Single Sign-On
To set up Single Sign-On (SSO), contact your customer representative or reach out to the Support team.
Overview
DataOps.live supports SSO for the following connections:
- SAML 2.0
- OpenID Connect
- Okta
- Google Workspace
- Microsoft Azure AD
- Active Directory Federation Services (ADFS)
- Ping Federate
Each connection is associated with an email domain that your enterprise must have complete ownership of.
Supported flows
Signing on with SSO
Existing DataOps users are matched by email address when logging into DataOps.live using SSO. Their identities will be associated with this particular email address. Additionally, users will maintain the same permissions as they initially had. Group membership is managed locally within the data product platform.
Signing up with SSO
When a user signs in via SSO without an existing DataOps login, the platform will create a login for them, but it will not be associated with a group. They must talk to their DataOps admin to be linked to the correct groups.
Note that the user doesn't have a password set within DataOps.live with SSO enabled. Follow these steps to work with Git locally.
Signing out
When a user who has logged in via SSO logs out, they will be logged out of DataOps.live and then prompted to log out of their SSO provider as well.
Supported connections
SSO setup requires some coordination with DataOps.live. Below is the required information for each connection type.
SAML 2.0
If you are setting up an SSO connection with SAML 2.0 between now and our planned improved account security rollout, our Support team will work with you to set up two connections so that you can transition smoothly.
For more information, see Improved Account Security
Details you require:
| Item | Value | Description |
|---|---|---|
| Connection Name | To be agreed, usually your company name as a slug | |
| POST-back URL | https://auth.dataops.live/login/callback?connection=YOUR_CONNECTION_NAME | Also called Assertion Consumer Service URL |
| The Entity ID | urn:auth0:dataops:YOUR_CONNECTION_NAME | |
| Sign Request Certificate | Certificate so that the SAML IdP can validate the assertions' signature. | |
| DataOps Sign In Url | https://app.dataops.live/users/sign_in?feature_sso=true&org_id=YOUR_ORGANIZATION_ID | Your Single Sign-On URL (organization ID assigned by DataOps) |
Details we need:
| Item | Required | Example | Description |
|---|---|---|---|
| Email Domain | Yes | yourcompany.com | Your user email domain |
| Name | Yes | Your Company | Company Name |
| Slug | Yes | yourcompany | Company Name as a slug (alphanumeric characters only) |
| Logo Url | No | https://yourcompany.com/assets/logo.png | A URL to your logo to display on the login screen |
| Primary Color | No | #29B5E8 | A primary color for the login screen accents |
| Background Color | No | #F2F2F2 | A background color for the login screen background |
| Sign In URL | Yes | SAML single login URL | |
| X.509 Signing Certificate | Yes | Signing certificate (encoded in PEM or CER) you retrieved from the IdP earlier in this process. | |
| Sign Out URL | No | SAML single logout URL | |
| User ID Attribute | No | Attribute in the SAML token that will be mapped to the user_id property. | |
| Sign Request Enabled | No | Yes or No | When enabled, the SAML authentication request will be signed |
| Sign Request Algorithm | No | RSASHA256 or RSASHA1 | Algorithm user to sign the SAML assertions |
| Sign Request Digest Algorithm | No | SHA256 or SHA1 | Algorithm user for the sign request digest |
| Protocol Binding | No | HTTP-Redirect or HTTP-POST | HTTP binding supported by the IdP |
| Request Template | No | Template that formats the SAML request |
OpenID connect
Details you require:
| Item | Value | Description |
|---|---|---|
| Callback URL | https://auth.dataops.live/login/callback | OIDC Callback URL |
| DataOps Sign In Url | https://app.dataops.live/users/sign_in?feature_sso=true&org_id=YOUR_ORGANIZATION_ID | Your Single Sign-On URL (organization ID assigned by DataOps) |
Details we need:
| Item | Required | Example | Description |
|---|---|---|---|
| Email Domain | Yes | yourcompany.com | Your user email domain |
| Name | Yes | Your Company | Company Name |
| Slug | Yes | yourcompany | Company Name as a slug (alphanumeric characters only) |
| Issuer URL | Yes | URL where we can find the OpenID Provider Configuration Document, which should normally be available in the /.well-known/openid-configuration endpoint. You can enter the base URL or the full URL | |
| Client ID | Yes | Unique identifier for your registered application | |
| Logo Url | No | https://yourcompany.com/assets/logo.png | A URL to your logo to display on the login screen |
| Primary Color | No | #29B5E8 | A primary color for the login screen accents |
| Background Color | No | #F2F2F2 | A background color for the login screen background |
Okta
Okta is supported by the OpenID Connect enterprise connection above.
In the case of Okta, the Issuer URL should be either
https://<YOUR_OKTA_DOMAIN>/.well-known/openid-configuration or
https://<YOUR_OKTA_DOMAIN>/oauth2/<AUTH_SERVER_ID>/.well-known/.
The Client ID will be provided by Okta for your DataOps app when you create the connection.
