
SSO in DataRobot Managed AI Cloud

Availability information

Availability of single sign-on (SSO) is dependent on your DataRobot package. If it is not enabled for your organization, contact your DataRobot representative.

Required permission: Enable SAML SSO

DataRobot allows you to use external services (Identity Providers, known as IdPs) for user authentication through single sign-on (SSO) technology. DataRobot's SSO support is based on the SAML 2.0 protocol. To use SAML SSO in DataRobot, you must make changes to both the IdP and service provider (DataRobot) configurations.

The basic workflow for configuring SAML SSO is as follows:

  1. Review and complete the prerequisites.
  2. Configure SSO in your identity provider and identify DataRobot as the service provider.
  3. Configure SSO in DataRobot:

    • Choose a configuration option to set up the Entity ID and IdP metadata.
    • Use mapping to define how attributes, groups, and roles are synchronized between DataRobot and the IdP.

    • Set SSO requirements, including making SSO optional or required for all users.

Prerequisites

Make sure the following prerequisites are met before starting the SAML SSO configuration process:

  • SAML for SSO is enabled.
  • The organization has at least one Org/System admin; the admin will be responsible for SAML SSO configuration once it is enabled.

Contact your DataRobot representative to enable SAML SSO, and if necessary, to set up the first Org/System admin user (that user can then assign additional users to the Org/System admin role).

The following describes the configuration necessary to enable SAML SSO with DataRobot. Admins can access the information required for setup on DataRobot's SAML SSO configuration page, available from Settings > Manage SSO:

Identity Provider (IdP) configuration

Note

  • Because configurations differ among IdPs, refer to your provider's documentation for related instructions.
  • DataRobot does not publish a service provider (SP) metadata file for import into the IdP; you must enter the SP URLs and Entity ID in the IdP manually.

When configuring the IdP, you must create a new SAML application with your IdP and identify DataRobot as the service provider (SP) by providing SP sign-in and sign-out URLs.

To retrieve this information in DataRobot, go to Settings > Manage SSO and locate Service provider details, which lists URL details.

Use the root URL with the organization name appended. The organization name is the name assigned to your business by DataRobot, entered in lowercase with no spaces.

The following describes each URL, its root URL, and the matching field in Okta:

  • SP initiated login URL
    Root URL: app.datarobot.com/sso/sign-in/<org_name>
    Description: The DataRobot endpoint where an SP-initiated login starts. DataRobot redirects the browser from here to the IdP with the authentication request; this is the URL you give to users.
    Okta field: Recipient URL

  • IdP initiated login URL
    Root URL: app.datarobot.com/sso/signed-in/<org_name>
    Description: The Assertion Consumer Service endpoint that receives the SAML response (the signed assertion) from the IdP after the user authenticates.
    Okta field: Single sign-on URL

  • IdP initiated logout URL
    Root URL: app.datarobot.com/sso/sign-out/<org_name>
    Description: Optional. The endpoint that receives the SAML sign-out request from the IdP.
    Okta field: N/A

The tabs below provide example instructions for finishing IdP configuration in Okta, PingOne, and Azure Active Directory.

Third-party application screenshots

The following images were accurate at the time they were taken, however, they may not reflect the current user interface of the third-party application.

Make sure that the following required configuration is complete on the IdP side—this example uses Okta.

  1. If you don't already have an Okta developer account, sign up for free using your GitHub username or email.
  2. In Okta, click Applications > Applications in the left-hand navigation.
  3. Click Create App Integration, select SAML 2.0, and click Next.

  4. On the General Settings tab, enter a name for the application and click Next.

  5. On the Configure SAML tab, fill in the following fields:

    • Single sign-on URL
    • Audience URI (SP Entity ID)
    • Attribute Statement for username

    Note

    The Single sign-on URL ends in signed-in (the IdP initiated login URL above), not sign-in. The username attribute must be set to user.email; DataRobot identifies the user by this attribute, so SSO login fails without it.

  6. On the Feedback tab, select I’m a software vendor and click Finish.

  7. With your new application selected, click Applications > Assignments and assign People or Groups to your app.

  8. On the Sign On tab, locate the SAML Signing Certificates section. Next to SHA-2, select Actions > View IdP metadata and copy the IdP metadata link address—you will need this to configure SSO in DataRobot.

Make sure that the following required configuration is complete on the IdP side—this example uses PingOne.

Configure the PingOne SSO Environment

  1. In PingIdentity, navigate to the Your Environments page and click Add Environment.

  2. Select Customer solution and click Next.

  3. Click Next again.

  4. Name the environment (TestDataRobotSSOEnv in this example) and click Finish.

Configure a PingOne SSO Application

  1. Select the PingOne Environment you want to use to house your SSO application (TestDataRobotSSOEnv in this example).

  2. Click the Add a SAML app tile and open the Connections tab.

  3. Click the + icon to the right of Applications.

  4. Name the application (TestDataRobotSSOApp in this example), select SAML Application, and click Configure.

  5. Select Manually Enter; then copy and paste the service provider details from DataRobot (the URLs and Entity ID shown under Settings > Manage SSO > Service provider details).

  6. Click Save.

  7. On the Configuration tab, click the pencil icon.

  8. Make sure Sign Assertion & Response is selected.

  9. Scroll down to the Subject NameID Format dropdown. Click the dropdown and select urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

  10. Click Save.

  11. Use the toggle to turn on the TestDataRobotSSOApp PingOne application.

  12. Save the IDP Metadata URL. You will need this to configure SSO in DataRobot.

Map Attributes

  1. Click the Attribute Mappings tab and click the pencil icon.

  2. Next to saml_subject, change the PingOne Mapping to Email Address. Click Add, enter username under Attributes, and select Email Address for the PingOne Mapping.

  3. Click Save.

Make sure that the following required configuration is complete on the IdP side—this example uses Azure Active Directory.

  1. Sign in to Azure as a cloud application admin.
  2. Navigate to Azure Active Directory > Enterprise applications and click + Create your own application.

  3. Name the application, select Integrate any other application you don't find in the gallery (Non-gallery), and click Add.

  4. On the Overview page, select Set up single sign on and select SAML as the single sign-on method.

  5. Click the pencil icon to the right of Basic SAML Configuration. Populate the following fields:

    • For Identifier (Entity ID), enter the string you will use as the Entity ID in the DataRobot SSO configuration (an arbitrary value, but the two must match exactly).
    • For Reply URL (Assertion Consumer Service URL), enter <domain>/sso/saml/signed-in/.

  6. Click Save.

  7. Click the pencil icon to the right of User Attributes & Claims. Delete all default additional claims and add the following claim:

    • Name: username
    • Source: Attribute
    • Source attribute: user.userprincipalname

    Note

    If the form prevents you from saving without a Namespace value, provide any string, click Save, and then edit it again to remove the Namespace value. After saving, the new claim appears in the table.

  8. To make sure the test account has access to the application, open Users and groups in the left-hand navigation and click Add user.

  9. Copy the Identifier (Entity ID) and App Federation Metadata URL—you will need these values to configure SSO in DataRobot.

After configuring SSO in the IdP, you can now configure SSO in DataRobot.

DataRobot configuration

Now, configure the IdP in DataRobot.

Saving progress

At any point in your configuration, and at configuration completion, click Save and Authorize. The button is only active when the minimum required fields are complete.

Configuration options

After configuring the IdP, you must configure SSO in DataRobot by setting up an Entity ID and IdP Metadata for your organization. There are two Entity IDs—one from the service provider (DataRobot) and one from the IdP:

  • The Entity ID entered in the DataRobot SSO configuration is a unique string that serves as the service provider entity ID. This is what you enter when configuring service provider metadata for the DataRobot-specific SAML application on the IdP side.
  • If manually configuring IdP metadata for the DataRobot-side configuration, the Issuer field is the unique identifier of the Identity Provider (IdP), found on the IdP DataRobot-specific SAML application configuration. Normally, it is a URL of an identity provider.

When logged in as an admin, open Settings > Manage SSO and click the Configure using dropdown to see the three options available to configure the IdP parameters (described in the tabs below).

Select Metadata URL to have DataRobot fetch the IdP metadata from a URL the IdP publishes (Okta's IdP metadata link, PingOne's IDP Metadata URL, or Azure's App Federation Metadata URL).

Complete the following fields:

  • Name: A meaningful name for the IdP configuration (for example, the organization name). This name is used in the service provider details URL fields. Enter it in lowercase, with no spaces. The value entered here updates the values shown in the Service provider details section.
  • Entity ID: An arbitrary, unique-per-organization string (for example, myorg_saml) that serves as the service provider Entity ID. Enter the same value in the IdP SAML application (Audience URI / Identifier) so that DataRobot (SP) and the IdP application share one identifier.
  • Metadata URL: A URL provided by the IdP that points to an XML document with integration-specific information. The endpoint must be reachable from the DataRobot application. (For a local file, use the Metadata file option.)
  • Verify IdP Metadata HTTPS Certificate: If toggled on, the TLS certificate of the host serving the metadata URL is validated before the metadata is trusted. Leave this on: the metadata carries the IdP's signing certificate, so fetching it without verifying the host would let anyone able to intercept that connection substitute their own signing key.

Select Metadata file to provide IdP metadata as XML content.

Complete the following fields:

  • Name: A meaningful name for the IdP configuration (for example, the organization name). This name is used in the service provider details URL fields. Enter it in lowercase, with no spaces. The value entered here updates the values shown in the Service provider details section.
  • Entity ID: An arbitrary, unique-per-organization string (for example, myorg_saml) that serves as the service provider Entity ID. Enter the same value in the IdP SAML application so that DataRobot (SP) and the IdP application share one identifier.
  • Metadata file: An XML document, provided by the IdP, with integration-specific information. Use this if the IdP did not provide a metadata URL.

Select Manual settings if IdP metadata is not available.

Complete the following fields:

  • Name: A meaningful name for the IdP configuration (for example, the organization name). This name is used in the service provider details URL fields. Enter it in lowercase, with no spaces. The value entered here updates the values shown in the Service provider details section.
  • Entity ID: An arbitrary, unique-per-organization string (for example, myorg_saml) that serves as the service provider Entity ID. Enter this value when manually configuring the IdP application for DataRobot.
  • Identity Provider Single Sign-On URL: The IdP URL to which DataRobot sends the user's browser to start authentication. Obtain it from the SAML application you created for DataRobot in the IdP configuration.
  • Identity Provider Single Sign-Out URL (optional): The URL that DataRobot directs the user's browser to after logout. Obtain it from the SAML application you created for DataRobot in the IdP configuration. If left blank, DataRobot redirects to the root DataRobot site.
  • Issuer: The IdP-provided Entity ID obtained from the SAML application you created for DataRobot in the IdP configuration. Note: Although the DataRobot UI shows this as optional, it is not and must be set correctly; it is the value DataRobot compares with the Issuer in incoming assertions.
  • Certificate: The IdP's X.509 signing certificate, pasted or uploaded. DataRobot uses it to validate the signatures on IdP assertions. Obtain it from the SAML application you created for DataRobot in the IdP configuration.
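The Manual settings values are all present in the IdP metadata document that each IdP above publishes at its metadata URL. The following is an added example (not DataRobot's code or any IdP's) that reads such a document and pulls out the Issuer (entityID), the single sign-on and sign-out URLs, and the signing certificate, wrapping the certificate as PEM for the Certificate field and fingerprinting it so you can compare it with what the IdP console shows. The sample metadata, its URLs and its certificate are constructed placeholders (the certificate is not real X.509 data), and picking the HTTP-Redirect binding by default is an assumption; pass BINDING_POST if your IdP application uses the POST binding.

```python
"""Derive the Manual settings values (Issuer, SSO URL, sign-out URL and the
signing certificate) from an IdP's SAML metadata XML and fingerprint the cert.

Added example for this page, not DataRobot or IdP code. Only the standard
library is used. SAMPLE_METADATA is constructed to mirror what Okta, PingOne
or Azure publish at their metadata URL; its certificate is a placeholder
byte string, not a real X.509 certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata (hypothetical IdP URLs; placeholder certificate).
PLACEHOLDER_CERT_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/exk1234">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(PLACEHOLDER_CERT_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{BINDING_REDIRECT}"
        Location="https://idp.example.com/app/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="{BINDING_POST}"
        Location="https://idp.example.com/app/sso/post"/>
    <md:SingleSignOnService Binding="{BINDING_REDIRECT}"
        Location="https://idp.example.com/app/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(b64_body: str) -> str:
    """Wrap the bare base64 certificate found in metadata as PEM, the form
    the Certificate field accepts when pasted."""
    body = "".join(b64_body.split())
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str, binding: str = BINDING_REDIRECT) -> dict:
    """Return the values to enter under Manual settings, selecting the
    SSO/SLO endpoints for the given binding (Redirect by default: assumption)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    def endpoint(service: str):
        for el in idp.findall(f"md:{service}", NS):
            if el.get("Binding") == binding:
                return el.get("Location")
        return None

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())
            der = base64.b64decode(b64)
            signing_certs.append({
                "pem": to_pem(b64),
                # Compare this with the fingerprint shown in the IdP console
                # before trusting metadata fetched over the network.
                "sha256": hashlib.sha256(der).hexdigest(),
            })
    if not signing_certs:
        raise ValueError("no signing certificate in metadata; assertions could not be validated")

    return {
        "issuer": root.get("entityID"),               # Issuer (IdP Entity ID)
        "sso_url": endpoint("SingleSignOnService"),   # Identity Provider Single Sign-On URL
        "slo_url": endpoint("SingleLogoutService"),   # Identity Provider Single Sign-Out URL
        "signing_certs": signing_certs,
    }


if __name__ == "__main__":
    settings = parse_idp_metadata(SAMPLE_METADATA)
    for key in ("issuer", "sso_url", "slo_url"):
        print(f"{key}: {settings[key]}")
    for c in settings["signing_certs"]:
        print(f"signing cert sha256: {c['sha256']}")
        print(c["pem"])
```

Fetch real metadata only over HTTPS with certificate verification, which is what the Verify IdP Metadata HTTPS Certificate toggle enforces when DataRobot does the fetch: the metadata is what tells the service provider which key signs assertions, so an unverified fetch amounts to trusting whatever key an interceptor supplies.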

Mapping

All three configuration options allow you to define how attributes, groups, and roles are synchronized between DataRobot and the IdP.

Mappings allow DataRobot to provision users automatically from the values the IdP sends in the SAML response. They also keep out individuals from teams that are not configured for DataRobot: a user whose IdP groups match no mapping is refused, and no user record is created.

Adding mappings therefore both restricts who can access DataRobot and controls which assets users can access once inside. Without mappings, anyone in your organization whom an administrator manually added to DataRobot can access the platform.

Mapping example

J_Doe joins Company A on Team A, and J's manager sends J a link to DataRobot. When J clicks the link, J's profile is created automatically in DataRobot based on the mappings from the identity provider. Permissions are assigned according to the role J's company defines and how that role is mapped in the IdP configuration.

On the other hand, suppose J joins Company A on Team B, and Team B is not configured to use DataRobot. If J's manager sends J a DataRobot link, clicking it results in access being denied, and no user record is created.

You can set up the following mappings:

Attribute mapping allows you to map DataRobot attributes (data about the user) to the fields of the SAML response. In other words, because DataRobot and the IdP may use different names, this section allows you to configure the name of the field in the SAML response where DataRobot updates the user's display name, first name, last name, and email.

Groups mapping allows you to create an unlimited number of mappings between IdP groups and existing DataRobot groups. Mappings can only be one-to-one.

To configure, set:

  • Group attribute: The attribute name, in the SAML response, whose values are group names.
  • DataRobot group: The name of an existing DataRobot group to which the user will be assigned.
  • Identity provider group: The name of the IdP group to which the user belongs.

Roles mapping allows you to create an unlimited number of mappings between IdP and DataRobot roles. Mappings can be one-to-one, one-to-many, or many-to-many.

To configure, set:

  • Role attribute: The attribute name, in the SAML response, whose values are user role names.
  • DataRobot role: The name of the DataRobot role to assign to the user.
  • Identity provider role: The name of the role in the IdP configuration that is assigned to the user.
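The following added example illustrates the mapping semantics described above (one-to-one group mappings, many-to-many role mappings, attribute mapping for email and name fields) together with the Issuer and Entity ID checks from the configuration options. It is not DataRobot's implementation: the configuration, attribute names, group and role names, and the unsigned SAML responses that build_response() constructs are all hypothetical, and signature verification is deliberately left out because it would happen before this step. The Team A / Team B outcomes from the mapping example above are reproduced, and an assertion from an unexpected issuer or addressed to a different Entity ID is refused as well.

```python
"""Check a SAML response against the configured Issuer and Entity ID, then
apply attribute, group and role mappings the way this page describes them.

Added example for this page; it illustrates the mapping semantics, not
DataRobot's implementation. CONFIG, the attribute names and the responses
built by build_response() are constructed for illustration. Signature
verification is deliberately out of scope and would happen before this step.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed configuration mirroring the Manage SSO fields (hypothetical values).
CONFIG = {
    "entity_id": "myorg_saml",                    # SP Entity ID (Audience)
    "issuer": "https://idp.example.com/exk1234",  # IdP Entity ID (Issuer)
    # Attribute mapping: DataRobot attribute -> attribute name in the SAML response
    "attributes": {"email": "username", "first_name": "firstName",
                   "last_name": "lastName", "display_name": "displayName"},
    # Groups mapping: one-to-one, IdP group -> existing DataRobot group
    "group_attribute": "groups",
    "groups": {"team-a-ds": "Team A"},
    # Roles mapping: many-to-many, IdP role -> DataRobot roles
    "role_attribute": "roles",
    "roles": {"analyst": ["Data Scientist"],
              "ml-lead": ["Data Scientist", "Org Admin"]},
}


class AccessDenied(Exception):
    """Sign-in refused; no user record is created."""


def build_response(issuer: str, audience: str, attrs: dict) -> str:
    """Constructed, unsigned SAML Response like the one an IdP posts to the
    IdP initiated login URL. attrs maps attribute Name -> list of values."""
    def attribute(name, values):
        vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        return f'<saml:Attribute Name="{name}">{vals}</saml:Attribute>'
    statement = "".join(attribute(n, v) for n, v in attrs.items())
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
        f"<saml:Issuer>{issuer}</saml:Issuer><saml:Assertion>"
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "<saml:Conditions><saml:AudienceRestriction>"
        f"<saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{statement}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )


def provision(response_xml: str, config: dict) -> dict:
    """Validate issuer and audience, then map the assertion to a user record."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise AccessDenied("response carries no Assertion")

    # Issuer must equal the configured IdP Entity ID; the Issuer field is not
    # optional, whatever the UI suggests.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != config["issuer"]:
        raise AccessDenied(f"issuer {issuer!r} is not the configured IdP")
    # The assertion must name this SP's Entity ID as its audience.
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if config["entity_id"] not in audiences:
        raise AccessDenied("assertion is not addressed to this service provider")

    attrs = {
        a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    }

    # Attribute mapping: read each DataRobot field from its SAML attribute name.
    user = {field: (attrs.get(name) or [None])[0]
            for field, name in config["attributes"].items()}
    if not user["email"]:
        raise AccessDenied(f"attribute {config['attributes']['email']!r} (email) missing")

    # Groups mapping is one-to-one; unmapped IdP groups are ignored and a user
    # with no mapped group is refused (Team B in the page's example).
    idp_groups = attrs.get(config["group_attribute"], [])
    user["groups"] = sorted({config["groups"][g] for g in idp_groups if g in config["groups"]})
    if not user["groups"]:
        raise AccessDenied("none of the user's IdP groups is mapped to DataRobot")

    # Roles mapping is many-to-many: the union of all DataRobot roles reached
    # from any of the user's IdP roles (an unmapped role grants nothing: assumption).
    idp_roles = attrs.get(config["role_attribute"], [])
    user["roles"] = sorted({r for ir in idp_roles for r in config["roles"].get(ir, [])})
    return user


def sso_login(response_xml: str, config: dict = CONFIG) -> tuple:
    """Return ("allow", user) or ("deny", reason) for a SAML response."""
    try:
        return "allow", provision(response_xml, config)
    except AccessDenied as exc:
        return "deny", str(exc)


if __name__ == "__main__":
    team_a = build_response(CONFIG["issuer"], CONFIG["entity_id"], {
        "username": ["j.doe@company-a.example"], "firstName": ["J"],
        "lastName": ["Doe"], "groups": ["team-a-ds", "all-staff"], "roles": ["analyst"]})
    print(sso_login(team_a))
    team_b = build_response(CONFIG["issuer"], CONFIG["entity_id"], {
        "username": ["j.doe@company-a.example"], "groups": ["team-b"], "roles": ["ml-lead"]})
    print(sso_login(team_b))
```

The issuer and audience checks run before any mapping is consulted: an assertion that a different IdP signed, or that was issued for another organization's Entity ID, never reaches the provisioning step, which is why the Entity ID must be unique per organization and the Issuer must be set exactly.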

Set SSO requirements

After all fields are validated and connection is successful, choose whether to make SSO optional or required using the toggles.

  • Enable single sign-on: Makes SSO optional for users. If enabled, users can sign in to DataRobot using SSO or another authentication method (for example, username and password).
  • Enforce single sign-on: Makes SSO required for users. If enabled, users in the organization must sign in using SSO.

Note

Do not enforce sign on until you have completed configuration and testing.

Once SSO is configured, provide users with the SP initiated login URL to sign into DataRobot (found under Manage SSO > Service Provider Details). Managed AI Cloud users cannot access SSO via the login screen at app.datarobot.com.

After clicking the SSO button in DataRobot, users are redirected to the IdP's authentication page and then redirected back to DataRobot after successful sign on.


Updated January 4, 2023