Authenticating Dataedo Portal with Azure AD

This guide will walk you through the process of configuring Dataedo to integrate with Azure AD as the Identity Provider.

Initial configuration in Azure Portal part 1

  1. Open Azure Portal and go to Enterprise Applications. Choose the New application option:

    New application option in Azure Portal
  2. In the next tab, choose the Create your own application option:

    Create your own application option in Azure Portal
  3. In the new tab, type in the application name for your internal use (for example, "Dataedo Portal") and click Create.

    Entering application name in Azure Portal
  4. You'll see a new application screen. In the Getting started section, choose Assign users and groups.

    Assign users and groups option in Azure Portal
  5. Use the Add user/group option to add a user.

    Add user or group in Azure Portal

Configuring group claims in Azure AD (optional)

The steps in this section are optional. Decide whether you want to take them, and then continue with the next section to finish your configuration.

You can include user group information in the SAML response to assign roles in Dataedo Portal based on group membership.

  1. In your application, go to Single sign-on > Attributes & Claims, then click Edit.

  2. Select Add a group claim.

  3. Configure the group claim:

    • In the Name field, type "Group"
    • Under Which groups associated with the user?, choose either:
      • All groups (includes all group memberships)
      • Or filter by Groups assigned to the application
    • Under ID format, select Name for human-readable names (recommended)
    • Optionally, include groups assigned through security groups or directory roles
    Add group claim
    Group claim options
    Group claim saved
  4. Save your changes and verify that groups are correctly assigned under Users and groups.

Initial configuration in Azure Portal part 2

  1. In the menu to the left, choose Single Sign-on, then from the options to the right, choose SAML.

    Selecting SAML under Single Sign-on in Azure Portal
  2. Click Edit in the Basic SAML Configuration section.

    Editing Basic SAML Configuration in Azure Portal
  3. A new tab will open:

    Basic SAML Configuration tab in Azure Portal
  4. In the Identifier field, paste the address Dataedo Portal will be accessed with from your organization. Note that only HTTPS addresses are allowed.

    Entering the Identifier field in SAML configuration
  5. In the Reply URL section, type in the address your Dataedo Portal will be accessed on followed by /api/api/auth/assertion-consumer (for example https://your-Dataedo-Web.address/api/api/auth/assertion-consumer).

    Entering the Reply URL in SAML configuration
  6. Click Save. The tab will now look like this:

    Saved SAML configuration in Azure Portal
  7. Back in the Set up Single Sign-On with SAML tab on the left, find the SAML Signing Certificate section.

    Finding the SAML Signing Certificate section in Azure Portal
  8. Copy the address marked as App Federation Metadata Url - you will need it later.

Configuring SAML in Dataedo Portal UI (version 25.2+)

Starting with version 25.2, you can configure SAML identity providers directly in the Portal interface. You no longer need to edit appsettings.json. All settings are now stored in the database and are preserved during upgrades.

Step 1 – Open Login Options in System Settings

  1. In the Portal, go to Settings > System Settings > Login options.
  2. Expand the SSO Service (SAML) section.
  3. Toggle Enable login method to activate SAML login. The toggle appears blue when active.
Enable login method toggle

Step 2 – Add or Edit a SAML Identity Provider

  1. Under Configured SAML providers, you will see a list of existing providers (if any).
  2. To add a new one, click Add SAML.
Add SAML button
  3. Fill in the fields with values from your identity provider (for example, Azure AD):
    • Display name – for example, Azure_AD.
    • IdP Metadata – metadata URL or file path.
    • Issuer – from your provider's SAML configuration.
    • Signature algorithm – for example, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
    • Certificate validation mode – for example, ChainTrust.
SAML configuration form
  4. Click Save to store your provider configuration.

Step 3 – Test the Login Option

Once configured, the login screen will display an option to log in via the added SAML provider.

Clicking this will redirect the user to the identity provider login page. Upon successful authentication, users are redirected back to the Portal.

Synchronizing User Groups via SAML

Dataedo Portal can automatically assign users to groups based on their group membership in the identity provider (such as Azure AD). This simplifies access management since group membership is maintained externally, and roles are assigned dynamically during login.

Step 1 – Configure Group Claims in Azure AD

To pass group information through SAML:

  1. In Azure Portal, open your application and go to Single sign-on > Attributes & Claims.
  2. Click Edit, then Add a group claim.
  3. Configure it to:
    • Use Name as the format.
    • Filter by assigned groups (or all groups, if preferred).
    • Set the claim name to "Group".

Make sure users are assigned to groups in Azure AD that reflect their roles in Dataedo Portal.

Step 2 – Enable Group Synchronization in the Portal

  1. Go to User Management > Groups and either create a new group or open an existing one.
  2. In the Settings tab:
    • Optionally enable Automatically assign group to each new user.
    • Enable Synchronize with SAML.
    • Select the correct SAML provider.
    • Enter the group name from your identity provider that should map to this Portal group.
Group mapping with SAML

Step 3 – Assign Roles to the Group

  1. Go to the Permissions tab of the group.
  2. Click Add Role, and:
    • Select the scope (e.g., a specific repository or domain).
    • Choose the appropriate role (e.g., Viewer, Admin).
  3. Save your changes.
Assign role to synchronized group

Once this is set up, group membership changes in Azure AD will automatically apply the correct roles the next time a user logs in.
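
The group mapping above, and the optional group claim set up earlier in this guide, can be checked against a decoded SAML response before any roles depend on it. This is an added example, not Dataedo's code: the sample AttributeStatement, the group names and the PORTAL_GROUPS mapping are constructed, and exact string matching between the claim value and the mapped name is an assumption.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed AttributeStatement, as it might appear in a decoded SAML response.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="Group">
    <saml:AttributeValue>Data-Stewards</saml:AttributeValue>
    <saml:AttributeValue>Finance-Analysts</saml:AttributeValue>
    <saml:AttributeValue>00000000-1111-2222-3333-444444444444</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Hypothetical mapping: IdP group name entered in a Portal group's Settings tab
# -> that Portal group. Both sides are made-up names.
PORTAL_GROUPS = {"Data-Stewards": "Stewards", "Catalog-Admins": "Admins"}

def group_claims(xml_text, claim_name="Group"):
    """Return every value of the group claim (named "Group" in this guide)."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        if attr.get("Name") == claim_name:
            values += [(v.text or "").strip()
                       for v in attr.findall("saml:AttributeValue", NS)]
    return values

def review(xml_text, mapping):
    """Compare emitted group claims with the groups the Portal is mapped to."""
    claims = group_claims(xml_text)
    return {
        # Portal groups (and their roles) this login would receive.
        "assigned": sorted(mapping[g] for g in claims if g in mapping),
        # Object-ID-shaped values: the claim's ID format is not emitting names,
        # so a name-based mapping cannot match them.
        "object_ids": [g for g in claims if GUID.match(g)],
        # Names sent by the IdP that no Portal group is mapped to.
        "unmapped": [g for g in claims if g not in mapping and not GUID.match(g)],
        # Mapped names absent from this response (typo, or user not a member).
        "never_seen": sorted(set(mapping) - set(claims)),
    }

if __name__ == "__main__":
    for label, items in review(SAMPLE, PORTAL_GROUPS).items():
        print(f"{label}: {items}")
```

Run it against the AttributeStatement of a test user's response; this only inspects claim values and does not validate the response signature.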

Configuring SAML in Dataedo Portal Docker image

Follow this section for Portal running from a Docker image.

  1. Open the .env file, which should be located in the same folder as the docker-compose.yml file, and find the Single Sign-On section:

    Single sign-on configuration in docker-compose.yml
    # This sample contains inline comments for explanation purposes.
    # Remove all comments (#) before using this configuration in your environment.

    # Paste the App Federation Metadata URL here, or the path to the metadata XML file.
    DATAEDO_SSO_IDP_METADATA="https://login.microsoftonline.com/b411bcba-01b1-4de5-9fa1-45272da91a0c/federationmetadata/2007-06/federationmetadata.xml?appid=db0e60a2-0f7b-4a61-939a-56fbae2d8b8c"
    # Paste the Identifier from Azure's Basic SAML Configuration > Identifier field here.
    DATAEDO_SSO_ISSUER="https://yourwebsite.com/"
    # Set the signature algorithm. Default is RSA_SHA256.
    # For example, for RSA_SHA1 use: http://www.w3.org/2001/04/xmldsig-more#rsa-sha1
    DATAEDO_SSO_SIGNATURE_ALGORITHM=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    # Certificate validation mode. Default is ChainTrust.
    DATAEDO_SSO_CERTIFICATE_VALIDATION_MODE=ChainTrust
    # Revocation mode. Default is NoCheck.
    DATAEDO_SSO_REVOCATION_MODE=NoCheck
    # Fill in the display name for the Identity Provider.
    # Use underscores (_) instead of spaces (e.g., My_Identity_Provider).
    DATAEDO_SSO_DISPLAY_NAME="My_identity_provider"
    # Make sure this URL points to your Dataedo Portal application address.
    DATAEDO_SSO_CLIENT_URL="https://yourwebsite.com/"

  2. Update your Docker Compose with the following command:

    docker-compose up -d
  3. When you open Dataedo Portal, you'll see an option to log in with Azure AD.

  4. Clicking it will either take you to the Azure login page or, if you're already logged in, directly to your Dataedo Portal page.
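
A pre-deployment check of the Single Sign-On section of the .env file, run before `docker-compose up -d`. This is an added example, not part of Dataedo: the variable names come from the sample above, while the findings (plain-HTTP URLs, leftover comments or placeholder hosts, a SHA-1 signature algorithm, revocation left at NoCheck, spaces in the display name) are a reviewer's checklist, and the sample values are constructed.

```python
from urllib.parse import urlparse

# Constructed sample .env section with deliberate problems (IDs are placeholders).
SAMPLE_ENV = """\
# leftover explanatory comment
DATAEDO_SSO_IDP_METADATA="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/federationmetadata/2007-06/federationmetadata.xml?appid=11111111-1111-1111-1111-111111111111"
DATAEDO_SSO_ISSUER="http://portal.example.com/"
DATAEDO_SSO_SIGNATURE_ALGORITHM=http://www.w3.org/2001/04/xmldsig-more#rsa-sha1
DATAEDO_SSO_CERTIFICATE_VALIDATION_MODE=ChainTrust
DATAEDO_SSO_REVOCATION_MODE=NoCheck
DATAEDO_SSO_DISPLAY_NAME="My identity provider"
DATAEDO_SSO_CLIENT_URL="https://yourwebsite.com/"
"""
REQUIRED = ("IDP_METADATA ISSUER SIGNATURE_ALGORITHM CERTIFICATE_VALIDATION_MODE "
            "REVOCATION_MODE DISPLAY_NAME CLIENT_URL").split()

def parse_env(text):
    """Return (settings, comment_count) for the DATAEDO_SSO_* lines."""
    settings, comments = {}, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("#"):
            comments += 1
        elif line.startswith("DATAEDO_SSO_") and "=" in line:
            key, value = line.split("=", 1)
            # A '#' inside the value (the algorithm URI fragment) is data.
            settings[key[len("DATAEDO_SSO_"):]] = value.strip().strip('"')
    return settings, comments

def lint(text):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    cfg, comments = parse_env(text)
    findings = [f"missing:{k}" for k in REQUIRED if k not in cfg]
    if comments:  # the sample says to remove all comments before use
        findings.append("comments-present")
    for key in ("IDP_METADATA", "ISSUER", "CLIENT_URL"):
        url = urlparse(cfg.get(key, ""))
        if url.scheme == "http":  # a metadata file path has no scheme and passes
            findings.append(f"not-https:{key}")
        if url.hostname == "yourwebsite.com":  # placeholder from the sample
            findings.append(f"placeholder:{key}")
    if cfg.get("SIGNATURE_ALGORITHM", "").lower().endswith("sha1"):
        findings.append("weak-signature-sha1")
    if cfg.get("REVOCATION_MODE") == "NoCheck":  # revoked certs go unnoticed
        findings.append("revocation-not-checked")
    if " " in cfg.get("DISPLAY_NAME", ""):  # guide: use underscores, not spaces
        findings.append("display-name-has-spaces")
    return findings
```

`lint(open(".env").read())` returns the findings for a real file; `revocation-not-checked` also fires on the documented default, so treat it as a reminder rather than an error.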

Need help?

If you run into any problems or have questions, reach out to Dataedo support.
