SSO in DataRobot Managed AI Cloud¶
Availability information
Availability of single sign-on (SSO) is dependent on your DataRobot package. If it is not enabled for your organization, contact your DataRobot representative.
Required permission: "Enable SAML SSO"
DataRobot allows you to use external services (Identity Providers, known as IdPs) for user authentication through single sign-on (SSO) technology. DataRobot's SSO support is based on the SAML 2.0 protocol. To use SAML SSO in DataRobot, you will make changes to both the IdP and service provider (DataRobot) configurations.
Prerequisites¶
Before starting the SAML SSO configuration process:
- SAML for SSO must be enabled.
- The organization must have at least one Org/System admin; the admin will be responsible for SAML SSO configuration once it is enabled.
Contact your DataRobot representative to enable SAML SSO, and if necessary, to set up the first Org/System admin user (that user can then assign additional users to the Org/System admin role).
The following describes configuration necessary to enable SAML SSO for use with DataRobot. You will need information provided on DataRobobt's SAML SSO configuration page, which can be accessed from Settings > Manage SSO:
Identity Provider (IdP) configuration¶
To configure SAML SSO, you must first create a new SAML application with your IdP, identifying DataRobot as the service provider (SP). DataRobot does not provide a file containing the metadata required for IdP configuration, you must make complete manual configuration.
Note
Because configurations differ among IdPs, refer to your provider's documentation for related instructions.
The IdP SAML application/client setup will require the following information from the DataRobot SAML SSO configuration. Refer to the Service provider details section on the configuration screen for URL details:
| Requirement | Description | idaptive example |
|---|---|---|
| Service provider identifier | A string value that identifies the service provider. This must be the same string as the “Entity ID” field value from the DataRobot SSO configuration page. | SP Entity ID / Issuer / Audience |
| An endpoint URL from the service provider (DataRobot) that is responsible for receiving the SAML assertion from IdP. | The “IdP initiated login URL” field value (shown in the image above) from the DataRobot SSO configuration page. | Assertion Consumer Service URL |
Additionally, make sure that the following required configuration is complete on the IdP side. These images use the Idaptive (IdP) for illustration.
-
Note, both the Response and the Assertion must be signed. For example, when configuring Idaptive:
-
Map an attribute named “username” to the email field for the user (as per the IdP), to be included in the SAML response:
You can optionally include additional fields in the SAML response. These fields should correspond to the user attributes in the DataRobot SSO configuration page:
- Display name
- First name
- Last name
Finally, you must assign users—in the IdP—to the DataRobot application so that they can log in to DataRobot using their SSO credentials. To ensure everything is set up correctly between DataRobot and the IdP, best practice recommends you start by assigning a single user and test that access before assigning additional users.
DataRobot configuration¶
When logged in as an Org/System admin, open Settings > Manage SSO to see the three options available for setting up Entity ID and IdP Metadata for an organization, each described below.
At any point in your configuration, and at configuration completion, click Save and Authorize. The button is only active when the minimum required fields are complete.
"Entity ID" unsolicited¶
There are two entity IDs—one from the service provider (DataRobot) and from the IdP.
-
The Entity ID entered in the DataRobot SSO configuration is a unique string that serves as the service provider entity ID. This is what you enter when configuring service provider metadata for the DataRobot-specific SAML application on the IdP side.
-
If manually configuring IdP metadata for the DataRobot-side configuration, the Issuer field is the unique identifier of the Identity Provider (IdP), found on the IdP DataRobot-specific SAML application configuration. Normally, it is a URL of an identity provider.
