Single Sign-On Using Okta

Follow our guide to set up single sign-on (SSO) into Fivetran using the Fivetran Okta gallery application.

Prerequisites

To set up Okta SSO with Fivetran, you need an Okta SuperAdmin or AppAdmin account and a Fivetran account with the Account Administrator Account role.

In Okta

Add and configure the Fivetran application

1. Log in to your Okta Admin Console and go to Applications - Applications.

2. Click Browse App Catalog.

   

3. Enter Fivetran in the search box.

4. Select the Fivetran application.

5. Click Add.

6. In the General Settings tab of the Add Fivetran page, leave the pre-configured settings unchanged and click Next.

   

7. In the Sign-On Options tab on the Add Fivetran page, leave the pre-configured settings unchanged and click Done.

   

8. In the Assignments tab on the Fivetran app page, assign the Fivetran app to the users with a Fivetran account.

   NOTE: Fivetran supports Just-In-Time (JIT) user provisioning. If you assign users without a Fivetran account, Fivetran will create new accounts for them with the read-only access. You will need to grant the newly created users the relevant role with the corresponding permissions.

   

Get Sign on URL, Issuer and Public certificate

To complete setup in Fivetran, you need the Sign on URL, Issuer and Public certificate. Follow these steps to get them:

1. In the Sign On tab on the Fivetran app page, click View Setup Instructions.

   

2. Make a note of the Sign on URL, Issuer, and Public certificate values. You will need them to configure Fivetran.

   NOTE: Your public certificate should not include leading and trailing labels such as -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Copy only the value between these labels.

   TIP: When configuring Single Sign-On with Okta in Fivetran, log in to your Okta account and go the Fivetran app page to be able to copy-paste the values.

In Fivetran

NOTE: By default, Fivetran allows Just-In-Time (JIT) user provisioning. If you don't have a Fivetran user for the specified OneLogin user, the Fivetran user will be created automatically with the read-only access. To grant the newly created user the relevant role with the corresponding permissions, log in as a Fivetran user with the Users: Manage permission and manage the user's roles and permissions on the Users tab of the Users & Permissions page.

1. In Fivetran, click Account Settings > General.

2. On the Account Settings tab, under Authentication Settings, switch the Enable SAML authentication toggle to ON.

3. Under SAML Config, in the Sign on URL, Issuer and Public certificate fields, enter the values you found in Step 2.

4. Fill the Application identifier (Entity ID) field with the value Fivetran.

   

5. Click Save Config. You'll see the message Account settings successfully saved.

Testing SSO (Optional)

IMPORTANT: If you assigned the Fivetran app to a user who doesn't have a corresponding Fivetran user, you need to grant them write access after they have been automatically provisioned in your Fivetran account.

To test SSO, follow these steps:

1. In Okta, log in to the Okta End-User Dashboard as the user you have granted access to.
2. Click Fivetran. You will be redirected to your Fivetran dashboard.

Restrict login to SSO

Follow the steps below to restrict logins to SSO only:

1. Log in to the Fivetran dashboard.
2. In the bottom left menu, click Account Settings > General.
3. Go to the Account Settings tab.
4. In the Authentication Settings section, set the Required authentication type to SAML or Google OAuth.

NOTE: When the Required authentication type is set to None, users can log in either with SSO or with their email and password.