Skip to main content

Okta with SAML

This guide provides step-by-step instructions for configuring Dataedo to integrate with Okta as your identity provider, ensuring secure and efficient user authentication. Similar instruction may apply to other

Initial configuration in Okta

  1. Login to Okta, then find the Applications > Applications tab:

  2. Click the Create App Integration button, and select SAML 2.0, then click Next.

  3. Choose an App name and logo, then click Next.

  4. In the next screen, type in the address your Dataedo Portal will be accessed on followed by /api/api/auth/assertion-consumer (for example http://your-Dataedo-Web.address/api/api/auth/assertion-consumer).

  5. Type in a uniquely identifying name of your choice in the Audience URI field. Note this name – you will need it for the issuer field in Dataedo settings.

  6. Click Next, then fill the Feedback form or continue by pressing Finish.

  7. You'll see the Sign On settings screen looking like this:

  8. Now you need to pass configuration info from Okta to Dataedo Portal. The easiest way is to copy the link to dynamic configuration. To do this, right-click the Identity Provider metadata link and choose the Copy link address option. You will need this link later.

important

Make sure to assign users allowed access in the Assignments tab.

Configuring group claims in Okta (optional)

You can pass Okta group memberships to Dataedo Portal through a SAML attribute named "Group". This allows assigning roles based on group claims.

  1. From your Okta application settings, click Edit in the SAML Settings section and proceed to the Configure SAML step.

  2. Scroll to the Group Attribute Statements (Optional) section and click Add Group Attribute Statement.

  3. Configure the group attribute:

    • Name: "Group"
    • Name format: Unspecified
    • Filter: e.g., Starts withDataedo to include only relevant groups
    Group attribute statement
    Group filter setup
    SAML integration settings
  4. Click Next and finish saving changes.

  5. Go to the Assignments tab to assign groups and verify user membership:

    Okta group assignments
    Assigned users and groups

Configuring SAML in Dataedo Portal UI (version 25.2+)

Starting with version 25.2, you can configure SAML identity providers directly in the Portal interface. You no longer need to edit appsettings.json. All settings are now stored in the database and are preserved during upgrades.

Step 1 – Open Login Options in System Settings

  1. In the Portal, go to Settings > System Settings > Login options.
  2. Expand the SSO Service (SAML) section.
  3. Toggle Enable login method to activate SAML login. The toggle appears blue when active.
Enable login method toggle

Step 2 – Add or Edit a SAML Identity Provider

  1. Under Configured SAML providers, you will see a list of existing providers (if any).
  2. To add a new one, click Add SAML.
Add SAML button
  1. Fill in the fields with values from your identity provider (for example, Azure AD):
    • Display name – for example, Azure_AD.
    • IdP Metadata – metadata URL or file path.
    • Issuer – from your provider's SAML configuration.
    • Signature algorithm – for example, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
    • Certificate validation mode – for example, ChainTrust.
SAML configuration form
  1. Click Save to store your provider configuration.

Step 3 – Test the Login Option

Once configured, the login screen will display an option to log in via the added SAML provider.

Clicking this will redirect the user to the identity provider login page. Upon successful authentication, users are redirected back to the Portal.

Synchronizing User Groups via SAML

Dataedo Portal can automatically assign users to groups based on their group membership in the identity provider (such as Azure AD). This simplifies access management since group membership is maintained externally, and roles are assigned dynamically during login.

Step 1 – Configure Group Claims in Azure AD

To pass group information through SAML:

  1. In Azure Portal, open your application and go to Single sign-on > Attributes & Claims.
  2. Click Edit, then Add a group claim.
  3. Configure it to:
    • Use Name as the format.
    • Filter by assigned groups (or all groups, if preferred).
    • Set the claim name to "Group".

Make sure users are assigned to groups in Azure AD that reflect their roles in Dataedo Portal.

Step 2 – Enable Group Synchronization in the Portal

  1. Go to User Management > Groups and either create a new group or open an existing one.
  2. In the Settings tab:
    • Optionally enable Automatically assign group to each new user.
    • Enable Synchronize with SAML.
    • Select the correct SAML provider.
    • Enter the group name from your identity provider that should map to this Portal group.
Group mapping with SAML

Step 3 – Assign Roles to the Group

  1. Go to the Permissions tab of the group.
  2. Click Add Role, and:
    • Select the scope (e.g., a specific repository or domain).
    • Choose the appropriate role (e.g., Viewer, Admin).
  3. Save your changes.
Assign role to synchronized group

Once this is set up, group membership changes in Azure AD will automatically apply the correct roles the next time a user logs in.

Configuring SAML in Dataedo Portal Docker image

Follow this section for Portal running from a Docker image.

  1. Open .env file that should be located in same folder as docker-compose.yml file, find the Single Sign On section and fill in as follows:

    # Single sign-on configuration
    # Paste the Identity Provider metadata URL here, or the path to the metadata XML file.
    DATAEDO_SSO_IDP_METADATA="https://dev-09528757.okta.com/app/exk1cy8saliBpdSUh5d7/sso/saml/metadata"
    # Paste the Audience URI from Okta's SAML settings > Audience Restriction field here.
    DATAEDO_SSO_ISSUER="unique_identifier"
    # Set the signature algorithm. Default is RSA_SHA256.
    # If you use RSA_SHA1, set this value to http://www.w3.org/2001/04/xmldsig-more#rsa-sha1
    DATAEDO_SSO_SIGNATURE_ALGORITHM=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    # Certificate validation mode. Default is ChainTrust.
    DATAEDO_SSO_CERTIFICATE_VALIDATION_MODE=ChainTrust
    # Revocation mode. Default is NoCheck.
    DATAEDO_SSO_REVOCATION_MODE=NoCheck
    # Fill in the display name for the Identity Provider.
    # Display name cannot contain spaces, use underscores (_) instead.
    DATAEDO_SSO_DISPLAY_NAME="Okta_SAML"
    # Ensure this URL points to your Dataedo Portal application address.
    DATAEDO_SSO_CLIENT_URL="https://yourwebiste.com/"
  2. Update your Docker Compose with:

        docker-compose up -d
  3. If you open Dataedo Portal, you'll see the option to login with Okta:

Clicking it will either take you to the Okta login page or if you’re already logged in, directly to your Dataedo Portal page.

Need help?

If you run into any problems or have questions, reach out to Dataedo support.

Dataedo is an end-to-end data governance solution for mid-sized organizations.
Data Lineage • Data Quality • Data Catalog