Single Sign-On Using PingOne

Follow our guide to set up single sign-on (SSO) into Fivetran using the Fivetran PingOne catalog application.

IMPORTANT: Fivetran also supports Ping Federate (SSO).

Prerequisites

To set up PingOne SSO with Fivetran, you need:

• A PingOne Administrator account
• A Fivetran Account Administrator account

In PingOne

Add and configure the Fivetran application

1. Log in to your PingOne account and select the environment you want to connect to Fivetran.

2. Go to Connections > Applications.

   

3. On the Applications page, click +.

4. In the App Application pop-up, enter the Application name (we recommend "Fivetran").

5. (Optional) Enter the description and upload an icon file for the Fivetran app.

   

6. Under the Choose Application Type section, choose SAML Application, then click Configure.

   

7. In the SAML Configuration step, select Manually Enter.

8. In the ACS URLs field, enter https://fivetran.com/login/saml/return.

9. In the Entity ID field, enter "Fivetran". Make a note of it.

   

10. Click Save.

11. On the App details page, go to the Configuration tab, then click the Edit icon.

    

12. Make sure the Sign Assertion option is selected.

    

13. From the SUBJECT NAMEID FORMAT drop-down menu, select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

14. In the ASSERTION VALIDITY DURATION (IN SECONDS) field, enter "60".

    

15. Click Save.

Map attributes

1. On the App details, go the Attribute Mappings, then click Edit.

2. Beside the saml_subject field, choose Email Address from the drop-down menu.

3. Click +Add.

   

4. Enter "FirstName" in the left field and select Given Name in the right menu.

5. Click +Add.

6. Enter "LastName" in the left field and select Family Name in the right menu.

7. Click Save. The Fivetran app is created.

8. Use the toggle in the top-right corner of the page to enable user access to the Fivetran app.

   

Add user details

1. Go to Identities > Users.

2. Click + Add User.

   

3. In the Add User popup, enter the GIVEN NAME and FAMILY NAME of the user you want to add to the Fivetran app.

   

4. In the CONTACT section, enter the EMAIL ADDRESS of the user you want to add to the Fivetran app.

   

5. Scroll down to the COMPANY INFORMATION section. In the USERNAME field, enter the email address of the user you want to add to the Fivetran app .

   

6. Click Save.

7. On the Users page, click the down-arrow icon to expand the added user's details, then click Reset Password.

   

8. Enter a one-time password in the input field. You will need to replace it with a permanent password when you log in for the first time.

9. Click Save.

Add group details

1. Go to Identities > Groups.

2. Click +.

   

3. Specify the Group Name. We recommend "Fivetran".

   

4. Click Save.

5. On the Fivetran group page, go to the Users tab.

   

6. Click + Add Users Individually.

7. Click + to add the Fivetran user to the group.

   

8. Click Save.

Provide access

2. Go to Connections > Applications.

3. Click the Fivetran app.

4. Go to the Access tab.

5. Click the pencil icon.

   

6. Click + to give the Fivetran group access to the Fivetran app.

   

7. Click Save.

NOTE: Fivetran supports Just-In-Time (JIT) user provisioning. If you assign the app to users who don't have a Fivetran account, Fivetran will create new accounts for them with the read-only access. You will need to grant the newly created users the relevant role with the corresponding permissions.

Get Sign on URL, Issuer, Public certificate, and Application Identifier

To complete the setup in Fivetran, you need the following credentials:

• Sign on URL
• Issuer
• Public certificate
• Application Identifier

To find these credentials, do the following:

1. In the PingOne Admin console, open the Fivetran app page and go to the Configuration tab.

   

2. Click Download Signing Certificate and select the X509 PEM (.crt) format.

3. Open the downloaded certificate in a text editor and copy the certificate, which is the string between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- statements. You must enter it in the Public certificate field in Fivetran.

4. Copy the Issuer ID and make a note of it. You must enter it in the Issuer field in Fivetran.

5. Copy the Single Signon Service and make a note of it. You must enter it in the Sign on URL field in Fivetran.

6. Copy the Entity ID and make a note of it. You must enter it in the Application identifier (Entity ID) field in Fivetran.

   

   TIP: When configuring Single Sign-On with PingOne in Fivetran, log in to your PingOne account and go the Fivetran app page to be able to copy-paste the values.

In Fivetran

NOTE: By default, Fivetran allows Just-In-Time (JIT) user provisioning. If you don't have a Fivetran user for the specified OneLogin user, the Fivetran user will be created automatically with the read-only access. To grant the newly created user the relevant role with the corresponding permissions, log in as a Fivetran user with the Users: Manage permission and manage the user's roles and permissions on the Users tab of the Users & Permissions page.

1. In Fivetran, click Account Settings > General.

2. On the Account Settings tab, under Authentication Settings, switch the Enable SAML authentication toggle to ON.

3. Under SAML Config, in the Sign on URL, Issuer, Public certificate, and Application Identifier (Entity ID) fields, enter Single Signon Service, Issuer ID, Download Signing Certificate and Entity ID values you found in Step 6, respectively.

   

4. Click Save Config. You'll see the message Account settings successfully saved.

Testing SSO (Optional)

IMPORTANT: If you assigned the Fivetran app to a user who doesn't have a corresponding Fivetran user, you need to grant them write access after they have been automatically provisioned in your Fivetran account.

To test SSO, follow these steps:

1. In the PingOne Admin console, open the Fivetran app page. Go to the Configuration tab and copy the Initiate Single Sign-On URL. You will need it to log in to Fivetran using SAML SSO.

   

2. In a browser, paste the Initiate Single Sign-On URL to the address bar.

3. Enter the USERNAME you created in Step 3.

4. Enter your PASSWORD. Specify either of the following:

   • the one-time password you created in Step 3 if you test SSO for the first time
   • the permanent password you created when logging in using SSO for the first time

5. Click Sign On.

6. If you are testing SSO login for the first time, in the Current Password field, specify the one-time password you created in Step 3.

7. If you are testing SSO login for the first time, in the New Password and Verify New Password, specify a new permanent password.

8. If you are testing SSO login for the first time, click Save.

You will be redirected to your Fivetran dashboard.

Restrict login to SSO

Follow the steps below to restrict logins to SSO only:

1. Log in to the Fivetran dashboard.
2. In the bottom left menu, click Account Settings > General.
3. Go to the Account Settings tab.
4. In the Authentication Settings section, set the Required authentication type to SAML or Google OAuth.

NOTE: When the Required authentication type is set to None, users can log in either with SSO or with their email and password.