
SSO in DataRobot AI Managed Cloud

Availability information

Single sign on (SSO) is available for Premium and Business Critical subscription packages.

Required permission: "Enable SAML SSO"

DataRobot allows you to use external services (Identity Providers, known as IdPs) for user authentication through single sign on (SSO) technology. DataRobot's SSO support is based on the SAML 2.0 protocol. To use SAML SSO in DataRobot, you will make changes to both the IdP and service provider (DataRobot) configurations.

Prerequisites

Before starting the SAML SSO configuration process:

  • SAML for SSO must be enabled.
  • The organization must have at least one Org/System admin; the admin will be responsible for SAML SSO configuration once it is enabled.

Contact your DataRobot representative to enable SAML SSO, and if necessary, to set up the first Org/System admin user (that user can then assign additional users to the Org/System admin role).

The following describes the configuration necessary to enable SAML SSO for use with DataRobot. You will need information provided on DataRobot's SAML SSO configuration page, which can be accessed from Settings > Manage SSO.

Identity Provider (IdP) configuration

To configure SAML SSO, you must first create a new SAML application with your IdP, identifying DataRobot as the service provider (SP). DataRobot does not provide an SP metadata file for the IdP to import; you must enter the service provider values in the IdP manually.

Note

Because configurations differ among IdPs, refer to your provider's documentation for related instructions.

The IdP SAML application/client setup will require the following information from the DataRobot SAML SSO configuration. Refer to the Service provider details section on the configuration screen for URL details:

Requirement: Service provider identifier
  Description: A string that identifies the service provider. It must be exactly the "Entity ID" field value from the DataRobot SSO configuration page; the IdP places it in the Audience of the assertion, and an assertion whose Audience does not match is not for DataRobot.
  Idaptive example: SP Entity ID / Issuer / Audience

Requirement: Assertion consumer service URL
  Description: The endpoint URL on the service provider (DataRobot) that receives the SAML assertion from the IdP. Use the "IdP initiated login URL" field value from the DataRobot SSO configuration page.
  Idaptive example: Assertion Consumer Service URL

Additionally, make sure that the following required configuration is complete on the IdP side. The examples below use Idaptive as the IdP for illustration.

  1. Configure the IdP to sign both the SAML Response and the Assertion (in Idaptive these are separate signing options). DataRobot validates the signatures with the IdP certificate it has from the metadata or the Certificate field, so an IdP that signs only one of the two will fail the login.

  2. Map an attribute named “username” to the user's email field (as defined in the IdP), so that it is included in the SAML response.

    You can optionally include additional fields in the SAML response. These fields should correspond to the user attributes in the DataRobot SSO configuration page:

    • Display name
    • First name
    • Last name
    • Email

Finally, you must assign users—in the IdP—to the DataRobot application so that they can log in to DataRobot using their SSO credentials. To ensure everything is set up correctly between DataRobot and the IdP, best practice recommends you start by assigning a single user and test that access before assigning additional users.
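As an added example (not part of DataRobot's documentation or product), the following Python script performs a structural pre-flight check on a SAML Response captured from the IdP during the single-user test, against the requirements above: a Signature element directly under both the Response and the Assertion, an Issuer equal to the IdP entity ID, an Audience equal to the DataRobot Entity ID, and a "username" attribute that carries an email address. It checks only the shape of the XML; it does not verify the signatures cryptographically, which DataRobot does against the IdP certificate. The sample response, the SP Entity ID myorg_saml and the IdP issuer https://idp.example.com/saml are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def check_saml_response(xml_text, sp_entity_id, idp_issuer):
    """Structural checks only: returns a dict of named findings plus an overall
    'ok'. Signature *presence* is checked, not signature validity."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)  # an EncryptedAssertion is not handled here
    findings = {}
    # Step 1: the Response and the Assertion each carry their own ds:Signature;
    # a signature on the Response alone does not satisfy the requirement.
    findings["response_signed"] = root.find("ds:Signature", NS) is not None
    findings["assertion_signed"] = (
        assertion is not None and assertion.find("ds:Signature", NS) is not None
    )
    # Issuer must equal the IdP entity ID entered in DataRobot's Issuer field.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    findings["issuer_matches"] = issuer == idp_issuer
    # Audience must equal the SP Entity ID from the DataRobot SSO page; an
    # assertion minted for some other service provider must not be accepted.
    audiences = [
        a.text.strip()
        for a in root.findall(".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    findings["audience_matches"] = sp_entity_id in audiences
    # Step 2: a "username" attribute whose value is the user's email address.
    username = ""
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "username":
            username = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
    findings["username_is_email"] = "@" in username
    findings["ok"] = all(findings.values())
    return findings


# Constructed sample (hypothetical IdP and org names). The Signature elements
# are placeholders, since only their presence is examined.
SP_ENTITY_ID = "myorg_saml"
IDP_ISSUER = "https://idp.example.com/saml"
ASSERTION_SIGNATURE = '<ds:Signature Id="assertion-sig"><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>'
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <ds:Signature Id="response-sig"><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    {ASSERTION_SIGNATURE}
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE, SP_ENTITY_ID, IDP_ISSUER))
    # Same response with the Assertion signature stripped: assertion_signed is False.
    print(check_saml_response(SAMPLE_RESPONSE.replace(ASSERTION_SIGNATURE, ""), SP_ENTITY_ID, IDP_ISSUER))
```

Run it against a response decoded from the SAMLResponse form field of the test user's login; a false assertion_signed with a true response_signed is the typical symptom of an IdP that has only one of the two signing options enabled.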

DataRobot configuration

When logged in as an Org/System admin, open Settings > Manage SSO to see the three options available for setting up Entity ID and IdP Metadata for an organization, each described below.

At any point in your configuration, and at configuration completion, click Save and Authorize. The button is only active when the minimum required fields are complete.

About "Entity ID"

There are two entity IDs: one for the service provider (DataRobot) and one for the IdP.

  • The Entity ID entered in the DataRobot SSO configuration is a unique string that serves as the service provider entity ID. This is what you enter when configuring service provider metadata for the DataRobot-specific SAML application on the IdP side.

  • If you configure the IdP metadata manually on the DataRobot side, the Issuer field is the unique identifier of the IdP, taken from the DataRobot-specific SAML application in the IdP configuration. It is normally a URL of the identity provider, and it must match the Issuer value the IdP places in its responses.

Use a metadata URL

Complete the following fields:

Field Description
Name Specify a meaningful name for the IdP configuration (for example, the organization name). This name will be used in the service provider details URL fields. Enter the name in lowercase, with no spaces. The value entered in this field updates the values provided in the Service provider details section.
Entity ID An arbitrary, unique-per-organization string (for example, myorg_saml) that serves as the service provider Entity ID. Enter this value to establish a common identifier between DataRobot (SP) app and IdP SAML application.
Metadata URL A URL provided by the IdP that points to an XML document with integration-specific information. The endpoint must be accessible to the DataRobot application. (For a local file, use the Metadata file option.)
Verify IdP Metadata HTTPS Certificate If toggled on, the TLS certificate of the host serving the metadata URL is validated. Leave this on: the metadata document carries the IdP signing certificate that DataRobot will trust, so fetching it without certificate validation lets anyone who can intercept the connection substitute their own signing certificate.

Upload a metadata file

Complete the following fields:

Field Description
Name Specify a meaningful name for the IdP configuration (for example, the organization name). This name will be used in the service provider details URL fields. Enter the name in lowercase, with no spaces. The value entered in this field updates the values provided in the Service provider details section.
Entity ID An arbitrary, unique-per-organization string (for example, myorg_saml) that serves as the service provider Entity ID. Enter this value to establish a common identifier between the DataRobot (SP) app and the IdP SAML application.
Metadata file An XML document, provided by the IdP, with integration-specific information. Use this if the IdP did not provide a metadata URL.

Use manual settings

Complete the following fields:

Field Description
Name Specify a meaningful name for the IdP configuration (for example, the organization name). This name will be used in the service provider details URL fields. Enter the name in lowercase, with no spaces. The value entered in this field updates the values provided in the Service provider details section.
Entity ID An arbitrary, unique-per-organization string (for example, myorg_saml) that serves as the service provider Entity ID. Enter this value when manually configuring the IdP application for DataRobot.
Identity Provider Single Sign On URL The URL that DataRobot contacts to initiate login authentication for the user. This is obtained from the SAML application you created for DataRobot in the IdP configuration.
Identity Provider Single Sign-Out URL (optional) The URL that DataRobot directs the user’s browser to after logout. This is obtained from the SAML application you created for DataRobot in the IdP configuration. If left blank, DataRobot redirects to the root DataRobot site.
Issuer The IdP-provided Entity ID obtained from the SAML application you created for DataRobot in the IdP configuration. Note: Although the DataRobot UI shows this as optional, it is not and must be set correctly.
Certificate The IdP's X.509 signing certificate, pasted or uploaded. DataRobot uses it to validate the signatures on the IdP's responses and assertions, so it must be the current signing certificate of the SAML application you created for DataRobot in the IdP configuration; when the IdP rotates its certificate, this field must be updated.
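The three configuration options carry the same information in different forms: everything the manual-settings form asks for is present in an IdP metadata document. As an added example (not DataRobot's code, and not describing how DataRobot parses metadata), the following Python script reads an IdP EntityDescriptor, extracts the Issuer, the Single Sign On and Single Sign-Out URLs and the SHA-256 fingerprints of the signing certificates, and reports which manually typed fields disagree with it. The metadata document, the IdP URLs, the form contents and the certificate bytes are all constructed for the example (the certificate is a placeholder, not real DER).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NS = {"md": MD, "ds": DS}


def cert_fingerprint(cert_text):
    """SHA-256 of the DER bytes of a certificate given either as bare base64 (as
    in metadata) or as a PEM block (as usually pasted into a form)."""
    body = "".join(
        line.strip() for line in cert_text.splitlines() if not line.startswith("-----")
    )
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def parse_idp_metadata(xml_text):
    """Pull the manual-settings values out of an IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("expected an md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP role (no IDPSSODescriptor)")

    def endpoint(name):
        # Prefer the HTTP-Redirect binding, which is what a browser redirect uses;
        # fall back to whatever binding is listed first.
        eps = idp.findall("md:" + name, NS)
        for ep in eps:
            if ep.get("Binding") == REDIRECT:
                return ep.get("Location")
        return eps[0].get("Location") if eps else None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append(cert_fingerprint(c.text))
    return {
        "Issuer": root.get("entityID"),
        "Identity Provider Single Sign On URL": endpoint("SingleSignOnService"),
        "Identity Provider Single Sign-Out URL": endpoint("SingleLogoutService"),
        "signing_cert_sha256": certs,
    }


def diff_against_form(parsed, form):
    """Names of manual-settings fields whose typed value disagrees with the metadata."""
    mismatches = []
    for key in ("Issuer", "Identity Provider Single Sign On URL",
                "Identity Provider Single Sign-Out URL"):
        if form.get(key) and form[key] != parsed[key]:
            mismatches.append(key)
    if form.get("Certificate") and cert_fingerprint(form["Certificate"]) not in parsed["signing_cert_sha256"]:
        mismatches.append("Certificate")
    return mismatches


# Constructed sample data (hypothetical IdP; placeholder certificate bytes).
FAKE_DER = b"constructed placeholder, not a real DER certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
FORM = {  # what an admin typed into "Use manual settings" (constructed)
    "Issuer": "https://idp.example.com/saml",
    "Identity Provider Single Sign On URL": "https://idp.example.com/saml/sso",
    "Identity Provider Single Sign-Out URL": "https://idp.example.com/saml/slo",
    "Certificate": "-----BEGIN CERTIFICATE-----\n" + FAKE_CERT_B64 + "\n-----END CERTIFICATE-----",
}

if __name__ == "__main__":
    parsed = parse_idp_metadata(SAMPLE_METADATA)
    print(parsed)
    print("mismatched fields:", diff_against_form(parsed, FORM))
```

A trailing slash in the Issuer, or a Single Sign On URL copied from the wrong binding, are the usual sources of a login that fails with a valid-looking configuration; comparing against the metadata document rather than against memory catches both.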

Map DataRobot-to-IdP

All three configuration options allow you to set up mappings between your identity provider and DataRobot.

Mappings allow you to automatically provision users on DataRobot based on their settings in the IdP configuration. They also prevent individuals from teams not configured for DataRobot from entering the system. For example:

J_Doe joins Company A on Team A and J's manager sends a link to DataRobot. When J clicks the link, their profile is created automatically in the DataRobot system based on the mappings from the identity provider. Permissions are assigned based on the role as defined by J's company and how that role is defined in the IdP configuration.

On the other hand, let's say J joins Company A on Team B, but Team B isn't configured to use DataRobot. If J's manager sends J a DataRobot link, when they click the link access to DataRobot is denied and no user record is created.

Mappings therefore both restrict who can access DataRobot and control what those users can access. Without mappings, nothing is provisioned automatically: only users who were manually added to the DataRobot system by an administrator can access the platform.

You can set up the following mappings:

Attributes mapping

Attribute mapping allows you to map DataRobot attributes (data about the user) to the fields of the SAML response. Because DataRobot and the IdP may use different names, this section lets you configure the name of the attribute in the SAML response from which DataRobot reads the user's display name, first name, last name, and email.

Groups mapping

Use the Groups mapping to create an unlimited number of mappings between IdP groups and existing DataRobot groups. Mappings can be one-to-one, one-to-many, or many-to-many.

To configure, set:

  • Role attribute: The name of the attribute in the SAML response whose values are group names.
  • DataRobot role: The name of an existing DataRobot group to which the user will be assigned.
  • Identity provider group: The name of the IdP group (a value of the role attribute) to which the user belongs.

Roles mapping

Use the Roles mapping to create an unlimited number of mappings between IdP and DataRobot roles. Mappings can be one-to-one, one-to-many, or many-to-many.

To configure, set:

  • Role attribute: The name of the attribute in the SAML response whose values are user role names.
  • DataRobot role: The name of the DataRobot role to assign to the user.
  • Identity provider group: The name of the role (a value of the role attribute) that the IdP configuration assigns to the user.
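The group and role mappings above are a set of rules, each pairing a value of the role attribute in the SAML response with a DataRobot group or role. As an added example (not DataRobot's implementation, which is not described on this page), the following Python script resolves such rules for a user's attributes, showing one-to-many and many-to-one mappings, the deny-and-create-nothing outcome for a user whose groups match no rule (the "Team B" case above), and the no-mappings case in which only administrator-created users get in. The rule sets, attribute names (groups, role) and users are constructed; that a login is allowed when any group or role rule matches is an assumption of the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class MappingRule:
    role_attribute: str     # attribute Name in the SAML response, e.g. "groups"
    idp_value: str          # the IdP group or role name carried in that attribute
    datarobot_target: str   # an existing DataRobot group, or a DataRobot role


@dataclass
class Provisioning:
    allowed: bool
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)


def _matches(attributes, rules):
    out = set()
    for rule in rules:
        # Multi-valued attributes arrive as several AttributeValue elements; the
        # comparison is exact and case-sensitive, so "Team-A" and "team-a" differ.
        if rule.idp_value in attributes.get(rule.role_attribute, []):
            out.add(rule.datarobot_target)
    return out


def resolve(attributes, group_rules, role_rules, user_exists=False):
    """attributes: {attribute name: [values]} from the SAML AttributeStatement."""
    if not group_rules and not role_rules:
        # No mappings configured: nothing is auto-provisioned; only accounts an
        # administrator already created can log in.
        return Provisioning(allowed=user_exists)
    groups = _matches(attributes, group_rules)
    roles = _matches(attributes, role_rules)
    if not groups and not roles:
        # Nothing matched (the "Team B" case): deny, and create no user record.
        return Provisioning(allowed=False)
    return Provisioning(allowed=True, groups=groups, roles=roles)


# Constructed rules and users (hypothetical group, role and team names).
GROUP_RULES = [
    MappingRule("groups", "team-a", "Data Science"),
    MappingRule("groups", "team-a", "Model Deployers"),   # one IdP group -> two DataRobot groups
    MappingRule("groups", "analytics", "Data Science"),   # two IdP groups -> one DataRobot group
]
ROLE_RULES = [MappingRule("role", "dr-admin", "Org Admin")]
TEAM_A_USER = {"username": ["jdoe@example.com"], "groups": ["team-a", "all-staff"], "role": ["dr-admin"]}
TEAM_B_USER = {"username": ["asmith@example.com"], "groups": ["team-b", "all-staff"]}

if __name__ == "__main__":
    print(resolve(TEAM_A_USER, GROUP_RULES, ROLE_RULES))
    print(resolve(TEAM_B_USER, GROUP_RULES, ROLE_RULES))
    print(resolve(TEAM_B_USER, [], [], user_exists=True))
```

Note that the rules match on the attribute the IdP actually emits: if the IdP sends group membership under a name other than the one entered as the role attribute, every user resolves to "denied", which is the first thing to check when a correctly assigned test user is refused after mappings are added.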

Set SSO requirements

After all fields are validated and connection is successful, choose whether to Enable single sign on (making SSO optional for users) or Enforce single sign on (making SSO required).

Note

Do not enforce sign on until you have completed configuration and testing.

If you have selected to enforce SSO, the username and password login is hidden and only the SSO login is displayed.

If SSO is optional, users can choose their login method.

In either case, if SSO is the login method, users are redirected to the IdP's authentication page after clicking the SSO button and then redirected to DataRobot after successful sign on.

Service provider details

When configuring the IdP, you must supply service provider sign-in and sign-out URLs from DataRobot. These are listed under Service provider details on the Single sign on page.

Use the root URL, with the organization name appended. The organization name is the name assigned to your business by DataRobot, entered in lowercase with no spaces.

The following table describes the URLs:

URL type: SP initiated login URL
  Root URL: app.datarobot.com/sso/sign-in/<org_name>
  Description: The DataRobot endpoint that starts an SP-initiated login. A user who opens this URL is redirected by DataRobot to the IdP's Single Sign On URL with an authentication request.
  Okta example: Recipient URL

URL type: IdP initiated login URL
  Root URL: app.datarobot.com/sso/signed-in/<org_name>
  Description: The DataRobot endpoint that receives the SAML response from the IdP (the assertion consumer service URL). Enter it in the IdP as the assertion consumer / single sign on URL.
  Okta example: Single sign on URL

URL type: IdP initiated logout URL
  Root URL: app.datarobot.com/sso/sign-out/<org_name>
  Description: Optional. The DataRobot endpoint that receives the SAML sign-out request from the IdP.
  Okta example: N/A

Updated November 8, 2021