Google workspace
Details you require:
| Item | Value | Description |
|---|---|---|
| Authorized JavaScript origins | https://auth.dataops.live/ | |
| Authorized redirect URIs | https://auth.dataops.live/login/callback | |
| DataOps Sign In Url | https://app.dataops.live/users/sign_in?feature_sso=true&org_id=YOUR_ORGANIZATION_ID | Your Single Sign-On URL (organization ID assigned by DataOps) |
Details we need:
| Item | Required | Example | Description |
|---|---|---|---|
| Email Domain | Yes | yourcompany.com | Your user email domain |
| Name | Yes | Your Company | Company Name |
| Slug | Yes | yourcompany | Company Name as a slug (alphanumeric characters only) |
| Google Workspace Domain | Yes | Google Workspace domain name for your organization. | |
| Client ID | Yes | Unique identifier for your registered Google application. | |
| Client Secret | Yes | String used to gain access to your registered Google application | |
| Logo Url | No | https://yourcompany.com/assets/logo.png | A URL to your logo to display on the login screen |
| Primary Color | No | #29B5E8 | A primary color for the login screen accents |
| Background Color | No | #F2F2F2 | A background color for the login screen background |
Microsoft Azure AD
Details you require:
| Item | Value | Description |
|---|---|---|
| Redirect URI | https://auth.dataops.live/login/callback | |
| DataOps Sign In Url | https://app.dataops.live/users/sign_in?feature_sso=true&org_id=YOUR_ORGANIZATION_ID | Your Single Sign-On URL (organization ID assigned by DataOps) |
Details we need:
| Item | Required | Example | Description |
|---|---|---|---|
| Email Domain | Yes | yourcompany.com | Your user email domain |
| Name | Yes | Your Company | Company Name |
| Slug | Yes | yourcompany | Company Name as a slug (alphanumeric characters only) |
| Microsoft Azure AD Domain | Yes | ||
| Client ID | Yes | ||
| Client Secret | Yes | ||
| Identity API | Yes | Microsoft Identity Platform (v2) or Azure Active Directory (v1) | |
| Protocol | Yes, if Azure AD V1 was chosen above | OpenID Connect or WS Federation | |
| App ID URI | Yes, if Azure AD V1 was chosen above | Application ID URI that was created when you configured your Web application in Azure to expose an API | |
| Logo Url | No | https://yourcompany.com/assets/logo.png | A URL to your logo to display on the login screen |
| Primary Color | No | #29B5E8 | A primary color for the login screen accents. |
| Background Color | No | #F2F2F2 | A background color for the login screen background |
ADFS
If you are setting up an SSO connection with ADFS between now and our planned improved account security role out, our support team will work with you to setup two connections so that you can transition smoothly.
For more information see Improved Account Security
Details you require:
| Item | Value | Description |
|---|---|---|
| Realm Identifier | urn:auth0:dataops | |
| Endpoint | https://auth.dataops.live/login/callback | |
| DataOps Sign In Url | https://app.dataops.live/users/sign_in?feature_sso=true&org_id=YOUR_ORGANIZATION_ID | Your Single Sign-On URL (organization ID assigned by DataOps) |
Details we need:
| Item | Required | Example | Description |
|---|---|---|---|
| Email Domain | Yes | yourcompany.com | Your user email domain |
| Name | Yes | Your Company | Company Name |
| Slug | Yes | yourcompany | Company Name as a slug (alphanumeric characters only) |
| Federation Metadata URL | Either URL (preferred) or File | URL to /FederationMetadata/2007-06/FederationMetadata.xml | URL to federated metadata that gets checked once a day for updates, e.g. for a certificate rollover |
| Federation Metadata File | Either URL (preferred) or File | Copy of the federated metadata XML file | |
| Logo Url | No | https://yourcompany.com/assets/logo.png | A URL to your logo to display on the login screen |
| Primary Color | No | #29B5E8 | A primary color for the login screen accents |
| Background Color | No | #F2F2F2 | A background color for the login screen background |
Ping Federate
If you are setting up an SSO connection with Ping Federate between now and our planned improved account security rollout, our Support team will work with you to set up two connections so that you can transition smoothly.
For more information, see Improved Account Security
Details you require:
| Item | Value | Description |
|---|---|---|
| Sign Request Certificate | Certificate so that the SAML IdP can validate the assertions' signature | |
| DataOps Sign In Url | https://app.dataops.live/users/sign_in?feature_sso=true&org_id=YOUR_ORGANIZATION_ID | Your Single Sign-On URL (organization ID assigned by DataOps) |
Details we need:
| Item | Required | Example | Description |
|---|---|---|---|
| Email Domain | Yes | yourcompany.com | Your user email domain |
| Name | Yes | Your Company | Company Name |
| Slug | Yes | yourcompany | Company Name as a slug (alphanumeric characters only) |
| Logo Url | No | https://yourcompany.com/assets/logo.png | A URL to your logo to display on the login screen |
| Primary Color | No | #29B5E8 | A primary color for the login screen accents |
| Background Color | No | #F2F2F2 | A background color for the login screen background |
| PingFederate Server URL | Yes | URL for your PingFederate Server | |
| X.509 Signing Certificate | Yes | PingFederate Server public key (encoded in PEM or CER) | |
| Sign Request Enabled | No | Yes or No | When enabled, the SAML authentication request will be signed |
| Sign Request Algorithm | No | RSASHA256 or RSASHA1 | Algorithm user to sign the SAML assertions |
| Sign Request Digest Algorithm | No | SHA256 or SHA1 | Algorithm user for the sign request digest |