not needed

Decision 2 — DB Console SSO:

Enable (OIDC): SSO for the DB Console web UI. Requires Advanced or Enterprise plan — not available on Standard or Basic
Skip: Not needed or plan does not support it

Decision 3 — SQL/Cluster SSO method:

JWT-based: Cloud-native approach using JWT tokens for SQL client connections. Works on both CockroachDB Cloud and self-hosted clusters
LDAP/AD: Direct directory authentication against Active Directory or OpenLDAP. Self-hosted only (not available on CockroachDB Cloud)
Skip: Not needed

Decision 4 — SCIM 2.0 provisioning:

Enable: Automates user lifecycle (create/update/deactivate) between IdP and Cloud Console. Requires Enterprise plan
Skip: Manage Cloud Console users manually

在开始配置前，确定用户需要哪些层级。询问以下哪些适用，然后仅遵循相关部分的步骤。

决策1 — Cloud Console SSO：

SAML：适合拥有现有SAML基础设施的企业级IdP（如Okta、Azure AD、PingOne）
OIDC：设置更简单，原生支持Google Workspace和现代IdP
跳过：不需要

决策2 — DB Console SSO：

启用（OIDC）：为DB Console网页UI配置SSO。需要高级版或企业版计划——标准版或基础版不可用
跳过：不需要或当前计划不支持

决策3 — SQL/集群SSO方式：

基于JWT：云原生方案，使用JWT令牌进行SQL客户端连接。适用于CockroachDB Cloud和自托管集群
LDAP/AD：直接针对Active Directory或OpenLDAP进行目录认证。仅支持自托管集群（CockroachDB Cloud不支持）
跳过：不需要

决策4 — SCIM 2.0配置：

启用：自动化IdP与Cloud Console之间的用户生命周期（创建/更新/停用）。需要企业版计划
跳过：手动管理Cloud Console用户

Steps

步骤

Step 0: Audit Current SSO Configuration

步骤0：审计当前SSO配置

Before configuring anything, audit the current state of all four SSO layers.

在进行任何配置前，审计四个SSO层级的当前状态。

Cloud Console SSO

Check SSO status in the Cloud Console UI: Organization Settings > Authentication. The

ccloud

CLI does not expose SSO configuration commands.

在Cloud Console UI中查看SSO状态：组织设置 > 认证。

ccloud

CLI目前未提供SSO配置命令。

DB Console SSO (OIDC)

DB Console SSO（OIDC）

sql

SHOW CLUSTER SETTING server.oidc_authentication.enabled;
SHOW CLUSTER SETTING server.oidc_authentication.provider_url;
SHOW CLUSTER SETTING server.oidc_authentication.client_id;

sql

SHOW CLUSTER SETTING server.oidc_authentication.enabled;
SHOW CLUSTER SETTING server.oidc_authentication.provider_url;
SHOW CLUSTER SETTING server.oidc_authentication.client_id;

SQL/Cluster SSO (JWT)

SQL/集群SSO（JWT）

sql

SHOW CLUSTER SETTING server.jwt_authentication.enabled;
SHOW CLUSTER SETTING server.jwt_authentication.issuers.configuration;
SHOW CLUSTER SETTING server.jwt_authentication.jwks_auto_fetch.enabled;

sql

SHOW CLUSTER SETTING server.jwt_authentication.enabled;
SHOW CLUSTER SETTING server.jwt_authentication.issuers.configuration;
SHOW CLUSTER SETTING server.jwt_authentication.jwks_auto_fetch.enabled;

LDAP Authentication

LDAP认证

sql

-- Check HBA rules for any ldap method entries
SHOW CLUSTER SETTING server.host_based_authentication.configuration;

Look for lines containing

ldap

in the HBA output.

sql

-- 检查HBA规则中是否有ldap方法条目
SHOW CLUSTER SETTING server.host_based_authentication.configuration;

在HBA输出中查找包含

ldap

的行。

Auto-Provisioning

自动配置

sql

SHOW CLUSTER SETTING security.provisioning.jwt.enabled;
SHOW CLUSTER SETTING security.provisioning.ldap.enabled;

sql

SHOW CLUSTER SETTING security.provisioning.jwt.enabled;
SHOW CLUSTER SETTING security.provisioning.ldap.enabled;

Part 1: Cloud Console SSO

第一部分：Cloud Console SSO

Cloud Console SSO enables SAML or OIDC authentication for the CockroachDB Cloud web console, replacing password-based login.

Cloud Console SSO为CockroachDB Cloud网页控制台启用SAML或OIDC认证，替代基于密码的登录方式。

1.1 Check Current SSO Configuration

1.1 检查当前SSO配置

Check SSO status in the Cloud Console UI (Organization Settings > Authentication). The

ccloud

CLI does not currently expose SSO configuration commands.

在Cloud Console UI中查看SSO状态（组织设置 > 认证）。

ccloud

CLI目前未提供SSO配置命令。

1.2a Configure SAML SSO

1.2a 配置SAML SSO

Follow this section if the user selected SAML in Decision 1.

Navigate to Organization Settings > Authentication in the Cloud Console
Select SAML as the SSO provider type
Configure the SAML connection:
- Enter the IdP metadata URL or upload the metadata XML
- Copy the CockroachDB Cloud ACS URL and Entity ID to your IdP
- Map IdP attributes to CockroachDB Cloud user fields (email, name)
In your IdP, create a SAML 2.0 application:
- Set the Single sign-on URL to the CockroachDB Cloud ACS URL
- Set the Audience URI (SP Entity ID) to the CockroachDB Cloud Entity ID
- Set Name ID format to Email Address
- Map attributes:
```
email
```
  ,
```
firstName
```
  ,
```
lastName
```
Assign users or groups to the SAML application in the IdP

See configuration steps reference for IdP-specific SAML instructions (Okta, Azure AD).

