Distributed SQL Database
PostgreSQL wire protocol (CockroachDB-compatible)
Query Audit

SAML/OIDC SSO for CockroachDB Access

Cockroach Labs

Add SAML/OIDC Single Sign-On to CockroachDB connections. Replace database credentials with identity-based access. Full SQL audit trail with individual accountability.

Overview

Why CockroachDB Needs Identity-Based Access

CockroachDB is a distributed SQL database designed for cloud-native applications requiring global consistency, horizontal scaling, and automatic failover. CockroachDB deployments often span multiple regions and contain business-critical transactional data. OnePAM's database proxy adds SAML/OIDC authentication to CockroachDB using PostgreSQL wire protocol compatibility. Users authenticate via your corporate IdP, and OnePAM injects short-lived credentials for each session.

Database Security Risks

CockroachDB Access Security Risks

Without identity-based database access, these risks threaten your data every day.

Shared database credentials across teams and environments
No audit trail for individual query activity
Static passwords stored in config files and environment variables
Inability to revoke access instantly when team members leave
Default port 26257 exposed without identity verification
The Challenge

Database Security Challenges

These are the risks organizations face with traditional database authentication.

Shared Credentials Across Regions

CockroachDB users and passwords are cluster-wide, so a shared credential is valid from every node in every region. One leaked password in one region opens the data in all of them, and rotating it means touching every team and every environment that uses it.

No Native SAML/OIDC

CockroachDB's own SQL authentication methods are client certificates, passwords (SCRAM-SHA-256) and, on enterprise and Cloud clusters, GSSAPI/Kerberos and JWT tokens. There is no SAML support and no browser-based OIDC login for ordinary PostgreSQL clients such as psql or DBeaver.

Multi-Region Data Sensitivity

Global CockroachDB deployments contain data subject to different regional regulations (GDPR, CCPA, PIPL).

No Query-Level Identity

CockroachDB logs show the database user but not the human identity behind each connection.

Certificate Management Complexity

CockroachDB certificate-based auth requires PKI infrastructure that most teams struggle to maintain.

Cross-Region Compliance

Different compliance requirements in different regions demand fine-grained access controls.

Setup Guide

How OnePAM Adds SSO to CockroachDB

Step-by-step guide to deploying identity-based database access.

1

Connect via OnePAM Proxy

Point your SQL client to OnePAM's proxy instead of the cluster. CockroachDB speaks the PostgreSQL wire protocol, so any PostgreSQL client works unchanged; only the host and the credentials in the URL differ.

The connection URL changes from postgresql://app_user:secret@crdb-host:26257/mydb?sslmode=verify-full to postgresql://alice@proxy-host:26257/mydb?sslmode=verify-full. The password disappears from the URL, the user becomes the corporate identity, and TLS now terminates at the proxy, so the client verifies the proxy's certificate rather than the cluster's.
2

Authenticate via Corporate IdP

OnePAM hands the login off to your corporate IdP for SAML/OIDC authentication; MFA is enforced by the IdP's policy before any database session is opened.

Users authenticate with their corporate credentials. No database-specific passwords needed.
3

Credential Injection from Vault

OnePAM retrieves CockroachDB credentials from its vault and establishes the session.

Credentials are scoped to the authenticated identity and can be rotated automatically.
4

Query Logging with Identity

Every SQL query logged with corporate identity, region, and session context.

Full audit trail showing which user queried which data in which region.
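The following is an added example sketching the proxy-side logic that steps 2 through 4 and the policy features below describe: mapping an IdP assertion to a CockroachDB role, minting a short-lived session credential, enforcing a read-only policy and region policy, and emitting an identity-stamped audit record with string literals masked. It is illustrative code written for this page, not OnePAM's implementation; the group names, role names, regions, TTL and the shape of the audit record are all assumptions. The CockroachDB statements it generates (CREATE USER ... VALID UNTIL, GRANT role TO user) are real syntax, and the sample identity and queries are constructed.

```python
"""Hypothetical proxy-side flow for SSO to CockroachDB (example code, not OnePAM's)."""
import hashlib
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed IdP group -> (CockroachDB role, access mode). Roles must already exist in the cluster.
GROUP_TO_ROLE = {
    "crdb-admins": ("crdb_admin", "read-write"),
    "crdb-eu-analysts": ("crdb_eu_readonly", "read-only"),
    "crdb-us-developers": ("crdb_us_readwrite", "read-write"),
}
# Assumed region policy: which groups may open sessions against which cluster region.
GROUP_REGIONS = {
    "crdb-admins": {"us-east1", "eu-west1"},
    "crdb-eu-analysts": {"eu-west1"},
    "crdb-us-developers": {"us-east1"},
}
SESSION_TTL = timedelta(hours=1)  # assumed time-limited session
WRITE_KEYWORDS = re.compile(
    r"^\s*(INSERT|UPDATE|DELETE|UPSERT|TRUNCATE|DROP|ALTER|CREATE|GRANT|REVOKE|IMPORT)\b", re.I)
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")  # SQL single-quoted literal, '' is an escaped quote


@dataclass
class Session:
    subject: str          # corporate identity from the SAML/OIDC assertion
    role: str             # CockroachDB role the session runs as
    mode: str             # "read-only" or "read-write"
    region: str
    db_user: str          # short-lived per-session user created in the cluster
    expires_at: datetime
    session_id: str


class PolicyError(Exception):
    pass


def open_session(subject, groups, region, now=None):
    """Choose the most privileged group that permits this region; mint a session credential."""
    now = now or datetime.now(timezone.utc)
    candidates = [g for g in groups if g in GROUP_TO_ROLE and region in GROUP_REGIONS.get(g, set())]
    if not candidates:
        raise PolicyError(f"{subject} has no group permitting access to region {region}")
    group = sorted(candidates, key=lambda g: GROUP_TO_ROLE[g][1] == "read-write", reverse=True)[0]
    role, mode = GROUP_TO_ROLE[group]
    session_id = secrets.token_hex(8)
    db_user = f"sso_{re.sub(r'[^a-z0-9]', '_', subject.lower())}_{session_id[:6]}"
    password = secrets.token_urlsafe(24)  # never shown to the human; proxy uses it on their behalf
    return Session(subject, role, mode, region, db_user, now + SESSION_TTL, session_id), password


def provision_sql(session, password):
    """CockroachDB statements the proxy would run to create the expiring session user."""
    pw = password.replace("'", "''")
    return [
        f"CREATE USER \"{session.db_user}\" WITH PASSWORD '{pw}' "
        f"VALID UNTIL '{session.expires_at.isoformat()}';",
        f"GRANT {session.role} TO \"{session.db_user}\";",
    ]


def authorize(session, sql, now=None):
    """Proxy-side check: session still valid, and read-only sessions may not issue writes."""
    now = now or datetime.now(timezone.utc)
    if now >= session.expires_at:
        raise PolicyError(f"session {session.session_id} expired")
    if session.mode == "read-only" and WRITE_KEYWORDS.match(sql):
        raise PolicyError(f"{session.subject} is read-only in {session.region}")
    return True


def audit_record(session, sql, allowed, now):
    """One SIEM-ready record: who (corporate identity), as what, where, and what (literals masked)."""
    return {
        "ts": now.isoformat(),
        "session_id": session.session_id,
        "subject": session.subject,
        "db_user": session.db_user,
        "role": session.role,
        "region": session.region,
        "query": STRING_LITERAL.sub("'***'", sql),
        "query_sha256": hashlib.sha256(sql.encode()).hexdigest(),  # correlate without exposing data
        "allowed": allowed,
    }


def handle(session, sql, now=None):
    """Authorize a statement and always emit an audit record, denied or not."""
    now = now or datetime.now(timezone.utc)
    try:
        allowed, reason = authorize(session, sql, now), None
    except PolicyError as err:
        allowed, reason = False, str(err)
    rec = audit_record(session, sql, allowed, now)
    if reason:
        rec["deny_reason"] = reason
    return rec


def demo():
    """Walk one constructed session through the flow with fixed timestamps."""
    t0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    sess, pw = open_session("alice@example.com", ["crdb-eu-analysts"], "eu-west1", now=t0)
    queries = [
        (t0 + timedelta(minutes=1), "SELECT id, total FROM orders WHERE email = 'bob@example.com'"),
        (t0 + timedelta(minutes=2), "DELETE FROM orders WHERE id = 42"),
        (t0 + timedelta(hours=2), "SELECT 1"),  # issued after the TTL has elapsed
    ]
    return sess, provision_sql(sess, pw), [handle(sess, sql, now=ts) for ts, sql in queries]


if __name__ == "__main__":
    session, statements, records = demo()
    print("\n".join(statements))
    for record in records:
        print(record)
```

Two design points worth keeping when building something like this for real. The keyword check in `authorize` is defense in depth only: a CTE such as `WITH d AS (DELETE ...)` or a function call slips past a regex, so the read-only guarantee must come from the grants on the CockroachDB role, not from the proxy. And the audit record hashes the unmasked statement so that an investigator can correlate two log lines for the same query without the log itself containing the customer data from its literals.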
Key Benefits

Benefits of SSO for CockroachDB

What changes when you deploy identity-based database access.

Individual Accountability

Every SQL query tied to a corporate identity across all CockroachDB regions.

100% identity attribution

Zero Password Exposure

No database credentials shared with developers. Vault-injected at session time.

Zero credential exposure

Region-Aware Access Control

Different access policies for different CockroachDB regions based on regulatory requirements.

Regional access control

MFA on Every Connection

Enforce MFA for all CockroachDB connections regardless of region.

MFA enforced

Instant Deprovisioning

Disable a user and access stops across all CockroachDB regions immediately.

Instant revocation

Cross-Region Audit Trail

Unified audit trail across all CockroachDB regions for global compliance.

Global audit trail
SSO Features

Database SSO Features

Every feature needed for enterprise-grade database authentication.

SAML 2.0 and OIDC authentication
PostgreSQL wire protocol compatibility
Works with cockroach sql, psql, DBeaver, and any PostgreSQL client
Multi-region access policies
Role-based access via IdP groups
Short-lived database credentials
Read-only vs read-write policies
Schema and database-level access control
Time-limited sessions
Just-in-time privilege elevation
Security

Security Features

Enterprise-grade security controls for database access.

Credential vaulting with AES-256 encryption
Automatic credential rotation
Query-level audit logging
Data masking in logs
IP allowlist enforcement
TLS encryption for all connections
No direct port exposure
Session timeout enforcement
Anomalous query detection
SIEM integration
Real-World Scenarios

CockroachDB SSO Use Cases

Common scenarios where organizations deploy OnePAM Database SSO.

1
Engineering teams accessing multi-region CockroachDB with individual identity
2
SOC 2 compliance requiring identity-verified query logs
3
GDPR-regulated access to EU-region CockroachDB data
4
Contractor access with time-limited, MFA-protected sessions
5
DevOps teams managing CockroachDB Cloud and self-hosted clusters
6
Cross-region data access governance for global organizations
7
Database migration projects with temporary access provisioning
8
Multi-tenant applications with per-tenant access policies
Frequently Asked Questions

SSO for CockroachDB FAQ

Common questions about Database SSO and query-level auditing.

Does OnePAM work with CockroachDB Cloud?

Yes. OnePAM's proxy works with CockroachDB Dedicated, CockroachDB Serverless, and self-hosted CockroachDB clusters.

Does OnePAM use PostgreSQL protocol for CockroachDB?

Yes. CockroachDB uses PostgreSQL wire protocol. OnePAM's PostgreSQL proxy works natively with CockroachDB.

Can I enforce region-specific access policies?

Yes. OnePAM can route users to specific CockroachDB regions based on IdP groups and enforce different access policies per region.

Does OnePAM support CockroachDB's multi-region tables?

Yes. OnePAM provides identity-based access control at the connection level. CockroachDB's multi-region table features work normally through the proxy.

What about CockroachDB's built-in RBAC?

OnePAM complements CockroachDB's RBAC by adding SSO, MFA, and identity-verified audit trails. CockroachDB roles map to IdP groups via OnePAM.

Add SSO to CockroachDB Access

Deploy OnePAM database proxy in minutes. Works with CockroachDB's PostgreSQL-compatible protocol.