Single Sign-On

Overview

DataOps supports Single Sign-On for the following connections:

  • SAML 2.0
  • OpenID Connect
  • Okta
  • Google Workspace
  • Microsoft Azure AD
  • Active Directory Federation Services (ADFS)
  • Ping Federate

Each connection is associated with an email domain that your enterprise must have complete ownership of.

Supported Flows

Sign on with SSO

Existing DataOps users are matched by email address when logging into the DataOps app using SSO. Their identities will be associated with this particular email address. Additionally, users will maintain the same permissions as they initially had. Group membership is managed locally within the DataOps app.

Sign up with SSO

When a user signs in via SSO without an existing DataOps login, the system will create a login for them, but it will not be associated with a group. They must talk to their DataOps admin to be linked to the correct groups.

Note that with SSO enabled, the user doesn't have a password set within DataOps.live. Follow these steps to work with Git locally.

Supported Connections

SSO setup requires some coordination with DataOps. Below is the required information for each connection type.

SAML 2.0

Details you require:

| Item | Value | Description |
| --- | --- | --- |
| Connection Name | To be agreed, usually your company name as a slug | |
| POST-back URL | https://dataops.eu.auth0.com/login/callback?connection=YOUR_CONNECTION_NAME | Also called Assertion Consumer Service URL |
| The Entity ID | urn:auth0:dataops:YOUR_CONNECTION_NAME | |
| Sign Request Certificate | | Certificate so that the SAML IdP can validate the assertions' signature. |
| DataOps Sign In Url | https://app.dataops.live/users/sign_in?feature_sso=true&org_id=YOUR_ORGANIZATION_ID | Your Single Sign-On URL (organization ID assigned by DataOps) |

Details we need:

| Item | Required | Example | Description |
| --- | --- | --- | --- |
| Email Domain | Yes | yourcompany.com | Your user email domain |
| Name | Yes | Your Company | Company Name |
| Slug | Yes | yourcompany | Company Name as a slug (alphanumeric characters only) |
| Logo Url | No | https://yourcompany.com/assets/logo.png | A URL to your logo to display on the login screen |
| Primary Color | No | #29B5E8 | A primary color for the login screen accents |
| Background Color | No | #F2F2F2 | A background color for the login screen background |
| Sign In URL | Yes | | SAML single login URL |
| X.509 Signing Certificate | Yes | | Signing certificate (encoded in PEM or CER) you retrieved from the IdP earlier in this process. |
| Sign Out URL | No | | SAML single logout URL |
| User ID Attribute | No | | Attribute in the SAML token that will be mapped to the user_id property. |
| Sign Request Enabled | No | Yes or No | When enabled, the SAML authentication request will be signed |
| Sign Request Algorithm | No | RSASHA256 or RSASHA1 | Algorithm used to sign the SAML assertions |
| Sign Request Digest Algorithm | No | SHA256 or SHA1 | Algorithm used for the sign request digest |
| Protocol Binding | No | HTTP-Redirect or HTTP-POST | HTTP binding supported by the IdP |
| Request Template | No | | Template that formats the SAML request |

OpenID Connect

Details you require:

| Item | Value | Description |
| --- | --- | --- |
| Callback URL | https://dataops.eu.auth0.com/login/callback | OIDC Callback URL |
| DataOps Sign In Url | https://app.dataops.live/users/sign_in?feature_sso=true&org_id=YOUR_ORGANIZATION_ID | Your Single Sign-On URL (organization ID assigned by DataOps) |

Details we need:

| Item | Required | Example | Description |
| --- | --- | --- | --- |
| Email Domain | Yes | yourcompany.com | Your user email domain |
| Name | Yes | Your Company | Company Name |
| Slug | Yes | yourcompany | Company Name as a slug (alphanumeric characters only) |
| Issuer URL | Yes | | URL where we can find the OpenID Provider Configuration Document, which should normally be available in the /.well-known/openid-configuration endpoint. You can enter the base URL or the full URL |
| Client ID | Yes | | Unique identifier for your registered application |
| Logo Url | No | https://yourcompany.com/assets/logo.png | A URL to your logo to display on the login screen |
| Primary Color | No | #29B5E8 | A primary color for the login screen accents |
| Background Color | No | #F2F2F2 | A background color for the login screen background |

Okta

Okta is supported by the OpenID Connect enterprise connection above.

In the case of Okta, the Issuer URL should be either https://<YOUR_OKTA_DOMAIN>/.well-known/openid-configuration or https://<YOUR_OKTA_DOMAIN>/oauth2/<AUTH_SERVER_ID>/.well-known/.

The Client ID will be provided by Okta for your DataOps app when you create the connection.
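Before handing over an Issuer URL, it is worth confirming that the base and full forms resolve to the same discovery document and that the document names the same issuer. The following is an added example, not DataOps or Okta code; the host idp.example.com, the authorization server ID aus123 and both sample documents are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

def split_issuer(entered):
    """Accept a base URL or a full discovery URL; return (issuer, discovery_url)."""
    url = entered.strip()
    if url.endswith(WELL_KNOWN):
        url = url[: -len(WELL_KNOWN)]
    issuer = url.rstrip("/")
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"issuer must be an https URL: {entered!r}")
    if parts.query or parts.fragment:
        raise ValueError("issuer must not carry a query or fragment")
    return issuer, issuer + WELL_KNOWN

def check_discovery(entered, document):
    """Return problems found in a discovery document fetched for `entered`."""
    issuer, _ = split_issuer(entered)
    meta = json.loads(document)
    problems = []
    # OIDC Discovery requires the document's issuer to match the URL it was
    # fetched from; a trailing slash is ignored here as a leniency.
    if str(meta.get("issuer", "")).rstrip("/") != issuer:
        problems.append(f"issuer mismatch: document says {meta.get('issuer')!r}")
    for key in ("authorization_endpoint", "jwks_uri"):
        if urlsplit(str(meta.get(key, ""))).scheme != "https":
            problems.append(f"{key} missing or not https")
    return problems

# Constructed sample documents (idp.example.com and aus123 are placeholders).
GOOD_DOC = json.dumps({
    "issuer": "https://idp.example.com/oauth2/aus123",
    "authorization_endpoint": "https://idp.example.com/oauth2/aus123/v1/authorize",
    "jwks_uri": "https://idp.example.com/oauth2/aus123/v1/keys",
})
BAD_DOC = json.dumps({
    "issuer": "https://other.example.net",
    "authorization_endpoint": "http://idp.example.com/authorize",
})

if __name__ == "__main__":
    entered = "https://idp.example.com/oauth2/aus123/.well-known/openid-configuration"
    print(split_issuer(entered))
    print(check_discovery(entered, GOOD_DOC))
    print(check_discovery(entered, BAD_DOC))
```

In practice the document passed to check_discovery is the body fetched from the discovery URL that split_issuer returns.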

Google Workspace

Details you require:

| Item | Value | Description |
| --- | --- | --- |
| Authorized JavaScript origins | https://dataops.eu.auth0.com/ | |
| Authorized redirect URIs | https://dataops.eu.auth0.com/login/callback | |
| DataOps Sign In Url | https://app.dataops.live/users/sign_in?feature_sso=true&org_id=YOUR_ORGANIZATION_ID | Your Single Sign-On URL (organization ID assigned by DataOps) |

Details we need:

| Item | Required | Example | Description |
| --- | --- | --- | --- |
| Email Domain | Yes | yourcompany.com | Your user email domain |
| Name | Yes | Your Company | Company Name |
| Slug | Yes | yourcompany | Company Name as a slug (alphanumeric characters only) |
| Google Workspace Domain | Yes | | Google Workspace domain name for your organization. |
| Client ID | Yes | | Unique identifier for your registered Google application. |
| Client Secret | Yes | | String used to gain access to your registered Google application |
| Logo Url | No | https://yourcompany.com/assets/logo.png | A URL to your logo to display on the login screen |
| Primary Color | No | #29B5E8 | A primary color for the login screen accents |
| Background Color | No | #F2F2F2 | A background color for the login screen background |

Microsoft Azure AD

Details you require:

| Item | Value | Description |
| --- | --- | --- |
| Redirect URI | https://dataops.eu.auth0.com/login/callback | |
| DataOps Sign In Url | https://app.dataops.live/users/sign_in?feature_sso=true&org_id=YOUR_ORGANIZATION_ID | Your Single Sign-On URL (organization ID assigned by DataOps) |

Details we need:

| Item | Required | Example | Description |
| --- | --- | --- | --- |
| Email Domain | Yes | yourcompany.com | Your user email domain |
| Name | Yes | Your Company | Company Name |
| Slug | Yes | yourcompany | Company Name as a slug (alphanumeric characters only) |
| Microsoft Azure AD Domain | Yes | | |
| Client ID | Yes | | |
| Client Secret | Yes | | |
| Identity API | Yes | Microsoft Identity Platform (v2) or Azure Active Directory (v1) | |
| Protocol | Yes, if Azure AD V1 was chosen above | OpenID Connect or WS Federation | |
| App ID URI | Yes, if Azure AD V1 was chosen above | | Application ID URI that was created when you configured your Web application in Azure to expose an API |
| Logo Url | No | https://yourcompany.com/assets/logo.png | A URL to your logo to display on the login screen |
| Primary Color | No | #29B5E8 | A primary color for the login screen accents. |
| Background Color | No | #F2F2F2 | A background color for the login screen background |

ADFS

Details you require:

| Item | Value | Description |
| --- | --- | --- |
| Realm Identifier | urn:auth0:dataops | |
| Endpoint | https://dataops.eu.auth0.com/login/callback | |
| DataOps Sign In Url | https://app.dataops.live/users/sign_in?feature_sso=true&org_id=YOUR_ORGANIZATION_ID | Your Single Sign-On URL (organization ID assigned by DataOps) |

Details we need:

| Item | Required | Example | Description |
| --- | --- | --- | --- |
| Email Domain | Yes | yourcompany.com | Your user email domain |
| Name | Yes | Your Company | Company Name |
| Slug | Yes | yourcompany | Company Name as a slug (alphanumeric characters only) |
| Federation Metadata URL | Either URL (preferred) or File | URL to /FederationMetadata/2007-06/FederationMetadata.xml | URL to federated metadata that gets checked once a day for updates, e.g. for a certificate rollover |
| Federation Metadata File | Either URL (preferred) or File | | Copy of the federated metadata XML file |
| Logo Url | No | https://yourcompany.com/assets/logo.png | A URL to your logo to display on the login screen |
| Primary Color | No | #29B5E8 | A primary color for the login screen accents |
| Background Color | No | #F2F2F2 | A background color for the login screen background |

Ping Federate

Details you require:

| Item | Value | Description |
| --- | --- | --- |
| Sign Request Certificate | | Certificate so that the SAML IdP can validate the assertions' signature |
| DataOps Sign In Url | https://app.dataops.live/users/sign_in?feature_sso=true&org_id=YOUR_ORGANIZATION_ID | Your Single Sign-On URL (organization ID assigned by DataOps) |

Details we need:

| Item | Required | Example | Description |
| --- | --- | --- | --- |
| Email Domain | Yes | yourcompany.com | Your user email domain |
| Name | Yes | Your Company | Company Name |
| Slug | Yes | yourcompany | Company Name as a slug (alphanumeric characters only) |
| Logo Url | No | https://yourcompany.com/assets/logo.png | A URL to your logo to display on the login screen |
| Primary Color | No | #29B5E8 | A primary color for the login screen accents |
| Background Color | No | #F2F2F2 | A background color for the login screen background |
| PingFederate Server URL | Yes | | URL for your PingFederate Server |
| X.509 Signing Certificate | Yes | | PingFederate Server public key (encoded in PEM or CER) |
| Sign Request Enabled | No | Yes or No | When enabled, the SAML authentication request will be signed |
| Sign Request Algorithm | No | RSASHA256 or RSASHA1 | Algorithm used to sign the SAML assertions |
| Sign Request Digest Algorithm | No | SHA256 or SHA1 | Algorithm used for the sign request digest |
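The SAML 2.0 and Ping Federate "Details we need" lists share the slug, URL, certificate and sign request items, and both offer SHA-1 based algorithms next to the SHA-256 ones. The following is an added example of a pre-submission review of those values, not DataOps code; the function names, the sample values and the placeholder certificate are constructed, and only the PEM form of the certificate is checked.

```python
import base64
import re

SHA1_OPTIONS = {"RSASHA1", "SHA1"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_looks_valid(pem):
    """True if the text holds a PEM block whose body decodes to a DER SEQUENCE.
    This checks the encoding only; it does not parse or verify the certificate."""
    match = PEM_RE.search(pem)
    if not match:
        return False
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return der.startswith(b"\x30")

def review_details(details):
    """Return findings for a dict keyed by the 'Item' names in the tables."""
    findings = []
    if not re.fullmatch(r"[A-Za-z0-9]+", details.get("Slug", "")):
        findings.append("Slug: alphanumeric characters only")
    for item, value in details.items():
        if item.upper().endswith("URL") and not value.startswith("https://"):
            findings.append(f"{item}: expected an https:// URL")
    if not pem_looks_valid(details.get("X.509 Signing Certificate", "")):
        findings.append("X.509 Signing Certificate: no well-formed PEM block")
    if details.get("Sign Request Enabled") == "Yes":
        for item in ("Sign Request Algorithm", "Sign Request Digest Algorithm"):
            if details.get(item) in SHA1_OPTIONS:
                findings.append(f"{item}: {details[item]} is SHA-1 based, use the SHA-256 option")
    return findings

# Constructed sample; the certificate body is a placeholder, not a real certificate.
PLACEHOLDER_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(b"\x30\x82\x00\x04demo").decode()
                   + "\n-----END CERTIFICATE-----")
SAMPLE = {
    "Slug": "your-company",
    "Sign In URL": "http://idp.example.com/saml/sso",
    "X.509 Signing Certificate": PLACEHOLDER_PEM,
    "Sign Request Enabled": "Yes",
    "Sign Request Algorithm": "RSASHA1",
    "Sign Request Digest Algorithm": "SHA256",
}

if __name__ == "__main__":
    for finding in review_details(SAMPLE):
        print(finding)
```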