如果用户在决策1中选择了SAML，请遵循此部分。

导航至Cloud Console中的组织设置 > 认证
选择SAML作为SSO提供商类型
配置SAML连接：
- 输入IdP元数据URL或上传元数据XML
- 将CockroachDB Cloud的ACS URL和实体ID复制到你的IdP中
- 将IdP属性映射到CockroachDB Cloud用户字段（邮箱、姓名）
在你的IdP中创建一个SAML 2.0应用：
- 将单点登录URL设置为CockroachDB Cloud的ACS URL
- 将**受众URI（SP实体ID）**设置为CockroachDB Cloud的实体ID
- 将名称ID格式设置为邮箱地址
- 映射属性：
```
email
```
  、
```
firstName
```
  、
```
lastName
```
在IdP中为SAML应用分配用户或群组

有关IdP特定的SAML说明（Okta、Azure AD），请参阅配置步骤参考。

1.2b Configure OIDC SSO

1.2b 配置OIDC SSO

Follow this section if the user selected OIDC in Decision 1.

Navigate to Organization Settings > Authentication in the Cloud Console
Select OIDC as the SSO provider type
Configure the OIDC connection:
- Enter the OIDC discovery URL from your IdP (e.g.,
```
https://accounts.google.com/.well-known/openid-configuration
```
  )
- Enter the Client ID and Client Secret from your IdP
- Configure the redirect URI in the IdP to point to CockroachDB Cloud
In your IdP, create an OIDC/OAuth 2.0 application:
- Set Sign-in redirect URI to the CockroachDB Cloud redirect URI
- Grant scopes:
```
openid
```
  ,
```
profile
```
  ,
```
email
```
Assign users or groups to the OIDC application in the IdP

See configuration steps reference for IdP-specific OIDC instructions (Okta, Azure AD, Google Workspace).

如果用户在决策1中选择了OIDC，请遵循此部分。

导航至Cloud Console中的组织设置 > 认证
选择OIDC作为SSO提供商类型
配置OIDC连接：
- 输入来自你的IdP的OIDC发现URL（例如：
```
https://accounts.google.com/.well-known/openid-configuration
```
  ）
- 输入来自你的IdP的客户端ID和客户端密钥
- 在IdP中配置重定向URI，指向CockroachDB Cloud
在你的IdP中创建一个OIDC/OAuth 2.0应用：
- 将登录重定向URI设置为CockroachDB Cloud的重定向URI
- 授予范围：
```
openid
```
  、
```
profile
```
  、
```
email
```
在IdP中为OIDC应用分配用户或群组

有关IdP特定的OIDC说明（Okta、Azure AD、Google Workspace），请参阅配置步骤参考。

1.3 Test SSO Login

1.3 测试SSO登录

Open a new browser session (or incognito window)
Navigate to the CockroachDB Cloud Console login page
Select Sign in with SSO
Verify redirect to IdP, authenticate, and redirect back to Cloud Console

打开新的浏览器会话（或隐身窗口）
导航至CockroachDB Cloud Console登录页面
选择使用SSO登录
验证是否重定向到IdP，完成认证后重定向回Cloud Console

1.4 Enforce SSO (Disable Password Login)

1.4 强制启用SSO（禁用密码登录）

After verifying SSO works:

Navigate to Organization Settings > Authentication
Enable Require SSO to disable password-based login
Confirm a break-glass admin account exists (see Safety Considerations)

在验证SSO可用后：

导航至组织设置 > 认证
启用要求SSO以禁用基于密码的登录
确认存在应急管理员账户（请参阅安全注意事项）

Part 2: DB Console SSO (OIDC)

第二部分：DB Console SSO（OIDC）

This configures SSO for the DB Console web UI only, NOT for SQL client connections. SQL client SSO is configured separately in Part 3 (JWT) or Part 4 (LDAP/AD).

Prerequisite: Advanced or Enterprise plan required. DB Console SSO is not available on Standard or Basic plans.

DB Console SSO uses OIDC to authenticate users to the CockroachDB DB Console web interface.

此配置仅针对DB Console网页UI的SSO，不针对SQL客户端连接。 SQL客户端SSO在第三部分（JWT）或第四部分（LDAP/AD）中单独配置。

前提条件： 需要高级版或企业版计划。DB Console SSO在标准版或基础版中不可用。

DB Console SSO使用OIDC对CockroachDB DB Console网页界面的用户进行认证。

2.1 Check Current DB Console SSO Configuration

2.1 检查当前DB Console SSO配置

sql

SHOW CLUSTER SETTING server.oidc_authentication.enabled;
SHOW CLUSTER SETTING server.oidc_authentication.provider_url;
SHOW CLUSTER SETTING server.oidc_authentication.client_id;

sql

SHOW CLUSTER SETTING server.oidc_authentication.enabled;
SHOW CLUSTER SETTING server.oidc_authentication.provider_url;
SHOW CLUSTER SETTING server.oidc_authentication.client_id;

2.2 Configure DB Console SSO

2.2 配置DB Console SSO

sql

-- Enable OIDC authentication for the DB Console
SET CLUSTER SETTING server.oidc_authentication.enabled = true;

-- Set the OIDC provider URL (your IdP's discovery endpoint)
SET CLUSTER SETTING server.oidc_authentication.provider_url = 'https://your-idp.example.com';

-- Set the client ID registered in your IdP
SET CLUSTER SETTING server.oidc_authentication.client_id = '<client-id>';

-- Set the client secret
SET CLUSTER SETTING server.oidc_authentication.client_secret = '<client-secret>';

