
Okta (OIDC)

Note: Okta SSO is available for both SaaS and dedicated cloud installations of Datafold.

Create Okta App Integration

Info: Creating an App Integration in Okta may require admin privileges.

Start the integration by creating a web app integration in Okta.

Next, log in to the Okta interface, navigate to Applications and click Create App Integration.

Then, in the configuration form, select OpenID Connect (OIDC) and Web Application as the Application Type.

In the following section, you will set:

  • App integration name: A name to identify the integration. We suggest you use Datafold.

  • Grant type: Should be set to Authorization code automatically.

  • Sign-in redirect URI: https://app.datafold.com/oauth/okta/client_id, where client_id is the Client ID of the configuration.

    Caution: You will only be given the Client ID after saving the integration, so you need to come back and update this redirect URI with the Client ID afterwards.

  • Sign-out redirect URIs: Leave this empty.

  • Trusted Origins: Leave this empty too.

  • Assignments: Select Skip group assignment for now. Later you should assign the correct groups and users.

  • Click "Save" to create the app integration in Okta.

Once the save is successful, the next screen presents the Client ID and Client Secret. You need the Client ID now to update the redirect URI that Datafold expects, and you will apply both the Client ID and the Client Secret in the Datafold integration later.

  • Edit "General settings"
  • Scroll down to the Login section
  • Update the Sign-in redirect URI. See above for details.
  • Click "Save" to persist the changes.

Set Up Okta-initiated login

Tip: Organization admins will always be able to log in with either password or Okta. Non-admin users will be required to log in through Okta once it is configured.

This step is optional and should be done at the discretion of the Okta administrator.

Users in your organization can log in to the application directly from the Okta end-user dashboard. To enable this feature, configure the integration as follows:

  1. Edit "General settings"
  2. Set Login initiated by to Either Okta or App.
  3. Set Application visibility to Display application icon to users.
  4. Set Login flow to Redirect to app to initiate login (OIDC Compliant).
  5. Set Initiate login URI:
    • https://app.datafold.com/login/sso/client-id?action=desired_action
    • Replace client-id with the Client ID of the configuration, and
    • Replace desired_action with signup if you enabled users auto-creation, or login otherwise.

  6. Click "Save" to persist the changes.

The Okta configuration is now complete.

Configure Okta in Datafold

To finish the configuration, create an Okta integration in Datafold by navigating to Settings > Integrations > SSO > Add new integration > Okta.

  • Paste in your Okta Client ID and Client Secret.

  • The Metadata URL of the Okta OAuth server is https://<okta-server-name>/.well-known/openid-configuration; replace <okta-server-name> with your Okta domain.

  • If you'd like to auto-create users in Datafold that are authorized in Okta, enable the Allow Okta to auto-create users in Organization switch.

  • Finally, click Save.

Tip: Users can either be explicitly invited in Datafold by an admin user, using the same email address as in Okta, or they can be auto-created. When the signup action is set in the login URI, users authenticated on Okta who have been assigned to the Datafold application in Okta will be able to log in. If such a user has not yet been invited, Datafold automatically creates a user for them, since they are already authenticated by the Okta server of your domain. The user then receives an email to confirm their email address.

Synchronize state with Datafold [Optional]

This step is essential if you want to ensure that users from your organization are automatically logged out when they are unassigned or deactivated in Okta.

  1. Navigate to Okta Admin panel > Workflow > Event Hooks

  2. Click Create Event Hook

  3. Set Name to Datafold

  4. Set URL to https://app.datafold.com/hooks/oauth/okta/<client-id>

  5. Set Authentication field to secret

  6. Go to Datafold and generate a secret token in Settings > Integrations > SSO > Okta: click the Generate button, copy the token with the Copy button and click Save. Paste the copied token into the Authentication secret field in Okta.

Caution: Keep this secret token safe, as you won't be able to see it after saving your integration.

  7. In Subscribe to events add the events: User suspended, User deactivated, Deactivate application, User unassigned from app

  8. Click Save & Continue

  9. On Verify Endpoint Ownership click Verify

  • If the verification is successful, you have completed the setup.
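To make the event hook contract concrete, here is an added example of the receiver-side logic such a hook endpoint needs: it checks the shared secret on every request (constant-time compare), answers Okta's one-time ownership verification challenge, and maps the four subscribed events to the users whose Datafold sessions should be ended. This is illustrative code written for this page, not Datafold's implementation; it assumes the standard Okta event hook shapes (a GET carrying an X-Okta-Verification-Challenge header, and POSTs whose JSON body lists events under data.events), and the secret value and email addresses are constructed.

```python
import hmac
import json

# Constructed for this example; the real value is the token generated in
# Datafold's SSO settings and pasted into Okta's "Authentication secret".
SHARED_SECRET = "example-secret-token-not-real"
# Header name that Okta sends the secret in ("Authentication field" = secret).
AUTH_HEADER = "secret"

# Okta eventType values behind the four UI names subscribed above.
SIGNOUT_EVENTS = {
    "user.lifecycle.suspend",              # User suspended
    "user.lifecycle.deactivate",           # User deactivated
    "application.lifecycle.deactivate",    # Deactivate application
    "application.user_membership.remove",  # User unassigned from app
}


def handle_event_hook(method, headers, body):
    """Process one hook request; return (status, response_json, users_to_sign_out)."""
    headers = {k.lower(): v for k, v in headers.items()}
    # Reject anything without the correct shared secret before doing any work.
    if not hmac.compare_digest(headers.get(AUTH_HEADER, ""), SHARED_SECRET):
        return 401, {"error": "bad hook secret"}, []
    # One-time endpoint ownership verification: echo the challenge back.
    challenge = headers.get("x-okta-verification-challenge")
    if method == "GET" and challenge:
        return 200, {"verification": challenge}, []
    if method != "POST":
        return 405, {"error": "method not allowed"}, []
    payload = json.loads(body)
    users = set()
    for event in payload.get("data", {}).get("events", []):
        kind = event.get("eventType")
        if kind not in SIGNOUT_EVENTS:
            continue  # unrelated event; nothing to do
        for target in event.get("target", []):
            if target.get("type") == "User" and target.get("alternateId"):
                users.add(target["alternateId"].lower())
            elif target.get("type") == "AppInstance" and kind == "application.lifecycle.deactivate":
                users.add("*")  # whole app deactivated: end every session
    return 200, {"ok": True}, sorted(users)
```

Note that the "Deactivate application" event carries an AppInstance target rather than a user, which is why it is mapped to all sessions.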

Testing the Okta integration

  • Visit https://app.datafold.com
  • Type in your email and wait up to five seconds.
  • The Okta button should switch from disabled to enabled.
  • Click the Okta login button.
  • The browser should be redirected to your Okta domain; authenticate the user there and you should be redirected back to the Datafold application.

If this didn't work, pay close attention to any error messages, or contact support@datafold.com.