Configuring Dataedo with Duo

This guide walks you through setting up Dataedo to work with a SAML identity provider. We'll use Duo as an example, but the steps are similar for other providers.

Initial configuration in Duo Admin Portal

Caution: Before proceeding, ensure your organization has Duo Single Sign-On (SSO) configured. For setup instructions, see the documentation: How to Use Duo Single Sign-On (SSO).

  1. Open the Duo Admin Portal.

  2. Select Applications and click Protect an Application.

  3. In the filter box, type "Generic SAML" and click Protect next to Generic SAML Service Provider.

  4. The Configuration page will appear. Under Basic Configuration, enter your Application name and choose the User Access settings according to your organization's security policy.

  5. Proceed to the Metadata section. Copy the Metadata URL. You'll use this later.

  6. Continue to the Service Provider section.

    • In the Metadata Discovery field select None (manual input).

    • In the Entity ID field, enter a unique identifier (e.g., the address of your Dataedo Portal). You'll use this value later.

    • In the Assertion Consumer Service (ACS) URL field, enter the Dataedo Portal URL followed by /api/api/auth/assertion-consumer.
      Example: https://your-dataedo-web.address/api/api/auth/assertion-consumer.

  7. Click Save to apply your settings.

Configuring group roles in Duo (optional)

You can include group information in the SAML assertion by using role attributes. This allows you to map Duo groups to specific roles in Dataedo.

  1. Scroll to the SAML Response section of your Duo application settings and expand the Role attributes panel.

  2. Fill in the fields:

    • Attribute name: "Group"
    • Service Provider Role: type the role you want to assign (e.g., Editor)
    • Duo Groups: select the group whose members should receive that role
  3. Make sure the appropriate users are members of the selected Duo group:

    • Navigate to Users > Groups
    • Confirm correct membership for each user

Configuring SAML in Dataedo Portal UI (version 25.2+)

Starting with version 25.2, you can configure SAML identity providers directly in the Portal interface. You no longer need to edit appsettings.json. All settings are now stored in the database and are preserved during upgrades.

Step 1 – Open Login Options in System Settings

  1. In the Portal, go to Settings > System Settings > Login options.
  2. Expand the SSO Service (SAML) section.
  3. Toggle Enable login method to activate SAML login. The toggle appears blue when active.

Step 2 – Add or Edit a SAML Identity Provider

  1. Under Configured SAML providers, you will see a list of existing providers (if any).
  2. To add a new one, click Add SAML.
  3. Fill in the fields with values from your identity provider (for example, Azure AD):
    • Display name – for example, Azure_AD.
    • IdP Metadata – metadata URL or file path.
    • Issuer – from your provider's SAML configuration.
    • Signature algorithm – for example, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
    • Certificate validation mode – for example, ChainTrust.
  4. Click Save to store your provider configuration.

Step 3 – Test the Login Option

Once configured, the login screen will display an option to log in via the added SAML provider.

Clicking this will redirect the user to the identity provider login page. Upon successful authentication, users are redirected back to the Portal.

Synchronizing User Groups via SAML

Dataedo Portal can automatically assign users to groups based on their group membership in the identity provider (such as Azure AD). This simplifies access management since group membership is maintained externally, and roles are assigned dynamically during login.

Step 1 – Configure Group Claims in Azure AD

To pass group information through SAML:

  1. In Azure Portal, open your application and go to Single sign-on > Attributes & Claims.
  2. Click Edit, then Add a group claim.
  3. Configure it to:
    • Use Name as the format.
    • Filter by assigned groups (or all groups, if preferred).
    • Set the claim name to "Group".

Make sure users are assigned to groups in Azure AD that reflect their roles in Dataedo Portal.

Step 2 – Enable Group Synchronization in the Portal

  1. Go to User Management > Groups and either create a new group or open an existing one.
  2. In the Settings tab:
    • Optionally enable Automatically assign group to each new user.
    • Enable Synchronize with SAML.
    • Select the correct SAML provider.
    • Enter the group name from your identity provider that should map to this Portal group.

Step 3 – Assign Roles to the Group

  1. Go to the Permissions tab of the group.
  2. Click Add Role, and:
    • Select the scope (e.g., a specific repository or domain).
    • Choose the appropriate role (e.g., Viewer, Admin).
  3. Save your changes.

Once this is set up, group membership changes in Azure AD will automatically apply the correct roles the next time a user logs in.
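
To check what the identity provider actually sends for the "Group" attribute configured in the Duo role attributes and Azure AD group claim steps above, this added example (not Dataedo code) decodes a SAMLResponse form value captured from your own test login and compares it with the IdP group name entered in the Portal. The sample response, the function names, and the exact case-sensitive comparison are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM = "Group"  # attribute name configured in Duo / Azure AD per this guide

def attributes(saml_response_b64):
    """Decode an HTTP-POST SAMLResponse value into {attribute name: [values]}.
    Inspection aid only: it verifies no signature and must not gate access."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        found.setdefault(attr.get("Name", ""), []).extend(values)
    return found

def diagnose(attrs, idp_group_name):
    """Return (status, hints) for a Portal group synchronized with idp_group_name.
    Assumes exact, case-sensitive comparison (an assumption, not documented here)."""
    if CLAIM not in attrs:
        # Claim sent under another name, e.g. "group", "Groups" or a default claim URI
        return "claim-missing", [n for n in attrs if n.lower().rstrip("s").endswith("group")]
    if idp_group_name in attrs[CLAIM]:
        return "match", []
    # Claim present but value differs; hint at values that differ only by case
    return "no-match", [v for v in attrs[CLAIM] if v.lower() == idp_group_name.lower()]

def wrap(attribute_xml):
    """Build a constructed, unsigned SAMLResponse around one <saml:Attribute>."""
    doc = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           f'<saml:AttributeStatement>{attribute_xml}</saml:AttributeStatement>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(doc.encode())

# Constructed sample: what a member of a Duo group mapped to "Editor" might receive
SAMPLE = wrap('<saml:Attribute Name="Group"><saml:AttributeValue>Editor</saml:AttributeValue>'
              '<saml:AttributeValue>Data_Stewards</saml:AttributeValue></saml:Attribute>')

if __name__ == "__main__":
    attrs = attributes(SAMPLE)
    print(attrs)
    for name in ("Editor", "editor", "Viewer"):
        print(name, diagnose(attrs, name))
```

A "claim-missing" result with a hint usually means the claim name in the IdP was not set to "Group"; a "no-match" result with a hint means the name entered in the Portal group differs from the IdP value only by case.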

Configuring SAML in Dataedo Portal Docker image

  1. Open the .env file (located in the same folder as docker-compose.yml) and find the Single Sign-On section:

    # Single Sign On Configuration
    # Add the following settings to your environment file.

    # Paste the Metadata URL copied from Duo Admin Portal or the file path to the metadata XML.
    # Example: https://sso-a06d2d5e.sso.duosecurity.com/saml2/sp/DI7SDPCIHNSN9MOYP7QK/metadata
    DATAEDO_SSO_IDP_METADATA="https://sso-a06d2d5e.sso.duosecurity.com/saml2/sp/DI7SDPCIHNSN9MOYP7QK/metadata"

    # Enter the Entity ID configured in Duo Admin Portal.
    # Example: Dataedo_PT_VM
    DATAEDO_SSO_ISSUER="Dataedo_PT_VM"

    # Default: RSA_SHA256. Change if using another signature algorithm.
    # For RSA_SHA1, use http://www.w3.org/2001/04/xmldsig-more#rsa-sha1
    DATAEDO_SSO_SIGNATURE_ALGORITHM=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

    # Certificate validation mode. Default is ChainTrust.
    DATAEDO_SSO_CERTIFICATE_VALIDATION_MODE=ChainTrust

    # Revocation mode. Default is NoCheck.
    DATAEDO_SSO_REVOCATION_MODE=NoCheck

    # Enter the display name shown during login.
    # Example: Duo_Security (no blank spaces, use underscores if needed)
    DATAEDO_SSO_DISPLAY_NAME="Duo_Security"

    # Enter your Dataedo Web address.
    # Example: https://yourwebsite.com/
    DATAEDO_SSO_CLIENT_URL="https://yourwebsite.com/"

  2. Save the .env file and restart the Docker containers by running the following command:

    docker-compose down && docker-compose up -d
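
A pre-restart check for the Single Sign-On block of the .env file, as an added example that is not part of Dataedo: it parses the file and reports settings worth reviewing (SHA-1 signature algorithm, unchecked revocation, non-HTTPS URLs, spaces in the display name). The function names and the sample values are constructed for illustration.

```python
from urllib.parse import urlparse

def parse_env(text):
    """Read KEY=VALUE lines; skip blank lines and full-line comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("\"'")
    return env

def lint_sso(env):
    """Return (key, message) findings for the DATAEDO_SSO_* settings in this guide."""
    findings = []
    meta = env.get("DATAEDO_SSO_IDP_METADATA", "")
    if not meta:
        findings.append(("DATAEDO_SSO_IDP_METADATA", "missing"))
    elif urlparse(meta).scheme == "http":
        findings.append(("DATAEDO_SSO_IDP_METADATA", "metadata over plain HTTP can be tampered with"))
    if not env.get("DATAEDO_SSO_ISSUER"):
        findings.append(("DATAEDO_SSO_ISSUER", "missing; must equal the Entity ID set in the IdP"))
    if env.get("DATAEDO_SSO_SIGNATURE_ALGORITHM", "").lower().endswith("sha1"):
        findings.append(("DATAEDO_SSO_SIGNATURE_ALGORITHM", "SHA-1 signatures are deprecated; use rsa-sha256"))
    # The guide states NoCheck is the default, so an unset value is treated the same.
    if env.get("DATAEDO_SSO_REVOCATION_MODE", "NoCheck") == "NoCheck":
        findings.append(("DATAEDO_SSO_REVOCATION_MODE", "revocation of the IdP signing certificate is not checked"))
    if any(c.isspace() for c in env.get("DATAEDO_SSO_DISPLAY_NAME", "")):
        findings.append(("DATAEDO_SSO_DISPLAY_NAME", "contains spaces; use underscores"))
    if urlparse(env.get("DATAEDO_SSO_CLIENT_URL", "")).scheme != "https":
        findings.append(("DATAEDO_SSO_CLIENT_URL", "Portal address should be an https:// URL"))
    return findings

# Constructed sample, not a real deployment.
SAMPLE = """\
DATAEDO_SSO_IDP_METADATA="http://idp.example.invalid/saml2/metadata"
DATAEDO_SSO_ISSUER="Dataedo_Test"
DATAEDO_SSO_SIGNATURE_ALGORITHM=http://www.w3.org/2001/04/xmldsig-more#rsa-sha1
DATAEDO_SSO_CERTIFICATE_VALIDATION_MODE=ChainTrust
DATAEDO_SSO_REVOCATION_MODE=NoCheck
DATAEDO_SSO_DISPLAY_NAME="Duo Security"
DATAEDO_SSO_CLIENT_URL="https://portal.example.invalid/"
"""

if __name__ == "__main__":
    for key, msg in lint_sso(parse_env(SAMPLE)):
        print(f"{key}: {msg}")
```

To check a real file, pass its contents to `parse_env`, for example `lint_sso(parse_env(open(".env").read()))`.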

Testing the SAML integration

  1. Open the Dataedo Portal login page in your browser.
  2. You'll see the option to log in with your configured SAML provider (Duo Security).
  3. Log in using a user account managed by your Duo configuration.
  4. Verify successful login and access to the Dataedo Portal.

With these steps, you've successfully configured Duo as a SAML Identity Provider for Dataedo!

Need help?

If you run into any problems or have questions, reach out to Dataedo support.