-- Configure the claim field used for username mapping
SET CLUSTER SETTING server.oidc_authentication.claim_json_key = 'email';

-- Configure the principal regex (extract username from claim)
SET CLUSTER SETTING server.oidc_authentication.principal_regex = '^([^@]+)';

See configuration steps reference for IdP-specific DB Console SSO setup (Okta, Azure AD).

sql

-- 为DB Console启用OIDC认证
SET CLUSTER SETTING server.oidc_authentication.enabled = true;

-- 设置OIDC提供商URL（你的IdP的发现端点）
SET CLUSTER SETTING server.oidc_authentication.provider_url = 'https://your-idp.example.com';

-- 设置在IdP中注册的客户端ID
SET CLUSTER SETTING server.oidc_authentication.client_id = '<client-id>';

-- 设置客户端密钥
SET CLUSTER SETTING server.oidc_authentication.client_secret = '<client-secret>';

-- 配置用于用户名映射的声明字段
SET CLUSTER SETTING server.oidc_authentication.claim_json_key = 'email';

-- 配置主体正则表达式（从声明中提取用户名）
SET CLUSTER SETTING server.oidc_authentication.principal_regex = '^([^@]+)';

有关IdP特定的DB Console SSO设置（Okta、Azure AD），请参阅配置步骤参考。

2.3 Test DB Console SSO

2.3 测试DB Console SSO

Open the DB Console URL in a browser
Click Log in with OIDC
Authenticate with your IdP
Verify you are logged into the DB Console

在浏览器中打开DB Console URL
点击使用OIDC登录
使用你的IdP完成认证
验证是否成功登录到DB Console

Part 3: SQL/Cluster SSO (JWT)

第三部分：SQL/集群SSO（JWT）

SQL/Cluster SSO uses JWT tokens from an IdP to authenticate SQL client connections. This is separate from DB Console SSO (Part 2) — it authenticates

cockroach sql

and application connections, not the web UI.

SQL/集群SSO使用来自IdP的JWT令牌对SQL客户端连接进行认证。这与DB Console SSO（第二部分）是分开的——它认证

cockroach sql

和应用连接，而非网页UI。

3.1 Check Current JWT SSO Configuration

3.1 检查当前JWT SSO配置

sql

SHOW CLUSTER SETTING server.jwt_authentication.enabled;
SHOW CLUSTER SETTING server.jwt_authentication.issuers.configuration;
SHOW CLUSTER SETTING server.jwt_authentication.jwks_auto_fetch.enabled;

sql

SHOW CLUSTER SETTING server.jwt_authentication.enabled;
SHOW CLUSTER SETTING server.jwt_authentication.issuers.configuration;
SHOW CLUSTER SETTING server.jwt_authentication.jwks_auto_fetch.enabled;

3.2 Configure JWT Authentication

3.2 配置JWT认证

sql

-- Enable JWT authentication for SQL connections
SET CLUSTER SETTING server.jwt_authentication.enabled = true;

-- Configure the JWT issuer(s)
-- Format: JSON object with issuer URL and audience
SET CLUSTER SETTING server.jwt_authentication.issuers.configuration = '{
  "issuers": [
    {
      "issuer": "https://your-idp.example.com",
      "audience": "<client-id>"
    }
  ]
}';

-- Enable automatic JWKS fetching (recommended)
SET CLUSTER SETTING server.jwt_authentication.jwks_auto_fetch.enabled = true;

-- Configure the claim used for SQL username mapping
SET CLUSTER SETTING server.jwt_authentication.claim = 'email';

See configuration steps reference for IdP-specific JWT configuration (Okta, Azure AD, Google).

sql

-- 为SQL连接启用JWT认证
SET CLUSTER SETTING server.jwt_authentication.enabled = true;

-- 配置JWT发行方
-- 格式：包含发行方URL和受众的JSON对象
SET CLUSTER SETTING server.jwt_authentication.issuers.configuration = '{
  "issuers": [
    {
      "issuer": "https://your-idp.example.com",
      "audience": "<client-id>"
    }
  ]
}';

-- 启用自动JWKS获取（推荐）
SET CLUSTER SETTING server.jwt_authentication.jwks_auto_fetch.enabled = true;

-- 配置用于SQL用户名映射的声明
SET CLUSTER SETTING server.jwt_authentication.claim = 'email';

有关IdP特定的JWT配置（Okta、Azure AD、Google），请参阅配置步骤参考。

3.3 Configure Identity Mapping

3.3 配置身份映射

Map IdP identities (e.g., email addresses) to SQL usernames:

sql

-- Map user@example.com -> user (strip domain)
SET CLUSTER SETTING server.identity_map.configuration = '
crdb /^(.*)@example\.com$ \1
';

将IdP身份（例如邮箱地址）映射到SQL用户名：

sql

-- 将user@example.com映射为user（去除域名）
SET CLUSTER SETTING server.identity_map.configuration = '
crdb /^(.*)@example\.com$ \1
';

3.4 Enable Auto User Provisioning (Optional)

3.4 启用自动用户配置（可选）

Auto-provision SQL users when they first authenticate via JWT:

sql

SET CLUSTER SETTING security.provisioning.jwt.enabled = true;

When enabled, a SQL user is automatically created for authenticated JWT users who do not yet have an account.

