Skip to main content

Authenticating Dataedo Portal with Google Workspace

This guide will show you how to set up Dataedo to work with a SAML identity provider. In this example, we'll use Google Workspace as the Identity Provider (IdP), but the steps are similar for other providers.

Initial Configuration in Google Admin Portal

  1. Open the Google Admin Portal.

    • Navigate to Apps > Web and mobile apps.
    • Click Add app > Add custom SAML app.
    Google Admin Portal

  2. In the new tab, type a name for the application (for example, "Dataedo Portal") and click Continue.

    Custom SAML App Name

  3. On the next page, click DOWNLOAD METADATA to save the metadata file for later use, then click Continue.

    Download Metadata

  4. Configure the following fields:

    • ACS URL: Enter the Dataedo Portal URL followed by /api/api/auth/assertion-consumer (e.g., https://your-dataedo-web.address/api/api/auth/assertion-consumer).
    • Entity ID: Choose a unique identifier without spaces or special characters (e.g., DataedoPortal). Save this value for later use.
    Configure ACS URL and Entity ID

  5. Leave the last page fields empty and click Finish.

  6. Assign access:

    • Go to User access.
    • Assign the users or groups allowed to log in to Dataedo Portal using Google SAML.
    Assign User Access

Configuring Group Attribute Mapping in Google Workspace (Optional)

  1. In the Google Admin Console, open the app and go to SAML attribute mapping.
SAML attribute mapping
  1. Under Group membership, set:
  • Google Groups: Select the groups to include in the SAML response
    Note: Group membership is only sent if the user belongs to at least one selected group.
  • App attribute: Enter "Group"
Group membership settings

  1. Click Save.

  2. In the Admin Console menu, go to Directory > Groups.

  3. Verify that users are correctly assigned to the groups linked to the app.

Google group membership

Configuring SAML in Dataedo Portal UI (version 25.2+)

Starting with version 25.2, you can configure SAML identity providers directly in the Portal interface. You no longer need to edit appsettings.json. All settings are now stored in the database and are preserved during upgrades.

Step 1 – Open Login Options in System Settings

  1. In the Portal, go to Settings > System Settings > Login options.
  2. Expand the SSO Service (SAML) section.
  3. Toggle Enable login method to activate SAML login. The toggle appears blue when active.
Enable login method toggle

Step 2 – Add or Edit a SAML Identity Provider

  1. Under Configured SAML providers, you will see a list of existing providers (if any).
  2. To add a new one, click Add SAML.
Add SAML button
  1. Fill in the fields with values from your identity provider (for example, Entra ID):
    • Display name – for example, Azure_AD.
    • IdP Metadata – metadata URL or file path.
    • Issuer – from your provider's SAML configuration.
    • Signature algorithm – for example, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
    • Certificate validation mode – for example, ChainTrust.
SAML configuration form
  1. Click Save to store your provider configuration.

Step 3 – Test the Login Option

Once configured, the login screen will display an option to log in via the added SAML provider.

Clicking this will redirect the user to the identity provider login page. Upon successful authentication, users are redirected back to the Portal.

Synchronizing User Groups via SAML

Dataedo Portal can automatically assign users to groups based on their group membership in the identity provider (such as Entra ID). This simplifies access management since group membership is maintained externally, and roles are assigned dynamically during login.

Step 1 – Configure Group Claims in Entra ID (Azure AD)

To pass group information through SAML:

  1. In Azure Portal, open your application and go to Single sign-on > Attributes & Claims.
  2. Click Edit, then Add a group claim.
  3. Configure it to:
    • Use Name as the format.
    • Filter by assigned groups (or all groups, if preferred).
    • Set the claim name to "Group".

Make sure users are assigned to groups in Entra ID (Azure AD) that reflect their roles in Dataedo Portal.

Step 2 – Enable Group Synchronization in Portal

warning

The Synchronize with SAML and Automatically assign group to each new user options cannot be simultaneously applied to the same user group. These two options directly contradict each other.

  1. Navigate to User Management>Groups and either create a new group or open an existing one.
  2. In the Settings tab:
    • Enable Synchronize with SAML [1]
    • Select the correct SAML provider from a drop down [2]
    • Enter the group name from your identity provider that should map to this Portal group [3]
Group mapping with SAML

Step 3 – Assign Roles to the Group

Open the group's Permissions tab and click Add Role

Assign role to synchronized group

A popup will appear. You have to provide:

  • The scope [1] — the scope defines where the role permissions will apply. Should this User Group have editor privileges in the entire repository or just select Domains or Data Sources?
  • The role [2] — the type of role you want to give to this user group. Each role comes with different permissions.

After you define the role and its scope, save it using the Add [3] button.

Assign role to synchronized group

Once this is set up, group membership changes in Entra ID (Azure ID) will automatically apply the correct roles the next time a user logs in.

Configuring SAML in Dataedo Portal (Docker)

Update .env

  1. Open the .env file located alongside the docker-compose.yml file.

  2. Update the Single Sign-On section:

    Single sign-on configuration in docker-compose.yml
    # This sample contains inline comments for explanation purposes.
    # Remove all comments (#) before using this configuration in your environment.

    # Enter the path for the metadata XML file saved on your machine.
    DATAEDO_SSO_IDP_METADATA="/opt/dataedo/idpmetadata/GoogleIDPMetadata.xml"

    # Paste the Entity ID field from Google Admin Portal.
    # This value can be found in Service provider details > Entity ID.
    DATAEDO_SSO_ISSUER="GoogleSAMLDataedo"

    # Specify the signature algorithm. Default is RSA_SHA256.
    # For RSA_SHA1, use http://www.w3.org/2001/04/xmldsig-more#rsa-sha1.
    DATAEDO_SSO_SIGNATURE_ALGORITHM=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

    # Certificate validation mode. Default is ChainTrust.
    DATAEDO_SSO_CERTIFICATE_VALIDATION_MODE=ChainTrust

    # Revocation mode. Default is NoCheck.
    DATAEDO_SSO_REVOCATION_MODE=NoCheck

    # Enter the display name shown when logging in.
    # This value cannot contain spaces. Use underscores (_) instead if needed.
    DATAEDO_SSO_DISPLAY_NAME="GoogleSAML"

    # Ensure this URL points to your Dataedo Portal application address.
    DATAEDO_SSO_CLIENT_URL="https://yourwebsite.com/"

  3. Restart the Docker container:

    docker-compose up -d

  4. If you open Dataedo Portal, you'll see the option to login with Google:

    Google Login Option

Clicking it will take you to the Google login page or directly to your Dataedo Portal page if you're already logged in.

Need help?

If you run into any problems or have questions, reach out to Dataedo support.

On this page
Questions?
If you have any questions or need assistance, feel free to reach out to the Dataedo support team.
Dataedo support
Dataedo is an end-to-end data governance solution for mid-sized organizations.
Data Lineage • Data Quality • Data Catalog
Release notesArchiveRoadmapSupport
LinkedInYouTube