Single Sign-On Using Microsoft Entra ID

Follow our guide to set up single sign-on (SSO) into Fivetran using the Fivetran Microsoft Entra ID (formerly Azure Active Directory) gallery application.

Prerequisites

To use Microsoft Entra ID SSO with Fivetran, you need Azure and Fivetran accounts.

In Azure

Add and configure the Fivetran application

1. Log in to your Azure account and go to the Microsoft Entra ID service.

   

2. In the left menu, select Enterprise Applications.

   

3. Click New Application.

   

4. Enter Fivetran in the search box.

5. Select the Fivetran application.

6. Click Create.

   

7. In the Getting Started section, select Set up single sign on.

   

8. Under Select a single sign-on method, select SAML.

   

9. In the Save single sign-on modal, click No, I'll save later.

   

10. In the Basic SAML Configuration box, click Edit.

    

11. Click Save. The settings are pre-configured.

    

12. Click Edit in the Attributes & Claims section.

    

13. Click + Add new claim.

    

14. Manage the claim:

    i. Enter FirstName in the Name field.

    ii. Select user.givenname as the Source attribute.

    iii. Click Save.

    iv. Close the Manage claim window.

    

15. Add another claim:

    i. Click + Add new claim.

    ii. Enter a LastName in the Name field.

    iii. Select user.surname as the Source attribute.

    iv. Click Save.

    v. Close the Manage claim window.

16. In the Test single sign-on with Fivetran modal, click No, I'll test later.

17. In the left menu, go to Users and groups.

    

18. Click Add user.

    

19. Click on the Users list item and add the users to whom you want to grant access to Fivetran. Then, click Assign.

    

Get Sign on URL, Issuer, Public certificate, and Application identifier

To complete setup in Fivetran, you need the Sign on URL, Issuer, Public certificate, and Application identifier. Follow these steps to get them:

1. Return to the Single sign-on page of your Fivetran application in Microsoft Entra ID.

   

2. Make a note of the Identifier (Entity ID). This is Application identifier (Entity ID) in Fivetran.

3. Make a note of the Login URL. This is Sign on URL in Fivetran.

4. Make a note of the Microsoft Entra ID Identifier. This is the Issuer in Fivetran.

5. To get the Public certificate, download the Federation Metadata XML file.

   

6. Open the downloaded Federation Metadata XML file in any text editor. The certificate is a string inside the X509Certificate XML tag. Make a note of it. You will enter it in the Public certificate field in Fivetran.

   

In Fivetran

NOTE: By default, Fivetran allows Just-In-Time (JIT) user provisioning. If you don't have a Fivetran user for the specified Microsoft Entra ID user, the Fivetran user will be created automatically with the read-only access. To grant the newly created user the relevant role with the corresponding permissions, log in as a Fivetran user with the Users: Manage permission and manage the user's roles and permissions on the Users tab of the Users & Permissions page.

1. In Fivetran, click Account Settings > General.

2. On the Account Settings tab, under Authentication Settings, switch the Enable SAML authentication toggle to ON.

3. Under SAML Config, in the Sign on URL, Issuer, Public certificate, and Application identifier (Entity Id) fields, enter the values you found in Step 2.

   

4. Click Save Config. You'll see the message Account settings successfully saved.

Testing SSO (Optional)

To test SSO, follow these steps:

1. Go to https://myapps.microsoft.com.
2. Log in to the account you have granted access to.
3. Click the Fivetran button. You will be redirected to your Fivetran dashboard.

Restrict login to SSO

Follow the steps below to restrict logins to SSO only:

1. Log in to the Fivetran dashboard.
2. In the bottom left menu, click Account Settings > General.
3. Go to the Account Settings tab.
4. In the Authentication Settings section, set the Required authentication type to SAML or Google OAuth.

NOTE: When the Required authentication type is set to None, users can log in either with SSO or with their email and password.