当用户首次通过JWT认证时自动创建SQL用户：

sql

SET CLUSTER SETTING security.provisioning.jwt.enabled = true;

启用后，对于尚未拥有账户的已认证JWT用户，会自动创建一个SQL用户。

3.5 Test SQL/Cluster SSO

3.5 测试SQL/集群SSO

bash

undefined

bash

undefined

Obtain a JWT token from your IdP (method varies by IdP)

从你的IdP获取JWT令牌（方法因IdP而异）

Then connect using the token as the password with JWT auth enabled

然后使用令牌作为密码，启用JWT认证进行连接

cockroach sql --url "postgresql://<username>@<cluster-host>:26257/defaultdb?sslmode=verify-full&options=--crdb:jwt_auth_enabled=true" --external-io-implicit-credentials


The JWT token is passed as the password. The `--crdb:jwt_auth_enabled=true` connection option tells CockroachDB to treat the password as a JWT token.

```sql
-- Verify the connection
SELECT current_user();

cockroach sql --url "postgresql://<username>@<cluster-host>:26257/defaultdb?sslmode=verify-full&options=--crdb:jwt_auth_enabled=true" --external-io-implicit-credentials


JWT令牌作为密码传递。`--crdb:jwt_auth_enabled=true`连接选项告知CockroachDB将密码视为JWT令牌。

```sql
-- 验证连接
SELECT current_user();

Part 4: LDAP/AD Authentication

第四部分：LDAP/AD认证

LDAP/AD authentication validates SQL credentials directly against an LDAP directory (Active Directory or OpenLDAP). Self-hosted only — not available on CockroachDB Cloud.

WARNING — HBA first-match-wins: HBA rules are evaluated top-to-bottom. The first matching rule is used. A rule like
host all all all ldap ...
matches ALL users from ALL addresses and will prevent password fallback for any user. Always scope LDAP rules to specific users or roles to avoid locking out admin accounts.

LDAP/AD认证直接针对LDAP目录（Active Directory或OpenLDAP）验证SQL凭证。仅支持自托管集群——CockroachDB Cloud不支持。

警告——HBA规则匹配顺序： HBA规则从上到下评估，第一个匹配的规则生效。类似
host all all all ldap ...
的规则会匹配所有地址的所有用户，并会阻止任何用户使用密码 fallback。始终将LDAP规则限定为特定用户或角色，以避免锁定管理员账户。

4.1 Check Current HBA Configuration

4.1 检查当前HBA配置

sql

SHOW CLUSTER SETTING server.host_based_authentication.configuration;

sql

SHOW CLUSTER SETTING server.host_based_authentication.configuration;

4.2 Configure LDAP Authentication via HBA

4.2 通过HBA配置LDAP认证

LDAP authentication is configured through HBA (Host-Based Authentication) rules. Always scope LDAP rules to specific databases or users — never use

host all all all ldap

sql

-- Configure HBA for LDAP authentication scoped to specific users
-- The 'root' user and other admin users keep password auth
SET CLUSTER SETTING server.host_based_authentication.configuration = '
host all root all password
host all admin_user all password
host all all all ldap "ldapserver=ldap.example.com" "ldapport=389" "ldapbasedn=dc=example,dc=com" "ldapsearchattribute=uid" "ldapsearchfilter=(objectClass=inetOrgPerson)" "ldapbinddn=cn=readonly,dc=example,dc=com" "ldapbindpasswd=<bind-password>"
host all all all password
';

Key LDAP HBA parameters:

```
ldapserver
```
— LDAP server hostname
```
ldapport
```
— LDAP server port (389 for LDAP, 636 for LDAPS)
```
ldapbasedn
```
— Base DN for user search
```
ldapsearchattribute
```
— Attribute matching the SQL username (e.g.,
```
uid
```
for OpenLDAP,
```
sAMAccountName
```
for AD)
```
ldapsearchfilter
```
— Required. LDAP filter to narrow the user search (e.g.,
```
(objectClass=inetOrgPerson)
```
)
```
ldapbinddn
```
— DN of the service account used for LDAP bind/search
```
ldapbindpasswd
```
— Password for the bind DN service account

Important: Each HBA option must be quoted as
"key=value"
(the entire key=value pair in one set of quotes).

See configuration steps reference for Active Directory, OpenLDAP, group mapping, and LDAPS examples.

LDAP认证通过HBA（基于主机的认证）规则进行配置。始终将LDAP规则限定为特定数据库或用户——切勿使用

host all all all ldap

。

sql

-- 配置针对特定用户的LDAP认证HBA规则
-- 'root'用户和其他管理员用户保留密码认证
SET CLUSTER SETTING server.host_based_authentication.configuration = '
host all root all password
host all admin_user all password
host all all all ldap "ldapserver=ldap.example.com" "ldapport=389" "ldapbasedn=dc=example,dc=com" "ldapsearchattribute=uid" "ldapsearchfilter=(objectClass=inetOrgPerson)" "ldapbinddn=cn=readonly,dc=example,dc=com" "ldapbindpasswd=<bind-password>"
host all all all password
';

关键LDAP HBA参数：

```
ldapserver
```
— LDAP服务器主机名
```
ldapport
```
— LDAP服务器端口（LDAP为389，LDAPS为636）
```
ldapbasedn
```
— 用户搜索的基础DN
```
ldapsearchattribute
```
— 匹配SQL用户名的属性（例如，OpenLDAP为
```
uid
```
，AD为
```
sAMAccountName
```
）
```
ldapsearchfilter
```
— 必填项。用于缩小用户搜索范围的LDAP过滤器（例如
```
(objectClass=inetOrgPerson)
```
）
```
ldapbinddn
```
— 用于LDAP绑定/搜索的服务账户DN
```
ldapbindpasswd
```
— 绑定DN服务账户的密码

重要提示： 每个HBA选项必须用
"key=value"
包裹（整个键值对放在一组引号中）。

有关Active Directory、OpenLDAP、群组映射和LDAPS示例，请参阅配置步骤参考。

4.3 Use LDAPS (TLS) for Production

4.3 生产环境使用LDAPS（TLS）

For production environments, always use LDAPS (LDAP over TLS on port 636) to encrypt credentials in transit. Do NOT use

ldaptls=1

— this option is not supported. Instead, use port 636 and configure the custom CA certificate:

sql

-- Configure the LDAP CA certificate for TLS verification
SET CLUSTER SETTING server.ldap_authentication.domain.custom_ca = '-----BEGIN CERTIFICATE-----
<your-ldap-ca-certificate-pem>
-----END CERTIFICATE-----';

