
Authentication

This section describes authentication in DataRobot.

| Topic | Describes... |
|---|---|
| SSO | Configure DataRobot and an external Identity Provider (IdP) for user authentication via single sign-on (SSO). |
| Two-factor authentication | Set up two-factor authentication (2FA). |
| API key management | Access tools for working with prediction requests for the DataRobot API. |

Authentication in DataRobot

DataRobot ensures authentication and security using a variety of techniques. When using the database connectivity feature, for example, you are prompted for your database username and password credentials each time you perform an operation that accesses your organization's data sources. The password is encrypted before passing through DataRobot components and is only decrypted when DataRobot establishes a connection to the database. DataRobot does not store the username or password in any format.

To log into the application website, users can authenticate by providing a username and password, or they can delegate authentication to Google. The authentication process is handled over HTTPS using TLS 1.2 to the application server. When the user sets their password, it is securely stored in the database pictured above. Before the password is stored, it is hashed and uniquely salted using SHA-512 and further protected with Password-Based Key Derivation Function 2 (PBKDF2). The original password is discarded and never permanently stored.

To log into the application website, users can authenticate by providing a username and password, or they can delegate authentication to LDAP. SSO using SAML 2.0 is also supported. The authentication process is handled over HTTPS using TLS 1.2 to the application server. When the user sets their password, it is securely stored in the database pictured above. Before the password is stored, it is hashed and uniquely salted using SHA-512 and further protected with Password-Based Key Derivation Function 2 (PBKDF2). The original password is discarded and never permanently stored.
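The salted PBKDF2 with SHA-512 storage described in the two paragraphs above, as an added Python example (not DataRobot's code). The function names, record layout, iteration count, and salt length are assumptions, since the page does not state them.

```python
import hashlib
import hmac
import secrets

# Assumed parameters: the page names SHA-512 and PBKDF2 but states no
# iteration count, salt length, or storage format.
SCHEME = "pbkdf2_sha512"
ITERATIONS = 210_000
SALT_BYTES = 16


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)


def hash_password(password: str) -> str:
    """Build the record to store; the plaintext itself is never stored."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    key = _derive(password, salt, ITERATIONS)
    return "$".join([SCHEME, str(ITERATIONS), salt.hex(), key.hex()])


def _parse(record: str):
    """Split a stored record; raises ValueError if it is malformed."""
    scheme, iterations, salt_hex, key_hex = record.split("$")
    if scheme != SCHEME or not 1 <= int(iterations) <= 10_000_000:
        raise ValueError("unsupported record")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(key_hex)


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the stored salt and compare in constant time."""
    try:
        iterations, salt, expected = _parse(record)
    except ValueError:
        return False
    return hmac.compare_digest(_derive(password, salt, iterations), expected)


def needs_rehash(record: str) -> bool:
    """True when a record is malformed or below the current iteration policy."""
    try:
        iterations, _, _ = _parse(record)
    except ValueError:
        return True
    return iterations < ITERATIONS
```

Storing the iteration count inside each record lets the policy be raised later: `needs_rehash` flags older records so they can be re-derived at the user's next successful login.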

DataRobot also provides enhancements to password-based authentication, including support for multifactor authentication (MFA) with software tokens generated using Time-based One-time Password (TOTP).

All API communications use TLS 1.2 to protect the confidentiality of authentication materials. When interacting with the DataRobot API, authentication is performed using a bearer token contained in the HTTP Authorization header. Use the same authentication method when interacting with prediction servers via the API. While it is possible to authenticate using a username and API token (basic authentication) or an API token alone, these authentication methods are deprecated and not recommended. An additional HTTP header named datarobot-key is also required to further limit access to the prediction servers.


Updated May 2, 2023