SSO in DataRobot Managed AI Cloud¶
Availability information
Availability of single sign-on (SSO) is dependent on your DataRobot package. If it is not enabled for your organization, contact your DataRobot representative.
Required permission: Enable SAML SSO
DataRobot allows you to use external services (Identity Providers, known as IdPs) for user authentication through single sign-on (SSO) technology. DataRobot's SSO support is based on the SAML 2.0 protocol. To use SAML SSO in DataRobot, you must make changes to both the IdP and service provider (DataRobot) configurations.
The basic workflow for configuring SAML SSO is as follows:
- Review and complete the prerequisites.
- Configure SSO in your identity provider and identify DataRobot as the service provider.
- Configure SSO in DataRobot:
  - Choose a configuration option to set up the Entity ID and IdP metadata.
  - Use mapping to define how attributes, groups, and roles are synchronized between DataRobot and the IdP.
  - Set SSO requirements, including making SSO optional or required for all users.
Prerequisites¶
Make sure the following prerequisites are met before starting the SAML SSO configuration process:
- SAML for SSO is enabled.
- The organization has at least one Org/System admin; the admin will be responsible for SAML SSO configuration once it is enabled.
Contact your DataRobot representative to enable SAML SSO, and if necessary, to set up the first Org/System admin user (that user can then assign additional users to the Org/System admin role).
The following sections describe the configuration necessary to enable SAML SSO for use with DataRobot. Admins can access the information required for setup on DataRobot's SAML SSO configuration page, which is reached from Settings > Manage SSO.
Identity Provider (IdP) configuration¶
Note
- Because configurations differ among IdPs, refer to your provider's documentation for related instructions.
- DataRobot does not provide a file containing the metadata required for IdP configuration; you must manually configure this information.
When configuring the IdP, you must create a new SAML application with your IdP and identify DataRobot as the service provider (SP) by providing SP sign-in and sign-out URLs.
To retrieve this information in DataRobot, go to Settings > Manage SSO and locate Service provider details, which lists URL details.
Use the root URL with the organization name appended. The organization name is the name assigned to your business by DataRobot, entered in lowercase with no spaces.
The following table describes the URLs:
URL type | Root URL | Description | Okta example |
---|---|---|---|
SP initiated login URL | app.datarobot.com/sso/sign-in/<org_name> | The endpoint URL that the IdP receives service provider requests from (where the requests originate). | Recipient URL |
IdP initiated login URL | app.datarobot.com/sso/signed-in/<org_name> | The endpoint URL that receives the SAML sign-in request from the IdP. | Single sign-on URL |
IdP initiated logout URL | app.datarobot.com/sso/sign-out/<org_name> | Optional. The endpoint URL that receives the SAML sign-out request from the IdP. | N/A |
The tabs below provide example instructions for finishing IdP configuration in Okta, PingOne, and Azure Active Directory.
Third-party application screenshots
The following images were accurate at the time they were taken, however, they may not reflect the current user interface of the third-party application.
Make sure that the following required configuration is complete on the IdP side—this example uses Okta.
- If you don't already have an Okta developer account, sign up for free using your GitHub username or email.
- In Okta, click Applications > Applications in the left-hand navigation.
- Click Create App Integration, select SAML 2.0, and click Next.
- On the General Settings tab, enter a name for the application and click Next.
- On the Configure SAML tab, fill in the following fields:
  - Single sign-on URL
  - Audience URI (SP Entity ID)
  - Attribute Statement for username
  Note
  The Single sign-on URL has signed-in at the end. The attribute username must be set to user.email in order for SSO login to be successful with DataRobot.
- On the Feedback tab, select I’m a software vendor and click Finish.
- With your new application selected, click Applications > Assignments and assign People or Groups to your app.
- On the Sign On tab, locate the SAML Signing Certificates section. Next to SHA-2, select Actions > View IdP metadata and copy the IdP metadata link address—you will need this to configure SSO in DataRobot.
Make sure that the following required configuration is complete on the IdP side—this example uses PingOne.
Configure the PingOne SSO Environment
- In PingIdentity, navigate to the Your Environments page and click Add Environment.
- Select Customer solution and click Next.
- Click Next again.
- Name the environment (TestDataRobotSSOEnv in this example) and click Finish.
Configure a PingOne SSO Application
- Select the PingOne Environment you want to use to house your SSO application (TestDataRobotSSOEnv in this example).
- Click the Add a SAML app tile and open the Connections tab.
- Click the + icon to the right of Applications.
- Name the application (TestDataRobotSSOApp in this example), select SAML Application, and click Configure.
- Select Manually Enter; then copy and paste the following:
  - Copy the IdP initiated login URL from DataRobot and paste it in the ACS URLs field.
  - Copy the Entity ID from DataRobot and paste it in the Entity ID field.
- Click Save.
- On the Configuration tab, click the pencil icon.
- Make sure Sign Assertion & Response is selected.
- Scroll down to the Subject Named Format dropdown. Click the dropdown and select urn:oasis:names:tc:SAML:2.0:name-id:transient.
- Click Save.
- Use the toggle to turn on the TestDataRobotSSOApp PingOne application.
- Save the IDP Metadata URL. You will need this to configure SSO in DataRobot.
Map Attributes
- Click the Attribute Mappings tab and click the pencil icon.
- Next to saml_subject, change the PingOne Mapping to Email Address. Click Add, enter username under Attributes, and select Email address for the PingOne Mapping.
- Click Save.
Make sure that the following required configuration is complete on the IdP side—this example uses Azure Active Directory.
- Sign in to Azure as a cloud application admin.
- Navigate to Azure Active Directory > Enterprise applications and click + Create your own application.
- Name the application, select Integrate any other application you don't find in the gallery (Non-gallery), and click Add.
- On the Overview page, select Set up single sign on and select SAML as the single sign-on method.
- Click the pencil icon to the right of Basic SAML Configuration. Populate the following fields:
  - For Identifier (Entity ID), enter an arbitrary string.
  - For Reply URL (Assertion Consumer Service URL), enter <domain>/sso/saml/signed-in/.
- Click Save.
- Click the pencil icon to the right of User Attributes & Claims. Delete all default additional claims and add a claim with the following values:
  - username as Name.
  - Attribute as Source.
  - user.userprincipalname as Source attribute.
  Note
  If the form prevents you from saving without a Namespace value, provide any string, click Save, and then edit it again to remove the Namespace value. After saving, the new claim appears in the table.
- To make sure the test account has access to the application, open Users and groups in the left-hand navigation and click Add user.
- Copy the Identifier (Entity ID) and App Federation Metadata URL—you will need these values to configure SSO in DataRobot.
After configuring SSO in the IdP, you can now configure SSO in DataRobot.
DataRobot configuration¶
Now, configure the IdP in DataRobot.
Saving progress
At any point in your configuration, and at configuration completion, click Save and Authorize. The button is only active when the minimum required fields are complete.
Configuration options¶
After configuring the IdP, you must configure SSO in DataRobot by setting up an Entity ID and IdP Metadata for your organization. There are two Entity IDs—one from the service provider (DataRobot) and one from the IdP:
- The Entity ID entered in the DataRobot SSO configuration is a unique string that serves as the service provider entity ID. This is what you enter when configuring service provider metadata for the DataRobot-specific SAML application on the IdP side.
- If manually configuring IdP metadata for the DataRobot-side configuration, the Issuer field is the unique identifier of the Identity Provider (IdP), found on the IdP DataRobot-specific SAML application configuration. Normally, it is a URL of an identity provider.
When logged in as an admin, open Settings > Manage SSO and click the Configure using dropdown to see the three options available to configure the IdP parameters (described in the tabs below).
Complete the following fields:
Field | Description |
---|---|
Name | Specify a meaningful name for the IdP configuration (for example, the organization name). This name will be used in the service provider details URL fields. Enter the name in lowercase, with no spaces. The value entered in this field updates the values provided in the Service provider details section. |
Entity ID | An arbitrary, unique-per-organization string (for example, myorg_saml) that serves as the service provider Entity ID. Enter this value to establish a common identifier between DataRobot (SP) app and IdP SAML application. |
Metadata URL | A URL provided by the IdP that points to an XML document with integration-specific information. The endpoint must be accessible to the DataRobot application. (For a local file, use the Metadata file option.) |
Verify IdP Metadata HTTPS Certificate | If toggled on, the host certificate is validated for a given metadata URL. |
Select Metadata file to provide IdP metadata as XML content.
Complete the following fields:
Field | Description |
---|---|
Name | Specify a meaningful name for the IdP configuration (for example, the organization name). This name will be used in the service provider details URL fields. Enter the name in lowercase, with no spaces. The value entered in this field updates the values provided in the Service provider details section. |
Entity ID | An arbitrary, unique-per-organization string (for example, myorg_saml) that serves as the service provider Entity ID. Enter this value to establish a common identifier between the DataRobot (SP) app and the IdP SAML application. |
Metadata file | An XML document, provided by the IdP, with integration-specific information. Use this if the IdP did not provide a metadata URL. |
Select Manual settings if IdP metadata is not available.
Complete the following fields:
Field | Description |
---|---|
Name | Specify a meaningful name for the IdP configuration (for example, the organization name). This name will be used in the service provider details URL fields. Enter the name in lowercase, with no spaces. The value entered in this field updates the values provided in the Service provider details section. |
Entity ID | An arbitrary, unique-per-organization string (for example, myorg_saml) that serves as the service provider Entity ID. Enter this value when manually configuring the IdP application for DataRobot. |
Identity Provider Single Sign-On URL | The URL that DataRobot contacts to initiate login authentication for the user. This is obtained from the SAML application you created for DataRobot in the IdP configuration. |
Identity Provider Single Sign-Out URL (optional) | The URL that DataRobot directs the user’s browser to after logout. This is obtained from the SAML application you created for DataRobot in the IdP configuration. If left blank, DataRobot redirects to the root DataRobot site. |
Issuer | The IdP-provided Entity ID obtained from the SAML application you created for DataRobot in the IdP configuration. Note: Although the DataRobot UI shows this as optional, it is not and must be set correctly. |
Certificate | The X.509 certificate, pasted or uploaded. The certificate is used for validating IdP signatures. This is obtained from the SAML application you created for DataRobot in the IdP configuration. |
Mapping¶
All three configuration options allow you to define how attributes, groups, and roles are synchronized between DataRobot and the IdP.
Mappings allow you to automatically provision users on DataRobot based on their settings in the IdP configuration. They also prevent individuals from teams not configured for DataRobot from entering the system.
Adding mappings both adds more restrictions on who can access DataRobot and controls which assets users can access. Without mappings, anyone in your organization who was manually added to the DataRobot system by an administrator can access the platform.
Mapping example
J_Doe joins Company A on Team A and J's manager sends a link to DataRobot. When J clicks the link, J's profile is automatically created in the DataRobot system based on the mappings from the identity provider. Permissions are assigned based on the role as defined by J's company and how that role is defined in the IdP configuration.
On the other hand, let's say J joins Company A on Team B, but Team B isn’t configured to use DataRobot. If J's manager sends J a DataRobot link, when J clicks the link, access to DataRobot is denied and no user record is created.
You can set up the following mappings:
Attribute mapping allows you to map DataRobot attributes (data about the user) to the fields of the SAML response. In other words, because DataRobot and the IdP may use different names, this section allows you to configure the name of the field in the SAML response where DataRobot updates the user's display name, first name, last name, and email.
Groups mapping allows you to create an unlimited number of mappings between IdP groups and existing DataRobot groups. Mappings can only be one-to-one.
To configure, set:
Field | Description |
---|---|
Group attribute | The name, in the SAML response, that identifies the string as a group name. |
DataRobot group | The name of an existing DataRobot group to which the user will be assigned. |
Identity provider group | The name of the IdP group to which the user belongs. |
Roles mapping allows you to create an unlimited number of mappings between IdP and DataRobot roles. Mappings can be one-to-one, one-to-many, or many-to-many.
To configure, set:
Field | Description |
---|---|
Role attribute | The name, in the SAML response, that identifies the string as a named user role. |
DataRobot role | The name of the DataRobot role to assign to the user. |
Identity provider role | The name of the role in the IdP configuration that is assigned to the user. |
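To make the three mapping kinds concrete, here is an added Python illustration (not DataRobot's implementation) of how a SAML attribute statement would be turned into a user record under the attribute mapping, a one-to-one group mapping and many-to-many role mappings, including the Team B case from the mapping example above, where no mapped group matches and no user record is created. Every attribute, group and role name is an assumed placeholder.

```python
# Constructed mapping configuration in the shape of the page's Mapping tables; every
# attribute, group and role name here is a placeholder, not a DataRobot default.
ATTRIBUTE_MAP = {"username": "username", "email": "username",
                 "first_name": "givenName", "last_name": "sn"}
GROUP_ATTRIBUTE = "memberOf"                   # "Group attribute" in the SAML response
GROUP_MAP = {"team-a": "Team A"}               # Identity provider group -> DataRobot group
ROLE_ATTRIBUTE = "roles"                       # "Role attribute" in the SAML response
ROLE_MAP = [("data-scientist", "Modeler"),     # Identity provider role -> DataRobot role;
            ("data-scientist", "Deployer"),    # many-to-many, so one IdP role may grant
            ("analyst", "Modeler")]            # several DataRobot roles and vice versa


class AccessDenied(Exception):
    """No configured mapping admits this user, so no user record is created."""


def provision(saml_attrs):
    """Build a user record from a SAML attribute statement ({name: [values]}) or raise."""
    def first(name):
        values = saml_attrs.get(name) or []
        return values[0] if values else None

    username = first(ATTRIBUTE_MAP["username"])
    if not username:
        raise AccessDenied(f"assertion lacks the {ATTRIBUTE_MAP['username']!r} attribute")
    # Group mapping is one-to-one and acts as a gate: with mappings configured, a user
    # who belongs to no mapped IdP group (the page's Team B case) is refused entry.
    groups = [GROUP_MAP[g] for g in saml_attrs.get(GROUP_ATTRIBUTE, []) if g in GROUP_MAP]
    if GROUP_MAP and not groups:
        raise AccessDenied(f"{username}: no mapped group among {saml_attrs.get(GROUP_ATTRIBUTE)}")
    # Role mapping is many-to-many: the user gets every DataRobot role any held IdP role maps to.
    held = set(saml_attrs.get(ROLE_ATTRIBUTE, []))
    roles = sorted({dr_role for idp_role, dr_role in ROLE_MAP if idp_role in held})
    return {"username": username, "email": first(ATTRIBUTE_MAP["email"]),
            "first_name": first(ATTRIBUTE_MAP["first_name"]),
            "last_name": first(ATTRIBUTE_MAP["last_name"]),
            "groups": groups, "roles": roles}


# Constructed attribute statements for the page's J_Doe scenario (Team A mapped, Team B not).
TEAM_A_ASSERTION = {"username": ["j.doe@company-a.example"], "givenName": ["J"], "sn": ["Doe"],
                    "memberOf": ["team-a"], "roles": ["data-scientist"]}
TEAM_B_ASSERTION = {"username": ["j.doe@company-a.example"], "givenName": ["J"], "sn": ["Doe"],
                    "memberOf": ["team-b"], "roles": ["analyst"]}
```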
Set SSO requirements¶
After all fields are validated and the connection is successful, choose whether to make SSO optional or required using the toggles.
Toggle | Description |
---|---|
Enable single sign-on | Makes SSO optional for users. If enabled, users have the option to sign into DataRobot using SSO or another authentication method (i.e., username/password). |
Enforce single sign-on | Makes SSO required for users. If enabled, users in the organization must sign in using SSO. |
Note
Do not enforce sign on until you have completed configuration and testing.
Once SSO is configured, provide users with the SP initiated login URL to sign into DataRobot (found under Manage SSO > Service Provider Details). Managed AI Cloud users cannot access SSO via the login screen at app.datarobot.com.
After clicking the SSO button in DataRobot, users are redirected to the IdP's authentication page and then redirected back to DataRobot after successful sign on.