-- Set HBA to use LDAPS (port 636)
SET CLUSTER SETTING server.host_based_authentication.configuration = '
host all root all password
host all admin_user all password
host all all all ldap "ldapserver=ldap.example.com" "ldapport=636" "ldapbasedn=dc=example,dc=com" "ldapsearchattribute=uid" "ldapsearchfilter=(objectClass=inetOrgPerson)" "ldapbinddn=cn=readonly,dc=example,dc=com" "ldapbindpasswd=<bind-password>"
host all all all password
';

对于生产环境，始终使用LDAPS（基于TLS的LDAP，端口636）以加密传输中的凭证。请勿使用

ldaptls=1

——此选项不受支持。相反，使用端口636并配置自定义CA证书：

sql

-- 配置用于TLS验证的LDAP CA证书
SET CLUSTER SETTING server.ldap_authentication.domain.custom_ca = '-----BEGIN CERTIFICATE-----
<your-ldap-ca-certificate-pem>
-----END CERTIFICATE-----';

-- 设置HBA使用LDAPS（端口636）
SET CLUSTER SETTING server.host_based_authentication.configuration = '
host all root all password
host all admin_user all password
host all all all ldap "ldapserver=ldap.example.com" "ldapport=636" "ldapbasedn=dc=example,dc=com" "ldapsearchattribute=uid" "ldapsearchfilter=(objectClass=inetOrgPerson)" "ldapbinddn=cn=readonly,dc=example,dc=com" "ldapbindpasswd=<bind-password>"
host all all all password
';

4.4 Configure LDAP Group-to-Role Mapping

4.4 配置LDAP群组到角色的映射

LDAP group mapping assigns CockroachDB SQL roles based on LDAP/AD group membership. Group mapping is configured via the

ldapgrouplistfilter

HBA parameter — not via cluster settings.

sql

-- HBA with group-to-role mapping
SET CLUSTER SETTING server.host_based_authentication.configuration = '
host all root all password
host all admin_user all password
host all all all ldap "ldapserver=ad.corp.example.com" "ldapport=636" "ldapbasedn=ou=Users,dc=corp,dc=example,dc=com" "ldapsearchattribute=sAMAccountName" "ldapsearchfilter=(objectClass=user)" "ldapbinddn=cn=crdb-svc,ou=ServiceAccounts,dc=corp,dc=example,dc=com" "ldapbindpasswd=<service-account-password>" "ldapgrouplistfilter=(&(objectClass=group)(member={{.User.DN}}))"
host all all all password
';

The LDAP group CN is mapped directly to a SQL role name. The role must already exist in CockroachDB:

sql

CREATE ROLE IF NOT EXISTS db_admins;
GRANT admin TO db_admins;

LDAP群组映射根据LDAP/AD群组成员身份分配CockroachDB SQL角色。群组映射通过

ldapgrouplistfilter

HBA参数配置——而非集群设置。

sql

-- 带有群组到角色映射的HBA规则
SET CLUSTER SETTING server.host_based_authentication.configuration = '
host all root all password
host all admin_user all password
host all all all ldap "ldapserver=ad.corp.example.com" "ldapport=636" "ldapbasedn=ou=Users,dc=corp,dc=example,dc=com" "ldapsearchattribute=sAMAccountName" "ldapsearchfilter=(objectClass=user)" "ldapbinddn=cn=crdb-svc,ou=ServiceAccounts,dc=corp,dc=example,dc=com" "ldapbindpasswd=<service-account-password>" "ldapgrouplistfilter=(&(objectClass=group)(member={{.User.DN}}))"
host all all all password
';

LDAP群组CN直接映射到SQL角色名称。该角色必须已在CockroachDB中存在：

sql

CREATE ROLE IF NOT EXISTS db_admins;
GRANT admin TO db_admins;

4.5 Enable Auto User Provisioning (Optional)

4.5 启用自动用户配置（可选）

Auto-provision SQL users when they first authenticate via LDAP:

sql

SET CLUSTER SETTING security.provisioning.ldap.enabled = true;

当用户首次通过LDAP认证时自动创建SQL用户：

sql

SET CLUSTER SETTING security.provisioning.ldap.enabled = true;

4.6 Test LDAP Authentication

4.6 测试LDAP认证

bash

undefined

bash

undefined

Test with an LDAP user credential

使用LDAP用户凭证进行测试

cockroach sql --url "postgresql://<ldap-username>:<ldap-password>@<cluster-host>:26257/defaultdb?sslmode=verify-full"


```sql
-- Verify the user connected successfully
SELECT current_user();

-- If group mapping is enabled, verify role grants
SHOW GRANTS FOR <ldap-username>;

cockroach sql --url "postgresql://<ldap-username>:<ldap-password>@<cluster-host>:26257/defaultdb?sslmode=verify-full"


```sql
-- 验证用户是否成功连接
SELECT current_user();

-- 如果启用了群组映射，验证角色授权
SHOW GRANTS FOR <ldap-username>;

Part 5: SCIM 2.0 on Cloud Console

第五部分：Cloud Console上的SCIM 2.0

Skip this section if the user does not need automated user provisioning or does not have an Enterprise plan.

SCIM 2.0 enables automated user provisioning and deprovisioning on the Cloud Console, syncing user lifecycle with your IdP.

