Redis Cloud supports both IdP-initiated and SP-initiated single sign-on (SSO) with SAML (Security Assertion Markup Language).

You cannot use SCIM (System for Cross-domain Identity Management) to provision Redis Cloud users. However, Redis Cloud supports just-in-time (JIT) user provisioning: Redis Cloud automatically creates a user account the first time a new user signs in with SAML SSO. Removal of users is not automatic; see Deprovision SAML users below.

SAML SSO overview

When SAML SSO is enabled, the identity provider (IdP) admin handles SAML user management instead of the Redis Cloud account owner.

After you activate SAML SSO for a Redis Cloud account, all existing local users for the account, except for the user that set up SAML SSO, are converted to SAML users and are required to use SAML SSO to sign in. Before they can sign in to Redis Cloud, the identity provider admin needs to set up these users on the IdP side and configure the redisAccountMapping attribute to map them to the appropriate Redis Cloud accounts and roles.

IdP-initiated SSO

With IdP-initiated single sign-on, you can select the Redis Cloud application after you sign in to your identity provider (IdP). This redirects you to the Redis Cloud admin console and signs you in to your SAML user account.

SP-initiated SSO

You can also initiate single sign-on from the Redis Cloud admin console. This process is known as service provider (SP)-initiated single sign-on.

  1. From the Redis Cloud admin console's sign in screen, select the SSO button.
  2. Enter the email address associated with your SAML user account.

  3. Select the Login button.

    • If you already have an active SSO session with your identity provider, this signs you in to your SAML user account.

    • Otherwise, the SSO flow redirects you to your identity provider’s sign in screen.

      1. Enter your IdP user credentials to sign in.

      2. This redirects you back to the Redis Cloud admin console and automatically signs in to your SAML user account.

Multi-factor authentication

The account owner remains a local user and should set up multi-factor authentication (MFA) to help secure their account. After SAML activation, the account owner can set up additional local bypass users with MFA enabled.

If MFA enforcement is enabled for the account, note that it does not apply to SAML users: Redis Cloud leaves MFA management and enforcement for those users to the identity provider, so enforce MFA in the identity provider's policy for the Redis Cloud app.

Set up SAML SSO

To set up SAML single sign-on for a Redis Cloud account:

  1. Set up a SAML app to integrate Redis Cloud with your identity provider.

  2. Configure SAML in Redis Cloud.

  3. Download service provider metadata and upload it to your identity provider.

  4. Activate SAML SSO.

Set up SAML app

First, set up a SAML app to integrate Redis Cloud with your identity provider:

  1. Sign in to your identity provider’s admin console.

  2. Create or add a SAML integration app for the service provider Redis Cloud.

  3. Set up your SAML service provider app so the SAML assertion contains the following attributes:

     Attribute name (case-sensitive)   Description
     FirstName                         User's first name
     LastName                          User's last name
     Email                             User's email address (used as the username in the Redis Cloud console)
     redisAccountMapping               Maps the user to one or more Redis Cloud accounts and the role held in each (roles must be lowercase)

    For redisAccountMapping, you can add the same user to multiple SAML-enabled accounts with either:

    • A single string that contains a comma-separated list of account/role pairs

      <saml2:Attribute Name="redisAccountMapping" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
          <saml2:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
              12345=owner,54321=manager
          </saml2:AttributeValue>
      </saml2:Attribute>
      
    • Multiple strings, where each represents a single account/role pair

      <saml2:Attribute Name="redisAccountMapping" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
          <saml2:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
              12345=owner
          </saml2:AttributeValue>
          <saml2:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
              54321=manager
          </saml2:AttributeValue>
      </saml2:Attribute>
      
    Note:
    To confirm the identity provider’s SAML assertions contain the required attributes, you can use a SAML-tracer web developer tool to inspect them.
  4. Set up any additional configuration required by your identity provider to ensure you can configure the redisAccountMapping attribute for SAML users.

    If your identity provider lets you configure custom attributes with workflows or group rules, you can set up automation to configure the redisAccountMapping field automatically instead of manually.
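To confirm what an identity provider is actually sending, and to see how the two redisAccountMapping forms above normalize to the same account/role map, here is an added example (not Redis Cloud code). It parses a constructed assertion with Python's standard library and applies the rules stated above: attribute names match case-sensitively, roles must be lowercase, and pairs may arrive comma-separated in one value or one per value. Numeric account IDs are an assumption taken from the 12345/54321 examples. The example does not verify the assertion signature; a SAML library or Redis Cloud itself does that.

```python
"""Inspect a SAML assertion for the attributes Redis Cloud expects.

Added example, not Redis Cloud code. The assertion below is constructed;
the rules (case-sensitive attribute names, lowercase roles, "<account>=<role>"
pairs given either comma-separated in one value or one per value) come
from the page text. Numeric account IDs are an assumption based on the
page's 12345/54321 examples. No signature verification is done here.
"""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
REQUIRED_ATTRIBUTES = ("FirstName", "LastName", "Email", "redisAccountMapping")

# Constructed sample assertion: signature omitted, both mapping styles mixed.
SAMPLE_ASSERTION = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_constructed-example" Version="2.0">
  <saml2:Subject><saml2:NameID>ada@example.com</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="FirstName"><saml2:AttributeValue>Ada</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="LastName"><saml2:AttributeValue>Lovelace</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="Email"><saml2:AttributeValue>ada@example.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="redisAccountMapping"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xsi:type="xs:string">
        12345=owner,54321=manager
      </saml2:AttributeValue>
      <saml2:AttributeValue>67890=manager</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def attribute_values(assertion_xml: str) -> dict[str, list[str]]:
    """Return {Name: [value, ...]} for every Attribute in the assertion.

    Names are kept exactly as sent: Redis Cloud matches them case-sensitively,
    so "email" does not satisfy the "Email" requirement.
    """
    root = ET.fromstring(assertion_xml)
    values: dict[str, list[str]] = {}
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        name = attr.get("Name")
        if name is None:
            continue
        texts = [(v.text or "").strip()
                 for v in attr.findall(f"{{{SAML2_NS}}}AttributeValue")]
        values.setdefault(name, []).extend(t for t in texts if t)
    return values


def missing_attributes(assertion_xml: str) -> list[str]:
    """Names from REQUIRED_ATTRIBUTES that the assertion does not carry."""
    values = attribute_values(assertion_xml)
    return [name for name in REQUIRED_ATTRIBUTES if not values.get(name)]


def parse_account_mapping(values: list[str]) -> dict[str, str]:
    """Normalise redisAccountMapping values into {account_id: role}.

    Accepts one comma-separated value, several single-pair values, or a mix.
    """
    mapping: dict[str, str] = {}
    for value in values:
        for pair in value.split(","):
            pair = pair.strip()
            if not pair:
                continue
            account, sep, role = (part.strip() for part in pair.partition("="))
            if not sep or not account.isdigit() or not role:
                raise ValueError(f"malformed account/role pair: {pair!r}")
            if role != role.lower():
                raise ValueError(f"role must be lowercase: {pair!r}")
            mapping[account] = role
    return mapping


def mapping_error(values: list[str]) -> str:
    """Return "" if the values parse, else the reason they are rejected."""
    try:
        parse_account_mapping(values)
    except ValueError as exc:
        return str(exc)
    return ""


def check_assertion(assertion_xml: str) -> dict[str, str]:
    """Fail if a required attribute is absent; otherwise return the account map."""
    missing = missing_attributes(assertion_xml)
    if missing:
        raise ValueError("assertion lacks required attribute(s): " + ", ".join(missing))
    return parse_account_mapping(attribute_values(assertion_xml)["redisAccountMapping"])


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION))
    # Lower-casing the attribute name breaks the case-sensitive match:
    print(missing_attributes(SAMPLE_ASSERTION.replace('Name="Email"', 'Name="email"')))
```

Paste the assertion captured with a SAML-tracer tool in place of SAMPLE_ASSERTION to check a real identity provider's output. A mapping that fails here (for example `12345=Owner`) is exactly the kind of value that leaves a user without access to the account after sign-in.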

Configure SAML in Redis Cloud

After you set up the SAML integration app and create a SAML user in your identity provider, you need to configure the Redis Cloud account with some identity provider metadata:

  1. Sign in to Redis Cloud with the email address associated with the SAML user you set up with your identity provider.

  2. Select Access Management from the admin console menu.

  3. Select Single Sign-On.

  4. Select the Setup SSO button.
  5. You need the following metadata values from your identity provider:

     Setting                         Description
     Issuer (IdP entity ID)          The unique entity ID of the identity provider
     IdP server URL                  The identity provider's HTTPS endpoint for SAML SSO, where Redis Cloud sends authentication requests
     Single logout URL               The URL used to sign out of the identity provider and connected apps (optional)
     Assertion signing certificate   The identity provider's public X.509 signing certificate (SHA-256 signature algorithm), used to validate the signatures on SAML assertions it issues

    To find these metadata values, see your identity provider’s documentation.

  6. From the SAML screen of the Redis Cloud admin console, configure the Identity Provider metadata settings.

    Email domain binding should match the email domain that SAML users will use to sign in from the Redis Cloud admin console (SP-initiated SSO).

    [Screenshot: SAML Single Sign-On configuration screen]
  7. Select the Enable button.

  8. From the SAML activation dialog box, select Continue.

Download service provider metadata

Next, you need to download the service provider metadata for Redis Cloud and use it to finish configuring the SAML integration app for your identity provider:

  1. Select the Download button to download the service provider metadata in XML format.

  2. Sign in to your identity provider’s admin console.

  3. Configure the Redis Cloud service provider app with the downloaded XML.

    • Some identity providers let you upload the XML file directly.

    • Others require you to manually configure the service provider app with specific metadata fields, such as:

      XML attribute                          Value                                                Description
      EntityDescriptor's entityID            https://auth.redis.com/saml2/service-provider/<ID>   Unique URL that identifies the Redis Cloud service provider
      AssertionConsumerService's Location    https://auth.redis.com/sso/saml2/<ID>                The service provider endpoint where the identity provider sends a SAML assertion that authenticates a user
    • To use IdP-initiated SSO with certain identity providers, you also need to set the RelayState parameter to the following URL:

      https://app.redislabs.com/#/login/?idpId=<ID>
      
      Note:
      Replace <ID> so it matches the AssertionConsumerService Location URL’s ID.

    To learn more about how to configure service provider apps, see your identity provider’s documentation.
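For identity providers that need the fields entered by hand, the values can be pulled straight out of the downloaded XML rather than copied from a screen. The following is an added example, not Redis Cloud code: it reads an EntityDescriptor, picks the default AssertionConsumerService, derives the <ID> from the ACS Location and builds the RelayState URL in the format given above. The metadata it runs on is constructed to match the field names and URL shapes on this page, with "example-sp-id" standing in for a real ID; the expectation that entityID and ACS Location carry the same ID is an assumption drawn from the table above and is reported, not enforced.

```python
"""Derive the identity provider's hand-entered settings from Redis Cloud
service provider metadata.

Added example, not Redis Cloud code. SAMPLE_SP_METADATA is constructed
from the field names and URL shapes on the page; "example-sp-id" stands in
for the real <ID>. The RelayState template is the one the page gives for
IdP-initiated SSO.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
RELAY_STATE_TEMPLATE = "https://app.redislabs.com/#/login/?idpId={sp_id}"

# Constructed sample: the minimum a SAML 2.0 SP metadata document carries.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://auth.redis.com/saml2/service-provider/example-sp-id">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.redis.com/sso/saml2/example-sp-id"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_settings(metadata_xml: str) -> dict:
    """Extract entityID and the default ACS endpoint, then build the RelayState.

    Raises ValueError when the document is not SP metadata or the ACS
    endpoint is missing or not an https URL with a path.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID", "")

    acs_list = list(root.iter(f"{{{MD_NS}}}AssertionConsumerService"))
    if not acs_list:
        raise ValueError("metadata has no AssertionConsumerService")
    # Prefer the endpoint flagged isDefault, otherwise the lowest index.
    flagged = [a for a in acs_list if a.get("isDefault", "").lower() == "true"]
    acs = flagged[0] if flagged else min(acs_list, key=lambda a: int(a.get("index", "0")))

    acs_url = acs.get("Location", "")
    parts = urlsplit(acs_url)
    if parts.scheme != "https" or not parts.path.strip("/"):
        raise ValueError(f"unexpected AssertionConsumerService Location: {acs_url!r}")
    # The page's note: the RelayState <ID> must match the ACS Location's ID,
    # which is the last path segment.
    sp_id = parts.path.rstrip("/").rsplit("/", 1)[-1]

    return {
        "entity_id": entity_id,
        "acs_url": acs_url,
        "acs_binding": acs.get("Binding", ""),
        "sp_id": sp_id,
        # Assumption: entityID ends with the same <ID>; reported for a manual check.
        "ids_match": entity_id.rstrip("/").endswith("/" + sp_id),
        "relay_state": RELAY_STATE_TEMPLATE.format(sp_id=sp_id),
    }


if __name__ == "__main__":
    # Replace SAMPLE_SP_METADATA with open("downloaded-sp-metadata.xml").read()
    for key, value in sp_settings(SAMPLE_SP_METADATA).items():
        print(f"{key:12} {value}")
```

Copy entity_id, acs_url and acs_binding into the identity provider's service provider app, and relay_state into its default RelayState setting if the provider needs it for IdP-initiated SSO. If ids_match is False, compare the two URLs by eye before going further.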

Activate SAML SSO

After you finish the required SAML SSO configuration between your identity provider and Redis Cloud account, you can test and activate SAML SSO.

All users associated with the account, excluding the local user you used to set up SAML SSO, are converted to SAML users on successful activation. They can no longer sign in with their previous sign-in method and must use SAML SSO instead. However, you can add local bypass users after SAML SSO activation to allow access to the account in case of identity provider downtime or other issues with SAML SSO.

To activate SAML SSO:

  1. Sign out of any active SSO sessions with your identity provider.

  2. For Activate SAML integration, select the Activate button.

  3. From the Logout notification dialog, select Continue. This redirects you to your configured identity provider’s sign-in screen.

  4. Sign in with your identity provider.

  5. When redirected to the Redis Cloud sign-in screen, you can either:

    • Sign in with your local credentials as usual.

    • Select the SSO button and enter the email address associated with the SAML user configured in your identity provider.

      This will convert your user to a SAML user in Redis Cloud, so do not use this method if you want your user account to remain a local bypass user.

    Note:
    If you see a SAML activation failed notification when redirected to the Redis Cloud sign-in screen, sign in with your local user credentials and review the SAML configuration for issues.

After you activate SAML SSO, add a few local bypass users from the Team tab. Local bypass users should set up MFA for additional security.

Update configuration

If you change certain metadata or configuration settings after you set up SAML SSO, such as the assertion signing certificate (for example, when the identity provider rotates its signing key), remember to do the following. Until the new certificate is in place in Redis Cloud, assertions signed with it fail validation and SAML users cannot sign in; a local bypass user can still sign in and correct the configuration.

  1. Update the SAML SSO configuration with the new values.

  2. Download the updated service provider metadata and use it to update the Redis Cloud service provider app.

After you set up SAML SSO for one account, you can link other accounts you own to the existing SAML configuration. This lets you use the same SAML configuration for SSO across multiple accounts.

To link other accounts to an existing SAML SSO configuration:

  1. Go to Access Management > Single Sign-On in the Redis Cloud admin console.

  2. Select the Edit button.

  3. For Account linking, select the checkboxes for the other accounts you want to link to SAML SSO.

    [Screenshot: Link other accounts to the SAML configuration screen]
  4. Select Save.

  5. From the Link accounts dialog, select Continue to enable SAML SSO for the selected accounts.

Deactivate SAML SSO

Before you can deactivate SAML SSO for an account, you must sign in to the account as a local (non-SAML) user with the owner role assigned.

Deactivating SAML SSO for an account also removes any existing SAML-type users associated with the account.

To deactivate SAML SSO for a specific account:

  1. In the Redis Cloud admin console, select your name to display your available accounts.

  2. If the relevant account is not already selected, select it from the Switch account list.

  3. Go to Access Management > Single Sign-On.

  4. Select Deactivate SAML. This only deactivates SAML SSO for the current account. Other linked accounts continue to use this SAML SSO configuration.

  5. Select Deactivate to confirm deactivation.

Deprovision SAML users

To deprovision SAML users upon deletion, the identity provider admin can set up a webhook to automatically make the appropriate Cloud API requests.

See the Cloud API Swagger UI for more information about how to manage users with API requests.
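Because there is no SCIM, deleting a user at the identity provider leaves the Redis Cloud user in place until something removes it. The following is an added example, not Redis Cloud's or any identity provider's code, of the webhook receiver described above: it verifies an HMAC-SHA256 signature over the raw request body before parsing anything, matches the deleted user's email against the account's users, and deletes the match through the Cloud API. The webhook event shape, signature header and shared secret are constructed for the example, as identity providers differ. The API paths (GET /v1/users, DELETE /v1/users/{id}), the x-api-key and x-api-secret-key headers and the {"users": [...]} response shape are assumptions to confirm in the Cloud API Swagger UI before use.

```python
"""Deprovision a Redis Cloud user when the identity provider reports it deleted.

Added example, not Redis Cloud or identity provider code. Assumptions to
verify in the Cloud API Swagger UI: users are listed at GET /v1/users as
{"users": [{"id": ..., "email": ...}, ...]} and removed with
DELETE /v1/users/{id}, authenticated with x-api-key / x-api-secret-key.
The event format and HMAC-SHA256 signature are constructed for the example.
"""
import hashlib
import hmac
import json
import urllib.request

API_BASE = "https://api.redislabs.com/v1"  # assumption: confirm in the Swagger UI


class HttpCloudApi:
    """Minimal Cloud API client; paths and response shape are assumptions."""

    def __init__(self, api_key: str, api_secret: str):
        self.headers = {"x-api-key": api_key, "x-api-secret-key": api_secret,
                        "Accept": "application/json"}

    def _call(self, method: str, path: str):
        req = urllib.request.Request(API_BASE + path, method=method, headers=self.headers)
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read()
        return json.loads(body) if body else None

    def list_users(self) -> list[dict]:
        return self._call("GET", "/users").get("users", [])

    def delete_user(self, user_id: int) -> None:
        self._call("DELETE", f"/users/{user_id}")


class FakeCloudApi:
    """In-memory stand-in with the same two methods, so the flow runs offline."""

    def __init__(self, users: list[dict]):
        self.users = list(users)
        self.deleted: list[int] = []

    def list_users(self) -> list[dict]:
        return list(self.users)

    def delete_user(self, user_id: int) -> None:
        self.users = [u for u in self.users if u["id"] != user_id]
        self.deleted.append(user_id)


def verify_signature(secret: bytes, body: bytes, signature_hex: str) -> bool:
    """Constant-time check of an HMAC-SHA256 over the raw request body."""
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_hex)


def handle_webhook(body: bytes, signature_hex: str, secret: bytes, api) -> list[int]:
    """Delete the Redis Cloud user(s) whose email matches a user.deleted event.

    Returns the ids deleted. Raises PermissionError on a bad signature so the
    caller answers 401 and nothing is touched. Events of other types are ignored.
    """
    if not verify_signature(secret, body, signature_hex):
        raise PermissionError("webhook signature mismatch")
    event = json.loads(body)
    if event.get("type") != "user.deleted":  # constructed event name
        return []
    email = event["user"]["email"].strip().lower()
    deleted: list[int] = []
    for user in api.list_users():
        if user.get("email", "").strip().lower() == email:
            api.delete_user(user["id"])
            deleted.append(user["id"])
    return deleted


# Constructed demo event, signed with a constructed shared secret.
SECRET = b"shared-webhook-secret"
DEMO_EVENT = json.dumps({"type": "user.deleted",
                         "user": {"email": "Ada@Example.com"}}).encode()
DEMO_SIG = hmac.new(SECRET, DEMO_EVENT, hashlib.sha256).hexdigest()


def demo() -> tuple[list[int], list[dict]]:
    """Run the handler against a fake tenant of two users."""
    api = FakeCloudApi([{"id": 101, "email": "ada@example.com"},
                        {"id": 102, "email": "grace@example.com"}])
    deleted = handle_webhook(DEMO_EVENT, DEMO_SIG, SECRET, api)
    return deleted, api.list_users()


def demo_bad_signature() -> bool:
    """True if a tampered body is rejected before any API call is made."""
    api = FakeCloudApi([{"id": 101, "email": "ada@example.com"}])
    try:
        handle_webhook(DEMO_EVENT + b" ", DEMO_SIG, SECRET, api)
    except PermissionError:
        return api.deleted == []
    return False


if __name__ == "__main__":
    print(demo(), demo_bad_signature())
```

Sign and compare the raw bytes the identity provider sent; re-serialising a parsed body changes them and breaks the comparison. If the account also keeps local bypass users, filter on whatever field the API uses to distinguish SAML users before deleting, so that a stale identity provider event cannot remove the accounts kept for identity provider outages.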