Set up SSO with SAML 2.0
This guide describes a feature of the dbt Cloud Enterprise plan. If you’re interested in learning more about an Enterprise plan, contact us at sales@getdbt.com.
These SSO configuration documents apply to multi-tenant Enterprise deployments only.
dbt Cloud Enterprise supports single-sign on (SSO) for any SAML 2.0-compliant identity provider (IdP). Currently supported features include:
- IdP-initiated SSO
- SP-initiated SSO
- Just-in-time provisioning
This document details the steps to integrate dbt Cloud with an identity provider in order to configure Single Sign On and role-based access control.
Auth0 URIs
The URI used for SSO connections on multi-tenant dbt Cloud instances will vary based on your dbt Cloud hosted region. To find the URIs for your environment in dbt Cloud:
- Navigate to your Account settings and click Single sign-on on the left menu.
- Click Edit in the Single sign-on pane.
- Select the appropriate Identity provider from the dropdown and the Login slug and Identity provider values will populate for that provider.
Generic SAML 2.0 integrations
If your SAML identity provider is one of Okta, Google, Azure or OneLogin, navigate to the relevant section further down this page. For all other SAML compliant identity providers, you can use the instructions in this section to configure that identity provider.
Configure your identity provider
You'll need administrator access to your SAML 2.0 compliant identity provider to configure the identity provider. You can use the following instructions with any SAML 2.0 compliant identity provider.
Creating the application
- Log into your SAML 2.0 identity provider and create a new application.
- When prompted, configure the application with the following details:
- Platform: Web
- Sign on method: SAML 2.0
- App name: dbt Cloud
- App logo (optional): You can optionally download the dbt logo and use it as the logo for this app.
Configuring the application
The following steps use YOUR_AUTH0_URI and YOUR_AUTH0_ENTITYID, which need to be replaced with the appropriate Auth0 SSO URI and Auth0 Entity ID for your region.
To complete this section, you will need to create a login slug. This slug controls the URL where users on your account can log into your application. Login slugs are typically the lowercased name of your organization, with words separated by dashes. It should contain only letters, numbers, and dashes. For example, the login slug for dbt Labs would be dbt-labs.
Login slugs must be unique across all dbt Cloud accounts, so pick a slug that uniquely identifies your company.
When prompted for the SAML 2.0 application configurations, supply the following values:
- Single sign on URL: https://YOUR_AUTH0_URI/login/callback?connection=<login slug>
- Audience URI (SP Entity ID): urn:auth0:<YOUR_AUTH0_ENTITYID>:{login slug}
- Relay State: <login slug>
Additionally, you may configure the IdP attributes passed from your identity provider into dbt Cloud. We recommend using the following values:
name | name format | value | description |
---|---|---|---|
email | Unspecified | user.email | The user's email address |
first_name | Unspecified | user.first_name | The user's first name |
last_name | Unspecified | user.last_name | The user's last name |
NameID | Unspecified | ID | The user's unchanging ID |
NameID values can be persistent (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent) rather than unspecified if your IdP supports these values. Using an email address for NameID will work, but dbt Cloud creates an entirely new user if that email address changes. Configuring a value that will not change, even if the user's email address does, is a best practice.
dbt Cloud's role-based access control relies on group mappings from the IdP to assign dbt Cloud users to dbt Cloud groups. To use role-based access control in dbt Cloud, also configure your identity provider to provide group membership information in a user attribute called groups:
name | name format | value | description |
---|---|---|---|
groups | Unspecified | <IdP-specific> | The groups a user belongs to in the IdP |
You may use a restricted group attribute statement to limit the groups sent to dbt Cloud for each authenticated user. For example, if all of your dbt Cloud groups start with DBT_CLOUD_..., you may optionally apply a filter like Starts With: DBT_CLOUD_.
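The application values above (Single sign on URL, Audience URI, Relay State) and the attribute and groups tables are easy to get subtly wrong, and a mismatch only shows up as a failed login. The following Python is an added example, not dbt Labs' code: it derives the three SP-side values from a login slug (enforcing the letters, numbers and dashes rule), then parses a constructed, unsigned SAML assertion to check that the audience matches, that the recommended attributes are present, that NameID is a stable persistent value rather than an email address, and that a Starts With: DBT_CLOUD_ group filter yields the expected groups. YOUR_AUTH0_URI and YOUR_AUTH0_ENTITYID are kept as placeholders; the IdP issuer, user values and group names are constructed, and signature verification of a real assertion is assumed to happen before any of this runs.

```python
import re
import xml.etree.ElementTree as ET

# Placeholders as on the page: real values come from the dbt Cloud Single sign-on pane.
AUTH0_URI = "YOUR_AUTH0_URI"
AUTH0_ENTITY_ID = "YOUR_AUTH0_ENTITYID"

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Lowercase letters, digits and single dashes between words, per the slug rule on the page.
SLUG_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")


def sp_settings(login_slug, auth0_uri=AUTH0_URI, auth0_entity_id=AUTH0_ENTITY_ID):
    """Return the Single sign on URL, Audience URI and Relay State for a login slug."""
    if not SLUG_RE.match(login_slug):
        raise ValueError(f"invalid login slug {login_slug!r}: use lowercase letters, digits and dashes")
    return {
        "sso_url": f"https://{auth0_uri}/login/callback?connection={login_slug}",
        "audience": f"urn:auth0:{auth0_entity_id}:{login_slug}",
        "relay_state": login_slug,
    }


def make_assertion(name_id, name_id_format, audience, groups):
    """Build a constructed (unsigned) assertion carrying the attributes the page recommends."""
    group_values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}" ID="_constructed" Version="2.0">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID Format="{name_id_format}">{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">{group_values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def review_assertion(xml_text, expected_audience, group_prefix="DBT_CLOUD_"):
    """Check audience, NameID stability and the groups attribute of an assertion.

    Signature validation is out of scope here: a real SP verifies the XML signature
    against the IdP's X.509 certificate before trusting any of these fields.
    """
    assertion = ET.fromstring(xml_text)
    audiences = [a.text for a in assertion.findall(".//saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience {audiences} does not match expected {expected_audience}")

    name_id = assertion.find("saml:Subject/saml:NameID", SAML_NS)
    name_id_format = name_id.get("Format", UNSPECIFIED)
    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
        for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS)
    }
    # Mirror a "Starts With: DBT_CLOUD_" restricted group attribute statement.
    groups = [g for g in attributes.get("groups", []) if g.startswith(group_prefix)]

    warnings = []
    missing = [n for n in ("email", "first_name", "last_name") if n not in attributes]
    if missing:
        warnings.append(f"missing attributes: {missing}")
    if name_id_format != PERSISTENT:
        warnings.append("NameID format is not persistent")
    if "@" in (name_id.text or ""):
        warnings.append("NameID is an email address; a changed address would create a new dbt Cloud user")
    return {"name_id": name_id.text, "name_id_format": name_id_format,
            "attributes": attributes, "groups": groups, "warnings": warnings}


if __name__ == "__main__":
    settings = sp_settings("dbt-labs")
    good = make_assertion("u-7f3a", PERSISTENT, settings["audience"], ["DBT_CLOUD_DEVELOPERS", "ENGINEERING"])
    print(review_assertion(good, settings["audience"]))
    risky = make_assertion("ada@example.test", UNSPECIFIED, settings["audience"], ["DBT_CLOUD_ADMINS"])
    print(review_assertion(risky, settings["audience"])["warnings"])
```

Run it with the placeholders replaced by your region's values; the second review shows the warnings you would want to see before going live with an email-based, unspecified-format NameID.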
Collect integration secrets
After confirming your details, the IdP should show you the following values for the new SAML 2.0 integration. Keep these values somewhere safe, as you will need them to complete setup in dbt Cloud.
- Identity Provider Issuer
- Identity Provider SSO Url
- X.509 Certificate
Finish setup
After creating the application, follow the instructions in the dbt Cloud Setup section to complete the integration.
Okta integration
You can use the instructions in this section to configure Okta as your identity provider.
- Log into your Okta account. Using the Admin dashboard, create a new app.
- Select the following configurations:
- Platform: Web
- Sign on method: SAML 2.0
- Click Create to continue the setup process.
Configure the Okta application
The following steps use YOUR_AUTH0_URI and YOUR_AUTH0_ENTITYID, which need to be replaced with the appropriate Auth0 SSO URI and Auth0 Entity ID for your region.
To complete this section, you will need to create a login slug. This slug controls the URL where users on your account can log into your application. Login slugs are typically the lowercased name of your organization, with words separated by dashes. It should contain only letters, numbers, and dashes. For example, the login slug for dbt Labs would be dbt-labs.
Login slugs must be unique across all dbt Cloud accounts, so pick a slug that uniquely identifies your company.
- On the General Settings page, enter the following details:
- App name: dbt Cloud
- App logo (optional): You can optionally download the dbt logo, and upload it to Okta to use as the logo for this app.
- Click Next to continue.