
Authenticating Dataedo Portal with Google Workspace

This guide will show you how to set up Dataedo to work with a SAML identity provider. In this example, we'll use Google Workspace as the Identity Provider (IdP), but the steps are similar for other providers.

Initial Configuration in Google Admin Portal

  1. Open the Google Admin Portal.

    • Navigate to Apps > Web and mobile apps.
    • Click Add app > Add custom SAML app.
  2. In the new tab, type a name for the application (for example, "Dataedo Portal") and click Continue.

  3. On the next page, click DOWNLOAD METADATA to save the metadata file for later use, then click Continue.

  4. Configure the following fields:

    • ACS URL: Enter the Dataedo Portal URL followed by /api/api/auth/assertion-consumer (e.g., https://your-dataedo-web.address/api/api/auth/assertion-consumer).
    • Entity ID: Choose a unique identifier without spaces or special characters (e.g., DataedoPortal). Save this value for later use.
  5. Leave the last page fields empty and click Finish.

  6. Assign access:

    • Go to User access.
    • Assign the users or groups allowed to log in to Dataedo Portal using Google SAML.

Configuring Group Attribute Mapping in Google Workspace (Optional)

  1. In the Google Admin Console, open the app and go to SAML attribute mapping.
  2. Under Group membership, set:
    • Google Groups: Select the groups to include in the SAML response.
      Note: Group membership is only sent if the user belongs to at least one selected group.
    • App attribute: Enter "Group".
  3. Click Save.

  4. In the Admin Console menu, go to Directory > Groups.

  5. Verify that users are correctly assigned to the groups linked to the app.

Configuring SAML in Dataedo Portal UI (version 25.2+)

Starting with version 25.2, you can configure SAML identity providers directly in the Portal interface. You no longer need to edit appsettings.json. All settings are now stored in the database and are preserved during upgrades.

Step 1 – Open Login Options in System Settings

  1. In the Portal, go to Settings > System Settings > Login options.
  2. Expand the SSO Service (SAML) section.
  3. Toggle Enable login method to activate SAML login. The toggle appears blue when active.

Step 2 – Add or Edit a SAML Identity Provider

  1. Under Configured SAML providers, you will see a list of existing providers (if any).
  2. To add a new one, click Add SAML.
  3. Fill in the fields with values from your identity provider (for example, Azure AD):
    • Display name – for example, Azure_AD.
    • IdP Metadata – metadata URL or file path.
    • Issuer – from your provider's SAML configuration.
    • Signature algorithm – for example, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
    • Certificate validation mode – for example, ChainTrust.
  4. Click Save to store your provider configuration.

Step 3 – Test the Login Option

Once configured, the login screen will display an option to log in via the added SAML provider.

Clicking this will redirect the user to the identity provider login page. Upon successful authentication, users are redirected back to the Portal.

Synchronizing User Groups via SAML

Dataedo Portal can automatically assign users to groups based on their group membership in the identity provider (such as Azure AD). This simplifies access management since group membership is maintained externally, and roles are assigned dynamically during login.

Step 1 – Configure Group Claims in Azure AD

To pass group information through SAML:

  1. In Azure Portal, open your application and go to Single sign-on > Attributes & Claims.
  2. Click Edit, then Add a group claim.
  3. Configure it to:
    • Use Name as the format.
    • Filter by assigned groups (or all groups, if preferred).
    • Set the claim name to "Group".

Make sure users are assigned to groups in Azure AD that reflect their roles in Dataedo Portal.

Step 2 – Enable Group Synchronization in the Portal

  1. Go to User Management > Groups and either create a new group or open an existing one.
  2. In the Settings tab:
    • Optionally enable Automatically assign group to each new user.
    • Enable Synchronize with SAML.
    • Select the correct SAML provider.
    • Enter the group name from your identity provider that should map to this Portal group.

Step 3 – Assign Roles to the Group

  1. Go to the Permissions tab of the group.
  2. Click Add Role, and:
    • Select the scope (e.g., a specific repository or domain).
    • Choose the appropriate role (e.g., Viewer, Admin).
  3. Save your changes.

Once this is set up, group membership changes in Azure AD will automatically apply the correct roles the next time a user logs in.
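When a synchronized group does not pick up a user, the first thing to check is which "Group" values the identity provider actually sent, as configured in the Google attribute mapping and the Azure AD group claim above. The following is an added example, not Dataedo code: it reads a captured base64 SAMLResponse and lists those values. The sample response, the group names and the Portal mapping are constructed, and exact string matching of names is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (unsigned, trimmed to the parts read here).
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>data-stewards</saml:AttributeValue>
      <saml:AttributeValue>bi-analysts</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()

def group_values(saml_response_b64, attribute_name="Group"):
    """List the values of the group attribute in a base64 SAMLResponse.

    Diagnostic only: the signature is not verified, so never use the
    result for an access decision.
    """
    xml = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD or entity declaration in SAML response")
    values = []
    path = ".//saml:AttributeStatement/saml:Attribute"
    for attr in ET.fromstring(xml).iterfind(path, NS):
        if attr.get("Name") == attribute_name:
            values += [(v.text or "").strip()
                       for v in attr.iterfind("saml:AttributeValue", NS)]
    return values

def unmatched_mappings(sent, portal_mappings):
    """Portal group -> IdP group name pairs that the response did not carry.

    Exact string comparison is an assumption about how names are matched.
    """
    return {p: g for p, g in portal_mappings.items() if g not in set(sent)}

if __name__ == "__main__":
    sent = group_values(SAMPLE_B64)
    # Hypothetical Portal groups mapped to IdP group names.
    mapping = {"Data Stewards": "data-stewards", "Catalog Admins": "catalog-admins"}
    print("IdP sent:", sent)
    print("No match this login:", unmatched_mappings(sent, mapping))
```

An empty list from `group_values` is the case the Google note describes: the attribute is omitted when the user belongs to none of the selected groups.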

Configuring SAML in Dataedo Portal (Docker)

Update .env

  1. Open the .env file located alongside the docker-compose.yml file.

  2. Update the Single Sign-On section:

    Single sign-on configuration in docker-compose.yml
    # This sample contains inline comments for explanation purposes.
    # Remove all comments (#) before using this configuration in your environment.

    # Enter the path for the metadata XML file saved on your machine.
    DATAEDO_SSO_IDP_METADATA="/opt/dataedo/idpmetadata/GoogleIDPMetadata.xml"

    # Paste the Entity ID field from Google Admin Portal.
    # This value can be found in Service provider details > Entity ID.
    DATAEDO_SSO_ISSUER="GoogleSAMLDataedo"

    # Specify the signature algorithm. Default is RSA_SHA256.
    # For RSA_SHA1, use http://www.w3.org/2001/04/xmldsig-more#rsa-sha1.
    DATAEDO_SSO_SIGNATURE_ALGORITHM=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

    # Certificate validation mode. Default is ChainTrust.
    DATAEDO_SSO_CERTIFICATE_VALIDATION_MODE=ChainTrust

    # Revocation mode. Default is NoCheck.
    DATAEDO_SSO_REVOCATION_MODE=NoCheck

    # Enter the display name shown when logging in.
    # This value cannot contain spaces. Use underscores (_) instead if needed.
    DATAEDO_SSO_DISPLAY_NAME="GoogleSAML"

    # Ensure this URL points to your Dataedo Portal application address.
    DATAEDO_SSO_CLIENT_URL="https://yourwebsite.com/"
  3. Restart the Docker container:

    docker-compose up -d
  4. If you open Dataedo Portal, you'll see the option to log in with Google.

Clicking it will take you to the Google login page or directly to your Dataedo Portal page if you're already logged in.
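Before restarting the container, the Single Sign-On block can be checked against the constraints stated in the sample above. This is an added example, not part of Dataedo: the sample .env text is constructed with deliberate mistakes, the RSA-SHA1 and https checks are added hardening checks, and deriving the ACS URL from DATAEDO_SSO_CLIENT_URL assumes both refer to the same Portal address.

```python
from urllib.parse import urlsplit

# Constructed sample with deliberate mistakes; keys are the ones from the page.
SAMPLE_ENV = """\
# Paste the Entity ID field from Google Admin Portal.
DATAEDO_SSO_IDP_METADATA="/opt/dataedo/idpmetadata/GoogleIDPMetadata.xml"
DATAEDO_SSO_ISSUER="GoogleSAMLDataedo"
DATAEDO_SSO_SIGNATURE_ALGORITHM=http://www.w3.org/2001/04/xmldsig-more#rsa-sha1
DATAEDO_SSO_DISPLAY_NAME="Google SAML"
DATAEDO_SSO_CLIENT_URL="http://yourwebsite.com/"
"""

def parse_env(text):
    """Return (settings, line numbers of leftover comment lines)."""
    settings, comments = {}, []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            comments.append(number)
            continue
        key, sep, value = line.partition("=")
        if sep:
            # A '#' inside the value (the xmldsig URI fragment) is data.
            settings[key.strip()] = value.strip().strip('"')
    return settings, comments

def lint_sso(text):
    """Check the SSO block against the constraints stated in the guide."""
    s, comments = parse_env(text)
    findings = []
    if comments:
        findings.append(f"comment lines still present: {comments}")
    for key in ("DATAEDO_SSO_IDP_METADATA", "DATAEDO_SSO_ISSUER"):
        if not s.get(key):
            findings.append(f"{key} is missing or empty")
    if " " in s.get("DATAEDO_SSO_DISPLAY_NAME", ""):
        findings.append("DATAEDO_SSO_DISPLAY_NAME contains a space")
    # The next two are added hardening checks, not requirements from the guide.
    if s.get("DATAEDO_SSO_SIGNATURE_ALGORITHM", "").lower().endswith("rsa-sha1"):
        findings.append("signature algorithm is RSA-SHA1; prefer rsa-sha256")
    if urlsplit(s.get("DATAEDO_SSO_CLIENT_URL", "")).scheme != "https":
        findings.append("DATAEDO_SSO_CLIENT_URL is not an https URL")
    return findings

def expected_acs_url(text):
    """ACS URL to compare with the value entered in Google Admin."""
    base = parse_env(text)[0]["DATAEDO_SSO_CLIENT_URL"]
    return base.rstrip("/") + "/api/api/auth/assertion-consumer"

if __name__ == "__main__":
    print(lint_sso(SAMPLE_ENV), expected_acs_url(SAMPLE_ENV))
```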

Need help?

If you run into any problems or have questions, reach out to Dataedo support.
