Single Sign-On
Single sign-on (SSO) is a session and user authentication tool that lets you securely access multiple applications and services using one set of credentials. We use SAML authentication to configure SSO. See our SAML configuration documentation section to learn how to configure SSO with SAML in Fivetran.
Supported identity providers
We officially support the following identity providers:
- Microsoft Entra ID (formerly Azure Active Directory) / Setup Guide
- Google Workspace / Setup Guide
- Okta / Setup Guide
- OneLogin / Setup Guide
- PingOne / Setup Guide
- RSA SecurID / Setup Guide
You can set up Fivetran from these identity providers' app catalogs (except Google Workspace and PingOne). If you have multiple Fivetran accounts with the same login email, you must log in to Fivetran with your username and password, even if SSO is enabled on all accounts. You can access these accounts in SAML from the applications shown on your SAML provider's homepage.
If you would like us to offer official support for any other identity provider, let us know and we will evaluate your request.
If you would like to try using a SAML 2.0 compliant identity provider that we don’t support, you can attempt it with these settings:
- ACS: https://fivetran.com/login/saml/return
- NameID: must be user's email
- Required custom attributes:
  - FirstName - user's first name
  - LastName - user's last name
- Required signing option: Sign SAML assertion
- Application's Entity ID: the identifier used as the audience for the SAML response. If you have multiple Fivetran accounts, each one needs its own application Entity ID.
This method is not fully supported and may not work with an identity provider that does not support our requirements. If you run into issues we would be happy to evaluate adding official support for your identity provider.
Sample SAML 2.0 response
Below is a template SAML 2.0 response that shows every element our service provider endpoint expects. Replace all ALL-CAPS placeholders with real values from your identity provider.
```xml
<!-- POST to https://fivetran.com/login/saml/return -->
<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_RESP_ID_123456789"
    Version="2.0"
    IssueInstant="2026-01-07T12:34:56Z"
    Destination="https://fivetran.com/login/saml/return"
    InResponseTo="_SP_REQUEST_ID_987654321">
  <saml:Issuer>https://IDP.EXAMPLE.COM/</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_ASSERT_ID_ABCDE" IssueInstant="2026-01-07T12:34:56Z" Version="2.0">
    <saml:Issuer>https://IDP.EXAMPLE.COM/</saml:Issuer>
    <!-- Signature must cover the <saml:Assertion> element -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <!-- SignedInfo / SignatureValue / KeyInfo go here; algorithm RSA-SHA256 -->
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
        USER.EMAIL@EXAMPLE.COM
      </saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            InResponseTo="_SP_REQUEST_ID_987654321"
            NotOnOrAfter="2026-01-07T12:39:56Z"
            Recipient="https://fivetran.com/login/saml/return"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2026-01-07T12:29:56Z"
                     NotOnOrAfter="2026-01-07T13:34:56Z">
      <saml:AudienceRestriction>
        <saml:Audience>FIVETRAN_ACCOUNT_ENTITY_ID</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2026-01-07T12:34:30Z" SessionIndex="_SESSION_24680">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>
          urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName">
        <saml:AttributeValue>GIVEN_NAME</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="LastName">
        <saml:AttributeValue>SURNAME</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
```
Field mapping checklist
| Field | Value |
|---|---|
| NameID | Must be the user's email address; this is how we identify the user |
| Audience | Must match the Application Identifier (Entity ID) you entered in the SAML configuration; each account needs its own unique value |
| Destination and Recipient | Must be https://fivetran.com/login/saml/return |
| FirstName and LastName attributes | Required; no other attributes are needed |
Requirements
- Signature: must use RSA-SHA256 and cover the entire `<saml:Assertion>` element. Include the IdP's X.509 certificate in without `-----BEGIN CERTIFICATE-----` markers.
- Binding: the IdP must POST the response to the ACS URL. HTTP-Redirect is not supported.
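When testing an identity provider that is not on the supported list, the checklist and requirements above can be run as a pre-flight lint over a response captured from your own IdP. The following is an added example, not Fivetran's code: the function name `lint_saml_response`, the sample response and the entity ID `example-entity-id` are constructed for illustration, and the checks are structural only (the signature is not verified cryptographically).

```python
import re
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS = "https://fivetran.com/login/saml/return"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def lint_saml_response(xml_text, entity_id):
    """Structural checks only (no cryptographic verification). Returns a list of problems."""
    root = ET.fromstring(xml_text)  # run only on responses captured from your own IdP
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["no saml:Assertion element"]
    problems = []
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if root.get("Destination") != ACS or scd is None or scd.get("Recipient") != ACS:
        problems.append("Destination/Recipient is not the ACS URL")
    name_id = a.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id):
        problems.append("NameID is not an email address")
    audiences = [(e.text or "").strip() for e in a.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience does not match the Entity ID")
    attrs = {e.get("Name"): e.findtext("saml:AttributeValue", "", NS).strip()
             for e in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    problems += [f"missing attribute {n}" for n in ("FirstName", "LastName") if not attrs.get(n)]
    # The signature must sit inside the assertion and reference the assertion's own ID.
    method = a.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if method is None or method.get("Algorithm") != RSA_SHA256:
        problems.append("assertion signature is missing or not RSA-SHA256")
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        problems.append("signature does not reference the assertion ID")
    return problems

# Constructed sample, trimmed to the elements the checks read; LastName is left out on purpose.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 xmlns:ds="{NS['ds']}" Destination="{ACS}"><saml:Assertion ID="_a1">
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
  <ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:NameID>user@example.com</saml:NameID><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="{ACS}"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>example-entity-id</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="FirstName">
  <saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""
if __name__ == "__main__":
    print(lint_saml_response(SAMPLE, "example-entity-id"))
```

An empty list means every structural check passed. A signature placed on the `<samlp:Response>` element alone is reported as missing, because the lookup is scoped to the assertion.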