如果用户不需要自动化用户配置或没有企业版计划，请跳过此部分。

SCIM 2.0启用Cloud Console上的自动化用户配置与取消配置，将用户生命周期与你的IdP同步。

5.1 Check Current SCIM Configuration

5.1 检查当前SCIM配置

Check SCIM status in the Cloud Console UI (Organization Settings > Authentication > SCIM). The

ccloud

CLI does not currently expose SCIM configuration commands.

在Cloud Console UI中查看SCIM状态（组织设置 > 认证 > SCIM）。

ccloud

CLI目前未提供SCIM配置命令。

5.2 Enable SCIM Endpoint

5.2 启用SCIM端点

Navigate to Organization Settings > Authentication > SCIM in the Cloud Console
Enable the SCIM 2.0 endpoint
Copy the SCIM base URL and Bearer token for IdP configuration

导航至Cloud Console中的组织设置 > 认证 > SCIM
启用SCIM 2.0端点
复制SCIM基础URL和Bearer令牌用于IdP配置

5.3 Configure IdP for SCIM

5.3 为SCIM配置IdP

In your IdP (Okta, Azure AD, etc.):

Add a new SCIM provisioning integration
Enter the SCIM base URL from step 5.2
Enter the Bearer token for authentication
Configure provisioning actions:
- Create users — New IdP users are created in CockroachDB Cloud
- Update user attributes — Name and email changes sync
- Deactivate users — Removed IdP users are deactivated in CockroachDB Cloud
Assign users or groups to the SCIM integration

See configuration steps reference for IdP-specific SCIM setup.

在你的IdP（Okta、Azure AD等）中：

添加一个新的SCIM配置集成
输入步骤5.2中的SCIM基础URL
输入用于认证的Bearer令牌
配置配置操作：
- 创建用户——新的IdP用户将在CockroachDB Cloud中创建
- 更新用户属性——姓名和邮箱变更将同步
- 停用用户——从IdP中移除的用户将在CockroachDB Cloud中被停用
为SCIM集成分配用户或群组

有关IdP特定的SCIM设置，请参阅配置步骤参考。

5.4 Verify SCIM Provisioning

5.4 验证SCIM配置

Create a test user in your IdP and assign them to the SCIM integration
Check the Cloud Console — the user should appear within a few minutes
Remove the test user from the IdP SCIM assignment
Verify the user is deactivated in the Cloud Console

在你的IdP中创建一个测试用户，并将其分配给SCIM集成
检查Cloud Console——该用户应在几分钟内出现
从IdP的SCIM分配中移除测试用户
验证该用户在Cloud Console中已被停用

Troubleshooting

故障排除

SSO Lockout Recovery

SSO锁定恢复

If SSO is enforced and the IdP becomes unavailable or misconfigured:

Use the break-glass account: Log in with the pre-configured password-based admin account
Disable SSO enforcement: Navigate to Organization Settings > Authentication and disable "Require SSO"
If no break-glass account exists: Contact CockroachDB Cloud support to disable SSO enforcement for your organization

Prevention: Always create and test a break-glass admin account before enforcing SSO.

如果强制启用了SSO且IdP不可用或配置错误：

使用应急管理员账户： 使用预先配置的基于密码的管理员账户登录
禁用SSO强制： 导航至组织设置 > 认证，禁用“要求SSO”
如果没有应急管理员账户： 联系CockroachDB Cloud支持，为你的组织禁用SSO强制

预防措施： 在强制启用SSO前，始终创建并测试应急管理员账户。

JWT Authentication Errors

JWT认证错误

"ERROR: JWT authentication: invalid token"

Verify the JWT issuer configuration in

server.jwt_authentication.issuers.configuration

Check that the JWT token has not expired

Verify that

server.jwt_authentication.jwks_auto_fetch.enabled

true

Inspect the token contents:

echo '<token>' | cut -d. -f2 | base64 -d | jq .

Verify the
```
aud
```
(audience) claim in the token matches the configured audience

"ERROR: JWT authentication: issuer not configured"

The issuer URL in the token does not match

server.jwt_authentication.issuers.configuration

Re-check the issuer URL matches exactly (trailing slashes matter)

"ERROR: JWT authentication: invalid token"

验证

server.jwt_authentication.issuers.configuration

中的JWT发行方配置

检查JWT令牌是否已过期

验证

server.jwt_authentication.jwks_auto_fetch.enabled

是否为

true

检查令牌内容：

echo '<token>' | cut -d. -f2 | base64 -d | jq .

验证令牌中的
```
aud
```
（受众）声明与配置的受众匹配

"ERROR: JWT authentication: issuer not configured"

令牌中的发行方URL与

server.jwt_authentication.issuers.configuration

不匹配

重新检查发行方URL是否完全匹配（末尾的斜杠很重要）

DB Console OIDC Errors

DB Console OIDC错误

"OIDC: unable to match principal"

The
```
server.oidc_authentication.principal_regex
```
does not match the claim value from the token
Test the regex against the actual claim value:

sql

SHOW CLUSTER SETTING server.oidc_authentication.principal_regex;
-- Common patterns:
-- Email -> username (strip domain): '^([^@]+)'
-- Full email as username: '^(.+)$'

Complex regex not accepted:

CockroachDB uses Go's
```
regexp
```
syntax (no lookaheads/lookbehinds)
Test at https://regex101.com/ with the "Golang" flavor

"OIDC: unable to match principal"

server.oidc_authentication.principal_regex

与令牌中的声明值不匹配

针对实际声明值测试正则表达式：

sql

SHOW CLUSTER SETTING server.oidc_authentication.principal_regex;
-- 常见模式：
-- 邮箱转用户名（去除域名）：'^([^@]+)'
-- 完整邮箱作为用户名：'^(.+)$'

