Set up SSO with Okta

Enterprise feature

This guide describes a feature of the dbt Cloud Enterprise plan. If you’re interested in learning more about an Enterprise plan, contact us at sales@getdbt.com.

These SSO configuration documents apply to multi-tenant Enterprise deployments only.

Okta SSO

dbt Cloud Enterprise supports single sign-on via Okta (using SAML). Currently supported features include:

  • IdP-initiated SSO
  • SP-initiated SSO
  • Just-in-time provisioning

This guide outlines the setup process for authenticating to dbt Cloud with Okta.

Configuration in Okta

Create a new application

Note: You'll need administrator access to your Okta organization to follow this guide.

First, log into your Okta account. Using the Admin dashboard, create a new app.

Create a new app

On the following screen, select the following configurations:

  • Platform: Web
  • Sign on method: SAML 2.0

Click Create to continue the setup process.

Configure a new app

Configure the Okta application

On the General Settings page, enter the following details:

  • App name: dbt Cloud
  • App logo (optional): You can optionally download the dbt logo, and upload it to Okta to use as the logo for this app.

Click Next to continue.

Configure the app's General Settings

Configure SAML Settings

The SAML Settings page configures how Okta and dbt Cloud communicate. You will want to use an appropriate Access URL for your region and plan.

To complete this section, you will need a login slug. This slug controls the URL where users on your account can log into your application via Okta. Login slugs are typically the lowercased name of your organization separated with dashes. It should contain only letters, numbers, and dashes. For example, the login slug for dbt Labs would be dbt-labs. Login slugs must be unique across all dbt Cloud accounts, so pick a slug that uniquely identifies your company.

The following steps use YOUR_AUTH0_URI and YOUR_AUTH0_ENTITYID, which need to be replaced with the appropriate Auth0 SSO URI and Auth0 Entity ID for your region.

  • Single sign on URL: https://YOUR_AUTH0_URI/login/callback?connection=<login slug>
  • Audience URI (SP Entity ID): urn:auth0:YOUR_AUTH0_ENTITYID:<login slug>
  • Relay State: <login slug>
  • Name ID format: Unspecified
  • Application username: Custom / user.getInternalProperty("id")
  • Update Application username on: Create and update

Configure the app's SAML Settings
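
The login slug appears in three of the Okta fields above and must match the slug entered in dbt Cloud, so a mismatch in any one of them is an easy misconfiguration to make. The following check is an added example, not dbt Labs or Okta code: the function name, the dictionary keys, the sample host and entity ID are hypothetical, and the exact, case-sensitive comparison is an assumption.

```python
import re
from urllib.parse import urlparse, parse_qs

# Page rule: a login slug contains only letters, numbers, and dashes.
SLUG_RE = re.compile(r"[A-Za-z0-9-]+")

def check_saml_settings(okta, dbt_cloud_slug):
    """Return a list of mismatches between the Okta fields and the dbt Cloud slug."""
    problems = []
    if not SLUG_RE.fullmatch(dbt_cloud_slug):
        problems.append("slug: only letters, numbers, and dashes are allowed")

    # Single sign on URL: https://YOUR_AUTH0_URI/login/callback?connection=<login slug>
    url = urlparse(okta["single_sign_on_url"])
    if url.scheme != "https" or not url.netloc or url.path != "/login/callback":
        problems.append("single_sign_on_url: expected https://YOUR_AUTH0_URI/login/callback")
    if parse_qs(url.query).get("connection") != [dbt_cloud_slug]:
        problems.append("single_sign_on_url: connection parameter is not the slug")

    # Audience URI: urn:auth0:YOUR_AUTH0_ENTITYID:<login slug>
    parts = okta["audience_uri"].split(":")
    if len(parts) != 4 or parts[:2] != ["urn", "auth0"] or not parts[2]:
        problems.append("audience_uri: expected urn:auth0:ENTITYID:slug")
    elif parts[3] != dbt_cloud_slug:
        problems.append("audience_uri: last segment is not the slug")

    # Relay State must equal the slug entered in dbt Cloud.
    if okta["relay_state"] != dbt_cloud_slug:
        problems.append("relay_state: does not equal the slug")
    return problems

# Constructed sample values; the host and entity ID are placeholders.
GOOD = {
    "single_sign_on_url": "https://auth.example.invalid/login/callback?connection=dbt-labs",
    "audience_uri": "urn:auth0:example-entity:dbt-labs",
    "relay_state": "dbt-labs",
}
BAD = dict(GOOD, relay_state="dbt_labs",
           audience_uri="urn:auth0:example-entity:dbt-lab")

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_saml_settings(cfg, "dbt-labs") or "consistent")
```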

Use the Attribute Statements and Group Attribute Statements forms to map your organization's Okta User and Group Attributes to the format that dbt Cloud expects.

Expected User Attribute Statements:

| Name | Name format | Value | Description |
|------|-------------|-------|-------------|
| email | Unspecified | user.email | The user's email address |
| first_name | Unspecified | user.firstName | The user's first name |
| last_name | Unspecified | user.lastName | The user's last name |

Expected Group Attribute Statements:

| Name | Name format | Filter | Value | Description |
|------|-------------|--------|-------|-------------|
| groups | Unspecified | Matches regex | .* | The groups that the user belongs to |

Note: You may use a more restrictive Group Attribute Statement than the example shown above. For example, if all of your dbt Cloud groups start with DBT_CLOUD_, you may use a filter like Starts With: DBT_CLOUD_. Okta only returns 100 groups for each user, so if your users belong to more than 100 IdP groups, you will need to use a more restrictive filter. Please contact support if you have any questions.
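
Before choosing a filter, it helps to check two things against your real memberships: that no user still matches more than 100 groups, and that the filter does not drop a group dbt Cloud relies on. The following audit is an added example, not dbt Labs or Okta code: the function names and sample data are hypothetical, and treating "Matches regex" as a whole-name match is an assumption.

```python
import re

OKTA_GROUP_LIMIT = 100  # from the note above: Okta returns only 100 groups per user

def make_filter(kind, value):
    """Model a Group Attribute Statement filter as a predicate on group names."""
    if kind == "Matches regex":
        pattern = re.compile(value)
        # Assumption: the regex must match the whole group name.
        return lambda name: pattern.fullmatch(name) is not None
    if kind == "Starts With":
        return lambda name: name.startswith(value)
    raise ValueError(f"unsupported filter kind: {kind}")

def audit_filter(user_groups, dbt_groups, kind, value):
    """Return (users over the limit with their match count, dbt groups the filter drops)."""
    keep = make_filter(kind, value)
    over_limit = {}
    for user, groups in user_groups.items():
        matched = sum(1 for g in set(groups) if keep(g))
        if matched > OKTA_GROUP_LIMIT:
            over_limit[user] = matched
    dropped = sorted(g for g in dbt_groups if not keep(g))
    return over_limit, dropped

# Constructed sample data standing in for an export of Okta group memberships.
DBT_GROUPS = {"DBT_CLOUD_ANALYSTS", "DBT_CLOUD_OWNERS"}
USER_GROUPS = {
    "alice@example.invalid": [f"TEAM_{i:03d}" for i in range(120)] + sorted(DBT_GROUPS),
    "bob@example.invalid": ["TEAM_001", "DBT_CLOUD_ANALYSTS"],
}

if __name__ == "__main__":
    for kind, value in [("Matches regex", ".*"), ("Starts With", "DBT_CLOUD_"),
                        ("Starts With", "DBT_CLOUD_A")]:
        print(kind, value, audit_filter(USER_GROUPS, DBT_GROUPS, kind, value))
```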

Configure the app's User and Group Attribute Statements

Click Next to continue.

Finish Okta setup

Select I'm an Okta customer adding an internal app, and select This is an internal app that we have created. Click Finish to finish setting up the app.

Finishing setup in Okta

View setup instructions

On the next page, click View Setup Instructions. In the steps below, you'll supply these values in your dbt Cloud Account Settings to complete the integration between Okta and dbt Cloud.

Viewing the configured application

Application setup instructions

Configuration in dbt Cloud

To complete setup, follow the steps below in dbt Cloud.

Supplying credentials

First, navigate to the Enterprise > Single Sign On page under Account Settings. Next, click the Edit button and supply the following SSO details:

Login Slugs

The slug configured here should have the same value as the Okta RelayState configured in the steps above.

| Field | Value |
|-------|-------|
| Log in with | Okta |
| Identity Provider SSO Url | Paste the Identity Provider Single Sign-On URL shown in the Okta setup instructions |
| Identity Provider Issuer | Paste the Identity Provider Issuer shown in the Okta setup instructions |
| X.509 Certificate | Paste the X.509 Certificate shown in the Okta setup instructions. Note: When the certificate expires, an Okta admin will have to generate a new one to be pasted into dbt Cloud for uninterrupted application access. |
| Slug | Enter your desired login slug. Users will be able to log into dbt Cloud by navigating to https://YOUR_ACCESS_URL/enterprise-login/LOGIN-SLUG, replacing YOUR_ACCESS_URL with the appropriate Access URL for your region and plan. Login slugs must be unique across all dbt Cloud accounts, so pick a slug that uniquely identifies your company. |

Configuring the application in dbt Cloud

Click Save to complete setup for the Okta integration. From here, you can navigate to the URL generated for your account's slug to test logging in with Okta. Additionally, users added to the Okta app will be able to log in to dbt Cloud from Okta directly.

Logging in

Users can now log into dbt Cloud by navigating to the following URL, replacing LOGIN-SLUG with the value used in the previous steps and YOUR_ACCESS_URL with the appropriate Access URL for your region and plan:

https://YOUR_ACCESS_URL/enterprise-login/LOGIN-SLUG

Setting up RBAC

Now that you have completed setting up SSO with Okta, the next step is to set up RBAC groups to complete your access control configuration.