Authenticating Dataedo Portal with Okta (with SAML)

Applies to: Dataedo 24.x (current) versions, Article available also for: 10.x, 23.x

This guide will show how to configure Dataedo to work with a SAML identity provider. For this article, we'll be using Okta as the IdP, but similar steps can be taken for other providers too.

Initial configuration in Okta (SAML provider)

Login to Okta, then find the Applications > Applications tab:

Image title

Click the Create App Integration button, and select SAML 2.0, then click Next.

Image title

Choose an App name and logo, then click Next.

Image title

In the next screen, type in the address your Dataedo Portal will be accessed on followed by /api/api/auth/assertion-consumer (for example http://your-Dataedo-Web.address/api/api/auth/assertion-consumer).

Type in a uniquely identifying name of your choice in the Audience URI field. Note this name – you will need it for the issuer field in Dataedo settings.

Image title

Click Next, then fill the Feedback form or continue by pressing Finish.

You should see the Sign On settings screen looking like this:

Image title

Now you need to pass configuration info from Okta to Dataedo Web. The easiest way is to copy the link to dynamic configuration. To do this, right-click the Identity Provider metadata link and choose the Copy link address option. You will need this link later.

Image title

Make sure to assign users allowed access in the Assignments tab.

Configuring SAML in Dataedo Web settings file

Follow this section for Dataedo installed on a Windows machine.

Find the installation path of Dataedo Web (default address is: *C:\Users\\AppData\Local\Dataedo Web*), then go to Applications\API\ subfolder.

Right click and edit the appsettings.json file, and find the Saml2 section:

  "Saml2": {
    "IdPMetadata": "",
    "Issuer": "",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "CertificateValidationMode": "ChainTrust",
    "RevocationMode": "NoCheck"
  },

Paste the Identity Provider metadata link in the IdPMetadata field (alternatively, paste in the path for the metadata xml file).

Paste the name specified before in the Audience URI field in Okta in the Issuer field (you can check it in the SAML settings > Audience Restriction field in Okta).

If required, correct the signature algorithm if you don’t use the default RSA_SHA256 algorithm - for example, for RSA_SHA1 the field should have the http://www.w3.org/2001/04/xmldsig-more#rsa-sha1 value.

Find the Saml2Client section:

  "Saml2Client": {
    "DisplayName": "",
    "ClientUrl": "http://192.168.0.21:80"
  },

Fill the DisplayName field – this will be the name shown when logging in to Dataedo for the Identity Provider.

Make sure the ClientUrl field correctly leads to your Dataedo Web address.

After changes, the edited parts should look like this:

  "Saml2": {
    "IdPMetadata": "https://dev-09528757.okta.com/app/exk1cy8saliBpdSUh5d7/sso/saml/metadata",
    "Issuer": "unique_identifier",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "CertificateValidationMode": "ChainTrust",
    "RevocationMode": "NoCheck"
  },
  "Saml2Client": {
    "DisplayName": "Okta SAML",
    "ClientUrl": "http://192.168.0.21:80"
  },

Go to IIS Manager, and restart the Dataedo Web app for changes to take effect.

The next time you open Dataedo Web, you should have an option to login with Okta:

Image title

Clicking it will either take you to the Okta login page or if you’re already logged in, directly to your Dataedo Web page.

Configuring SAML in Dataedo Web Docker image

Follow this section for Web Catalog running from a Docker image.

Open .env file that should be located in same folder as docker-compose.yml file, find Single Sign On section:

    #Single Sign On
    DATAEDO_SSO_IDP_METADATA=
    DATAEDO_SSO_ISSUER=
    DATAEDO_SSO_SIGNATURE_ALGORITHM=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    DATAEDO_SSO_CERTIFICATE_VALIDATION_MODE=ChainTrust
    DATAEDO_SSO_REVOCATION_MODE=NoCheck
    DATAEDO_SSO_DISPLAY_NAME=
    DATAEDO_SSO_CLIENT_URL=

Paste the Identity Provider metadata link in the DATAEDO_SSO_IDP_METADATA field (alternatively, paste in the path for the metadata xml file).

Paste the name specified before in the Audience URI field in Okta in the DATAEDO_SSO_ISSUER field (you can check it in the SAML settings > Audience Restriction field in Okta).

If required, correct the signature algorithm if you don’t use the default RSA_SHA256 algorithm - for example, for RSA_SHA1 the field should have the http://www.w3.org/2001/04/xmldsig-more#rsa-sha1 value.

Fill the DATAEDO_SSO_DISPLAY_NAME field – this will be the name shown when logging in to Dataedo for the Identity Provider. The DisplayName value cannot contain blank spaces (you can use underscore _ instead).

Make sure the DATAEDO_SSO_CLIENT_URL field correctly leads to your Dataedo Web address.

After changes, the edited parts should look like this:

    #Single Sign On
    DATAEDO_SSO_IDP_METADATA="https://dev-09528757.okta.com/app/exk1cy8saliBpdSUh5d7/sso/saml/metadata"
    DATAEDO_SSO_ISSUER="unique_identifier"
    DATAEDO_SSO_SIGNATURE_ALGORITHM=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    DATAEDO_SSO_CERTIFICATE_VALIDATION_MODE=ChainTrust
    DATAEDO_SSO_REVOCATION_MODE=NoCheck
    DATAEDO_SSO_DISPLAY_NAME="Okta_SAML"
    DATAEDO_SSO_CLIENT_URL="https://yourwebiste.com/"

Update your Docker Compose with:

docker-compose up -d

The next time you open Dataedo Web, you should have an option to login with Okta:

Image title

Clicking it will either take you to the Okta login page or if you’re already logged in, directly to your Dataedo Web page.