复杂正则表达式不被接受：

CockroachDB使用Go的
```
regexp
```
语法（不支持正向/反向预查）
在https://regex101.com/上使用“Golang”风格进行测试

LDAP Authentication Errors

LDAP认证错误

"ERROR: LDAP authentication: unable to bind"

Verify
```
ldapbinddn
```
and
```
ldapbindpasswd
```
are correct
Check that the bind service account has read access to the user search base

Test with:

ldapsearch -H ldap://ldap.example.com -D "cn=readonly,dc=example,dc=com" -W -b "dc=example,dc=com" "(uid=testuser)"

"ERROR: LDAP authentication: user not found"

Verify
```
ldapbasedn
```
includes the OU where the user resides
Check that
```
ldapsearchattribute
```
matches the login attribute (
```
uid
```
for OpenLDAP,
```
sAMAccountName
```
for AD)
Check that
ldapsearchfilter
is set — without it, LDAP user search will fail

LDAP lockout — all users blocked

This happens when an overly broad HBA rule like
```
host all all all ldap ...
```
is the first rule and the LDAP server is unreachable, or the LDAP config is wrong
Fix: Ensure
```
root
```
and admin users have explicit
```
password
```
rules BEFORE any
```
ldap
```
rule
Recovery: Connect as
```
root
```
using client certificate auth (bypasses HBA) and fix the HBA configuration

LDAP server unreachable

Verify network connectivity from CockroachDB nodes to the LDAP server
For LDAPS, ensure the CA certificate is configured via
```
server.ldap_authentication.domain.custom_ca
```
Check firewall rules for port 389 (LDAP) or 636 (LDAPS)

"ERROR: LDAP authentication: unable to bind"

验证
```
ldapbinddn
```
和
```
ldapbindpasswd
```
是否正确
检查绑定服务账户是否对用户搜索基础具有读取权限

使用以下命令测试：

ldapsearch -H ldap://ldap.example.com -D "cn=readonly,dc=example,dc=com" -W -b "dc=example,dc=com" "(uid=testuser)"

"ERROR: LDAP authentication: user not found"

验证
```
ldapbasedn
```
包含用户所在的OU
检查
```
ldapsearchattribute
```
是否与登录属性匹配（OpenLDAP为
```
uid
```
，AD为
```
sAMAccountName
```
）
检查是否设置了
ldapsearchfilter
——如果没有，LDAP用户搜索可能会静默失败或返回无结果

LDAP锁定——所有用户被阻止

当过于宽泛的HBA规则（如
```
host all all all ldap ...
```
）作为第一条规则，且LDAP服务器不可用或LDAP配置错误时，会发生这种情况
修复方法： 确保
```
root
```
和管理员用户的密码规则在任何
```
ldap
```
规则之前
恢复方法： 使用客户端证书认证以
```
root
```
身份连接（绕过HBA），然后修复HBA配置

LDAP服务器不可达

验证CockroachDB节点与LDAP服务器之间的网络连通性

对于LDAPS，确保通过

server.ldap_authentication.domain.custom_ca

配置了CA证书

检查端口389（LDAP）或636（LDAPS）的防火墙规则

Azure AD / Entra ID Specific Issues

Azure AD / Entra ID特定问题

Token audience mismatch:

Azure AD tokens include an
```
aud
```
claim that must match the configured audience

For JWT SQL SSO: ensure the audience in

server.jwt_authentication.issuers.configuration

matches

For DB Console OIDC: ensure
```
server.oidc_authentication.client_id
```
matches

Multi-tenant vs single-tenant:

For single-tenant: use

https://login.microsoftonline.com/<tenant-id>/v2.0

as the issuer

For multi-tenant: use
```
https://login.microsoftonline.com/common/v2.0
```
(requires additional validation)

令牌受众不匹配：

Azure AD令牌包含
```
aud
```
声明，必须与配置的受众匹配

对于JWT SQL SSO：确保

server.jwt_authentication.issuers.configuration

中的受众匹配

对于DB Console OIDC：确保
```
server.oidc_authentication.client_id
```
匹配

多租户与单租户：

单租户：使用

https://login.microsoftonline.com/<tenant-id>/v2.0

作为发行方

多租户：使用

https://login.microsoftonline.com/common/v2.0

（需要额外验证）

Missing ldapsearchfilter

缺失ldapsearchfilter

If LDAP authentication fails with "user not found" errors but the user exists in the directory, check whether

ldapsearchfilter

is included in the HBA rule. This parameter is required and without it the LDAP search may fail silently or return no results.

如果LDAP认证失败并显示“用户未找到”错误，但用户在目录中存在，请检查HBA规则中是否包含

ldapsearchfilter

。此参数是必填项，如果没有它，LDAP搜索可能会静默失败或返回无结果。

Safety Considerations

安全注意事项

SSO misconfiguration can lock out users. If SSO is enforced and the IdP is down or misconfigured, no one can log in.

Mitigation — Break-glass account:

Before enforcing SSO, ensure at least one organization admin account uses password authentication
Document the break-glass account credentials in a secure vault (e.g., 1Password, HashiCorp Vault)
Test the break-glass account periodically to ensure it still works
For SQL SSO (JWT or LDAP), keep at least one SQL user with password authentication as a fallback

HBA first-match-wins — lockout risk: HBA rules are evaluated top-to-bottom. The first matching rule wins. This means:

```
host all all all ldap ...
```
as the first rule will force ALL users through LDAP — including
```
root
```
If the LDAP server goes down, ALL authentication fails (including admin access)
Always place password rules for
root
and admin users BEFORE LDAP rules