Use a metadata URL¶
Complete the following fields:
| Field | Description |
|---|---|
| Name | Specify a meaningful name for the IdP configuration (for example, the organization name). This name will be used in the service provider details URL fields. Enter the name in lowercase, with no spaces. The value entered in this field updates the values provided in the Service provider details section. |
| Entity ID | An arbitrary, unique-per-organization string (for example, myorg_saml) that serves as the service provider Entity ID. Enter this value to establish a common identifier between DataRobot (SP) app and IdP SAML application. |
| Metadata URL | A URL provided by the IdP that points to an XML document with integration-specific information. The endpoint must be accessible to the DataRobot application. (For a local file, use the Metadata file option.) |
| Verify IdP Metadata HTTPS Certificate | If toggled on, the host certificate is validated for a given metadata URL. |
Upload a metadata file¶
Complete the following fields:
| Field | Description |
|---|---|
| Name | Specify a meaningful name for the IdP configuration (for example, the organization name). This name will be used in the service provider details URL fields. Enter the name in lowercase, with no spaces. The value entered in this field updates the values provided in the Service provider details section. |
| Entity ID | An arbitrary, unique-per-organization string (for example, myorg_saml) that serves as the service provider Entity ID. Enter this value to set a matching between DataRobot (SP) app and IdP SAML application. |
| Metadata file | An XML document, provided by the IdP, with integration-specific information. Use this if the IdP did not provide a metadata URL. |
Use manual settings¶
Complete the following fields:
| Field | Description |
|---|---|
| Name | Specify a meaningful name for the IdP configuration (for example, the organization name). This name will be used in the service provider details URL fields. Enter the name in lowercase, with no spaces. The value entered in this field updates the values provided in the Service provider details section. |
| Entity ID | An arbitrary, unique-per-organization string (for example, myorg_saml) that serves as the service provider Entity ID. Enter this value when manually configuring the IdP application for DataRobot. |
| Identity Provider Single Sign-On URL | The URL that DataRobot contacts to initiate login authentication for the user. This is obtained from the SAML application you created for DataRobot in the IdP configuration. |
| Identity Provider Single Sign-Out URL (optional) | The URL that DataRobot directs the user’s browser to after logout. This is obtained from the SAML application you created for DataRobot in the IdP configuration. If left blank, DatRobot redirects to the root DataRobot site. |
| Issuer | The IdP-provided Entity ID obtained from the SAML application you created for DataRobot in the IdP configuration. Note: Although the DataRobot UI shows this as optional, it is not and must be set correctly. |
| Certificate | The X.509 certificate, pasted or uploaded. Certificate is used for validating IdP signatures. This is obtained from the SAML application you created for DataRobot in the IdP configuration. |
Map DataRobot-to-IdP¶
All three configuration options allow you to set up mappings between your identity provider and DataRobot.
Mappings allow you to automatically provision users on DataRobot based on their settings in the IdP configuration. It also prevents individuals from teams not configured for DataRobot from entering the system. For example:
J_Doe joins Company A on Team A and J's manager sends a link to DataRobot. When J click's on the link, s/he's profile is automatically created in the DataRobot system based on the mappings from the identity provider. Permissions are assigned based on the role as defined by J's company and how that role is defined in the IdP configuration.
On the other hand, let's say J joins Company A on Team B, but Team B isn’t configured to use DataRobot. If J's manager send J a DataRobot link, when s/he clicks on the link access to DataRobot is denied and no user record is created.
Adding mappings both adds more restrictions on who can access DataRobot and also controls what users can access. Without mappings, anyone in your organization who was manually added to the DataRobot system by an administrator can access the platform.
You can set up the following mappings:
Attributes mapping¶
Attribute mapping allows you to map DataRobot attributes (data about the user) to the fields of the SAML response. In other words, because DataRobot and the IdP may use different names, this section allows you to configure the name of the field in the SAML response where DataRobot updates the user's display name, first name, last name, and email.
Groups mapping¶
Use the Groups mapping to create an unlimited number of mappings between IdP groups and existing DataRobot groups. Mappings can be one-to-one, one-to-many, or many-to-many.
To configure, set:
- Group attribute: The name, in the SAML response, that identifies the string as a group name.
- DataRobot group: The name of an existing DataRobot group to which the user will be assigned.
- Identity provider group: The name of the IdP group to which the user belongs.
Roles mapping¶
Use the Roles mapping to create an unlimited number of mappings between IdP and DataRobot roles. Mappings can be one-to-one, one-to-many, or many-to-many.
To configure, set:
- Role attribute: The name, in the SAML response, that identifies the string as a named user role.
- DataRobot role: The name of the DataRobot role to assign to the user.
- Identity provider role: The name of the role in the IdP configuration that is assigned to the user.
Set SSO requirements¶
After all fields are validated and connection is successful, choose whether to Enable single sign-on (making SSO optional for users) or Enforce single sign-on (making SSO required).
Note
Do not enforce sign on until you have completed configuration and testing.
If you have selected to enforce SSO, the username and password login is hidden and only the SSO login displays:
If SSO is optional, users can choose their login method:
In either case, if SSO is the login method, users are redirected to the IdP's authentication page after clicking the SSO button and then redirected to DataRobot after successful sign on.
Service provider details¶
When configuring the IdP, you must supply service provider sign-in and sign-out URLs from DataRobot. These are listed under Service provider details on the Single sign-on page.
Use the root URL, with the organization name appended. The organization name is the name assigned to your business by DataRobot, entered in lowercase with no spaces.
The following table describes the URLs:
| URL type | Root URL | Description | Okta example |
|---|---|---|---|
| SP initiated login URL | app.datarobot.com/sso/sign-in/<org_name> | The endpoint URL that the IdP receives service provider requests from (where the requests originate). | Recipient URL |
| IdP initiated login URL | app.datarobot.com/sso/signed-in/<org_name> | The endpoint URL that receives the SAML sign-in request from the IdP. | Single sign-on URL |
| IdP initiated logout URL | app.datarobot.com/sso/sign-out/<org_name> | Optional. The endpoint URL that receives the SAML sign-out request from the IdP. | N/A |