Guest Post: Set Up Fivetran SSO With Azure AD in 10 Minutes
This is a guest post by Randy Pitcher, regional technical expert at Hashmap. Before joining Hashmap , he worked in analytics and developer roles at ExxonMobil.
One of the best parts of using an Identity Provider (IdP) like Azure Active Directory is the ability to centralize your user management and access control.
For applications that are Microsoft-native, this management is seamless. For non-Microsoft services, the management can be a pain. Many organizations decide to simply deal with additional sets of username and password combinations or avoid new tools entirely.
Thanks to Microsoft’s hyper-flexible SAML support in Azure Active Directory, you don’t have to choose between modern, strategic solutions and corporate compliance.
In this post, we’re creating a custom SAML connection with Fivetran, the leading fully-managed cloud ELT solution. You should be able to use the general steps in this post to help you add SSO functionality with Azure AD to any modern service that supports SAML-based authentication.
If this is your first exposure to Fivetran, I encourage you to explore the business case for a managed ETL/ELT service. Unless building ELT pipelines is your core business, you should strongly consider offloading this expensive and brittle work to focus on solving business problems instead of reinventing the wheel. Put your skills, time, and money into places that will drive competitive advantage (understanding the modern analytics stack will help with this).
Before we get started, you should have the following:
- Fivetran account (get one here for free if you don’t have one)
- An Azure instance (sign up here for free) with an Active Directory Premium subscription
Also, I found the following articles to be useful for configuring AD as a SAML provider for Fivetran. I’d suggest pulling them up if you get stuck or want more context.
- Fivetran SSO documentation
- Azure AD Custom Enterprise Applications Guide
- Azure AD SAML Configuration Guide
Creating the Enterprise Application in Azure AD
First, we’ll need to create the Enterprise Application in Azure AD.
Sign in to your Azure Portal and go to your Active Directory service:
Go to Enterprise Applications and select Add New Application. This will bring you to the new application menu.
Select Non-Gallery Application, enter Fivetran as the application name, and select Add.
With this new application, we can now set up SAML SSO.
Go to Single Sign-on and select SAML as the SSO method.
Next, edit the Basic SAML Configuration.
In the Identifier (Entity ID)field, enter Fivetran.
In the Reply URL field, enter https://fivetran.com/login/saml/return
Lastly, we need to add 2 custom fields to the User Attributes & Claims section. Fivetran expects to find a FirstName and LastName from the SAML provider.
Select the edit icon on the User Attributes & Claims section in the SAML SSO Set Up.
Select Add New Claims
Enter FirstName as the claim name and user.givenname as the claim source attribute.
Save this, then hit Add New Claims again and enter LastName as the claim name and user.surname as the claim source attribute.
Your Enterprise Application is now fully configured. Now is a good time to go to the Users and Groups section of your application and add yourself and anyone else in your organization that you want to have access to Fivetran.
Enabling SSO in Fivetran
Now, we’ll need to gather 3 values from our Azure AD Enterprise Application that we set up in the previous section. We’ll need:
- the sign-on URL
- the issuer URL
- the x509 certificate string (this isn’t as scary as it sounds)
As we gather each value, paste those in the SSO section of your Fivetran Account Settings page.
Go to your Enterprise Application in Azure AD, go to your Single Sign-on configuration (where we created the SAML integration), and copy the Login URL value in section 4.
Paste this value into the Sign on URL section in your Fivetran SAML settings.
On the same SAML configuration page in Azure for your Enterprise Application, copy the Azure AD Identifier value in section 4. This value is directly below the Login URL from before.
Paste this Azure AD Identifier value into the Issuer section in your Fivetran SAML settings.
x509 Certificate String
For this, you’ll download an XML file from your Enterprise Application, open it with any text editor, and copy a chunk of the file.
First, in the same SAML configuration page in Azure that we’ve been using, download your Federation Metadata XML from section 3.
Open the XML file in a text editor and copy the contents of the X509Certificate tag. It should look something like this (I’ve changed values to avoid sharing my certification string)
The file is not well-formatted when you download it, so don’t be surprised if it’s a little messier than what you see here. The important part is to copy the portion in between the
<X509Certificate> and </X509Certificate>
tags –see how I’ve highlighted it.
Paste this X509Certificate value into the Issuer section in your Fivetran SAML settings and hit save!
Validating the SSO
The last step is to validate the SSO connection. The easiest way is to ensure you’ve added your self as a user to your Azure AD Enterprise Application that we created and follow the user link to log in to Fivetran.
In the Properties section of your Azure AD Enterprise Application, copy the User Access URL
Paste that URL into a new tab in your browser and enjoy your new SSO capability! If you have any issues, feel free to comment below and we’ll try to help you out.
Doublecheck that you’ve pasted your Fivetran SAML values correctly and that you’ve properly added yourself and teammates to the Enterprise Application in the Users and Groups section.
Now that you’ve created a custom SAML connection between Fivetran and Azure AD, check out and start using the Fivetran data source connector directory — it’s expansive with over 120 connectors today and more being added all the time. It’s now up to you to take a modern approach to analytics and start delivering value quicker!