Example of a dangerous configuration:

undefined

SSO配置错误可能导致用户锁定。 如果强制启用了SSO且IdP宕机或配置错误，将无人能登录。

缓解措施——应急管理员账户：

在强制启用SSO前，确保至少有一个组织管理员账户使用密码认证
将应急管理员账户的凭证存储在安全的密码管理器中（如1Password、HashiCorp Vault）
定期测试应急管理员账户，确保其仍可正常使用
对于SQL SSO（JWT或LDAP），至少保留一个使用密码认证的SQL用户作为备用

HBA规则匹配顺序——锁定风险： HBA规则从上到下评估，第一个匹配的规则生效。这意味着：

作为第一条规则的
```
host all all all ldap ...
```
会强制所有用户通过LDAP认证——包括
```
root
```
如果LDAP服务器宕机，所有认证都会失败（包括管理员访问）
始终将
root
和管理员用户的密码规则放在LDAP规则之前

危险配置示例：

undefined

DANGEROUS — locks out root if LDAP is unavailable

危险——如果LDAP不可用，将锁定root用户

host all all all ldap ... host all all all password


Safe configuration:

host all all all ldap ... host all all all password


安全配置示例：

SAFE — root and admins always have password fallback

安全——root和管理员始终有密码备用

host all root all password host all admin_user all password host all all all ldap ... host all all all password


**SCIM risks:**
- **Mass deprovisioning:** If the IdP SCIM assignment is accidentally removed, all provisioned users may be deactivated. Start with a small group before enabling for the full organization.
- **Attribute mapping errors:** Incorrect attribute mapping can create users with wrong names or emails. Test with a single user first.

**LDAP/AD risks:**
- **LDAP server unavailability blocks authentication:** If the LDAP server is down, users authenticating via LDAP cannot connect. Always keep password-based fallback HBA rules for admin users.
- **Use a restricted service account for LDAP bind:** The `ldapbinddn` account should have minimal read-only permissions. Never use a domain admin account.
- **Credential exposure without LDAPS:** LDAP without TLS transmits passwords in cleartext. Always use LDAPS (port 636) with `server.ldap_authentication.domain.custom_ca` in production.

host all root all password host all admin_user all password host all all all ldap ... host all all all password


**SCIM风险：**
- **大规模取消配置：** 如果意外移除了IdP的SCIM分配，所有已配置的用户可能会被停用。在为整个组织启用前，先从小规模群组开始。
- **属性映射错误：** 不正确的属性映射可能会创建姓名或邮箱错误的用户。先使用单个用户进行测试。

**LDAP/AD风险：**
- **LDAP服务器不可用会阻止认证：** 如果LDAP服务器宕机，通过LDAP认证的用户无法连接。始终为管理员用户保留基于密码的备用HBA规则。
- **使用受限服务账户进行LDAP绑定：** `ldapbinddn`账户应具有最小的只读权限。切勿使用域管理员账户。
- **不使用LDAPS会导致凭证泄露：** 未使用TLS的LDAP会以明文传输密码。生产环境中始终使用LDAPS（端口636）并配置`server.ldap_authentication.domain.custom_ca`。

Rollback

回滚

Disable Cloud Console SSO Enforcement

禁用Cloud Console SSO强制

Log in with the break-glass admin account
Navigate to Organization Settings > Authentication
Disable Require SSO to re-enable password login

使用应急管理员账户登录
导航至组织设置 > 认证
禁用要求SSO以重新启用密码登录

Disable DB Console SSO (OIDC)

禁用DB Console SSO（OIDC）

sql

SET CLUSTER SETTING server.oidc_authentication.enabled = false;

sql

SET CLUSTER SETTING server.oidc_authentication.enabled = false;

Disable SQL/Cluster SSO (JWT)

禁用SQL/集群SSO（JWT）

sql

SET CLUSTER SETTING server.jwt_authentication.enabled = false;

sql

SET CLUSTER SETTING server.jwt_authentication.enabled = false;

Disable LDAP/AD Authentication

禁用LDAP/AD认证

sql

-- Revert HBA to password-only authentication
SET CLUSTER SETTING server.host_based_authentication.configuration = '
host all all all password
';

sql

-- 将HBA恢复为仅密码认证
SET CLUSTER SETTING server.host_based_authentication.configuration = '
host all all all password
';

Disable Auto User Provisioning

禁用自动用户配置

sql

-- Disable JWT auto-provisioning
SET CLUSTER SETTING security.provisioning.jwt.enabled = false;

-- Disable LDAP auto-provisioning
SET CLUSTER SETTING security.provisioning.ldap.enabled = false;

sql

-- 禁用JWT自动配置
SET CLUSTER SETTING security.provisioning.jwt.enabled = false;

-- 禁用LDAP自动配置
SET CLUSTER SETTING security.provisioning.ldap.enabled = false;

Disable SCIM

禁用SCIM

Navigate to Organization Settings > Authentication > SCIM
Disable the SCIM endpoint
Remove the SCIM integration from your IdP

导航至组织设置 > 认证 > SCIM
禁用SCIM端点
从你的IdP中移除SCIM集成

Remove Identity Mapping

移除身份映射

sql

SET CLUSTER SETTING server.identity_map.configuration = '';

sql

SET CLUSTER SETTING server.identity_map.configuration = '';

References

参考资料

Skill references:

IdP configuration steps

Related skills:

auditing-cloud-cluster-security — Run a full security posture audit
enforcing-password-policies — Strengthen password policies as an alternative to SSO
managing-tls-certificates — Certificate-based authentication as an alternative to SSO

Official CockroachDB Documentation:

技能参考：

IdP配置步骤

相关技能：

auditing-cloud-cluster-security — 运行完整的安全态势审计
enforcing-password-policies — 加强密码策略，作为SSO的替代方案
managing-tls-certificates — 基于证书的认证，作为SSO的替代方案

官方CockroachDB文档：