Wide-Column Database
CQL native protocol
Query Audit

SAML/OIDC SSO for Apache Cassandra Access

Apache Software Foundation

Add SAML/OIDC Single Sign-On to Apache Cassandra connections. Replace shared credentials with identity-based access. Full CQL audit trail with individual accountability.

Overview

Why Apache Cassandra Needs Identity-Based Access

Apache Cassandra is a distributed NoSQL database used for high-availability, high-throughput workloads across industries like finance, healthcare, retail, and IoT. Cassandra clusters store billions of records across multiple data centers. Despite the scale and sensitivity of data, Cassandra access relies on internal authentication with shared credentials. OnePAM's database proxy adds SAML/OIDC authentication to Cassandra, providing identity-verified access and CQL command auditing without changing Cassandra configuration.

Database Security Risks

Cassandra Access Security Risks

Without identity-based database access, these risks threaten your data every day.

Shared database credentials across teams and environments
No audit trail for individual query activity
Static passwords stored in config files and environment variables
Inability to revoke access instantly when team members leave
Default port 9042 exposed without identity verification

The Challenge

Database Security Challenges

These are the risks organizations face with traditional database authentication.

Shared Credentials Across Data Centers

Cassandra roles are replicated across data centers. Shared credentials provide cluster-wide access with no individual identity.

No Native SSO

Cassandra supports internal and LDAP authentication but not SAML or OIDC for CQL connections.

Scale of Data Exposure

Cassandra clusters contain billions of records. Unauthorized access can expose massive datasets.

No CQL-Level Identity Auditing

Cassandra audit logs show the authenticated role but not the human identity behind each CQL query.

Complex Role Management

Cassandra RBAC requires managing roles across multiple data centers with manual synchronization.

Compliance Requirements

Regulatory frameworks require individual accountability for data access that shared credentials cannot provide.

Setup Guide

How OnePAM Adds SSO to Cassandra

Step-by-step guide to deploying identity-based database access.

1. Connect via OnePAM Proxy

Point your CQL client (cqlsh, DataStax DevCenter, application driver) to OnePAM's proxy.

OnePAM speaks the CQL native protocol, so it is compatible with all Cassandra clients.

2. Authenticate via Corporate IdP

OnePAM authenticates you via your corporate IdP with SAML/OIDC and MFA.

Corporate credentials replace shared Cassandra roles for human access.

3. Credential Injection

OnePAM retrieves Cassandra credentials from its vault and establishes the CQL session.

Users never handle Cassandra passwords. Credentials are scoped and rotatable.

4. CQL Logging with Identity

Every CQL query is logged with corporate identity, data center, and session metadata.

Complete audit trail for regulatory compliance.

Key Benefits

Benefits of SSO for Cassandra

What changes when you deploy identity-based database access.

Individual Accountability

Every CQL query tied to a corporate identity across all data centers.

100% identity attribution

Zero Password Exposure

No Cassandra credentials shared with developers.

Zero credential exposure

Multi-DC Access Control

Different access policies for different Cassandra data centers.

Per-DC access control

MFA on Every Connection

Enforce MFA for all Cassandra connections.

MFA enforced

Instant Deprovisioning

Disable a user and Cassandra access stops across all data centers.

Instant revocation

Compliance-Ready Auditing

Identity-verified CQL logs for SOC 2, HIPAA, and PCI DSS.

Audit-ready

SSO Features

Database SSO Features

Every feature needed for enterprise-grade database authentication.

SAML 2.0 and OIDC authentication for Cassandra
Native CQL protocol support
Works with cqlsh, DataStax tools, and any CQL driver
Keyspace-level access control
Role mapping from IdP groups
Short-lived credentials from vault
Read-only vs read-write policies
Time-limited sessions
Multi-data-center policies
Just-in-time privilege elevation

Security

Security Features

Enterprise-grade security controls for database access.

Credential vaulting with AES-256 encryption
Automatic credential rotation
CQL-level audit logging
Data masking in logs
IP allowlist enforcement
TLS encryption for all connections
No direct Cassandra port exposure
Session timeout enforcement
Anomalous query detection
SIEM integration

Real-World Scenarios

Cassandra SSO Use Cases

Common scenarios where organizations deploy OnePAM Database SSO.

1. Data engineers accessing production Cassandra with individual identity
2. SOC 2 compliance for identity-verified CQL query logs
3. HIPAA-regulated healthcare data in Cassandra with access auditing
4. DevOps teams managing Cassandra on AWS Keyspaces and DataStax Astra
5. Contractor access with time-limited, MFA-protected sessions
6. Multi-data-center access governance
7. IoT data platforms with regulatory requirements
8. Financial transaction databases with audit trail requirements

Frequently Asked Questions

SSO for Apache Cassandra FAQ

Common questions about Database SSO and query-level auditing.

Does OnePAM work with DataStax Astra and AWS Keyspaces?

Yes. OnePAM's proxy works with Apache Cassandra, DataStax Enterprise, DataStax Astra, and AWS Keyspaces.

Do I need to change Cassandra configuration?

No. OnePAM's proxy handles authentication externally. Cassandra configuration and roles remain unchanged.

Does OnePAM support Cassandra's lightweight transactions?

Yes. OnePAM proxies CQL natively. All Cassandra features including LWTs work normally through the proxy.

Can I control access per keyspace?

Yes. OnePAM policies can restrict which keyspaces and tables each user can access based on IdP groups.

Does OnePAM add latency to Cassandra queries?

OnePAM adds sub-millisecond latency per query. For Cassandra's typical workloads, this overhead is negligible.

Add SSO to Cassandra Access

Deploy OnePAM database proxy in minutes. No Cassandra configuration changes required.