Setup for Lightdash Cloud vs self-hosted
If you're on Lightdash Cloud, organization admins configure SSO directly from Organization settings → Single Sign-On, with no environment variables and no need to involve the Lightdash team. See Configure SSO for the full self-serve setup.
When following the provider setup guides below, you can skip any steps about setting environment variables; those only apply to self-hosted instances. Focus on the provider-side configuration (creating the OAuth app, redirect URIs, etc.), then enter the resulting values in Organization settings → Single Sign-On.
SSO providers by plan
| Provider | Cloud Pro | Enterprise | Self-hosted |
|---|---|---|---|
| Okta | Yes | Yes | Yes |
| Azure AD | No | Yes | Yes |
| OneLogin | No | Yes | Yes |
| Generic OIDC | No | Yes | Yes |
Self-hosted instances can configure any supported SSO provider by setting environment variables directly. See the self-hosted SSO configuration guide for setup instructions. Lightdash Cloud customers configure SSO from Organization settings → Single Sign-On; see Configure SSO.
URL requirements for organization-managed SSO
When an organization admin saves a per-organization SSO configuration, Lightdash validates that any provider URL it has to fetch resolves to a public https:// address. This protects against server-side request forgery (SSRF), since the Lightdash backend requests the URL during issuer discovery.
The following fields are validated at save time:
| Provider | Validated field | What gets checked |
|---|---|---|
| Okta | oktaDomain | The domain is used to build https://<oktaDomain>; it must resolve to a public host. |
| Generic OIDC | metadataDocumentEndpoint | The OIDC discovery document URL must use https:// and resolve to a public host. |
localhost, loopback addresses, private networks, or other internal/non-routable addresses are rejected with a ParameterError. Azure AD is not affected because its endpoints are templated from the tenant ID.
This check runs only when configuration is saved through the API or admin UI. Existing stored configurations and environment-variable-based self-hosted configurations are not re-validated.
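The save-time check described above could look like the following. This is an added example, not Lightdash's implementation: the function names, the blocked-range list and the sample addresses are assumptions, and the DNS answers are passed in by the caller so the code runs offline.

```javascript
// Added example, not Lightdash source. All names here are hypothetical.
// IPv4 ranges the backend must not fetch, as [network, prefix length].
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.0.0.0', 24],
  ['192.168.0.0', 16], ['198.18.0.0', 15], ['224.0.0.0', 3],
];

// Dotted-quad text to an unsigned 32-bit number, or null if malformed.
function v4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.some((o) => o > 255) ? null : octets.reduce((a, o) => a * 256 + o, 0);
}

// Expects addresses in the canonical text form a DNS resolver returns.
function isPublicAddress(ip) {
  const addr = ip.toLowerCase();
  // IPv4-mapped IPv6 (::ffff:a.b.c.d) is judged by its embedded IPv4 address.
  const mapped = /^::ffff:(.*)$/.exec(addr);
  if (mapped || !addr.includes(':')) {
    const n = v4ToInt(mapped ? mapped[1] : addr);
    if (n === null) return false; // fail closed on anything unparseable
    return !BLOCKED_V4.some(([net, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
    });
  }
  // IPv6: unspecified, loopback, unique-local, link-local and multicast.
  if (addr === '::' || addr === '::1') return false;
  return !/^(f[cd][0-9a-f]{2}|fe[89ab][0-9a-f]|ff[0-9a-f]{2}):/.test(addr);
}

// Returns null if the URL is acceptable, otherwise the reason for rejection.
// `resolved` holds every address DNS returned for the host; one internal
// answer among several public ones is enough to reject.
function checkProviderUrl(rawUrl, resolved) {
  let url;
  try { url = new URL(rawUrl); } catch { return 'not a valid URL'; }
  if (url.protocol !== 'https:') return 'URL must use https://';
  if (resolved.length === 0) return 'host did not resolve';
  const bad = resolved.find((ip) => !isPublicAddress(ip));
  return bad ? `resolves to non-public address ${bad}` : null;
}

// Constructed sample inputs (not real Lightdash configuration).
console.log(checkProviderUrl('https://idp.example.com/.well-known/openid-configuration', ['93.184.216.34']));
console.log(checkProviderUrl('https://idp.example.com/.well-known/openid-configuration', ['93.184.216.34', '10.0.0.5']));
```

A check of this kind only reflects the DNS answer at the moment it runs, which matters given that stored configurations are not re-validated.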
Provider details
Google
- Included in: Cloud Pro, Enterprise, Self-hosted
- Setup guide: Google SSO configuration
Okta
OpenID Connect (OIDC) integration with Okta. Supports group synchronization and SCIM provisioning.
- Included in: Cloud Pro, Enterprise, Self-hosted
- Features: Group sync, JIT provisioning, custom authorization servers
- Setup guide: Okta SSO configuration
Azure Active Directory
OpenID Connect integration with Microsoft Azure AD. Supports both client secret and private key JWT authentication.
- Included in: Enterprise, Self-hosted
- Features: Multiple authentication methods, tenant isolation
- Setup guide: Azure AD configuration
OneLogin
OpenID Connect integration with OneLogin identity platform.
- Included in: Enterprise, Self-hosted
- Setup guide: OneLogin configuration
Generic OIDC
Connect any OpenID Connect-compliant identity provider (Keycloak, Auth0, PingIdentity, etc.).
- Included in: Enterprise, Self-hosted
- Features: Flexible configuration, supports private_key_jwt authentication
- Setup guide: Generic OIDC configuration
Additional authentication options
Password authentication
Email/password authentication is available on all plans and enabled by default. Organizations using SSO can disable password authentication to enforce SSO-only login.
Warehouse SSO (Enterprise only)
Enterprise customers can also configure SSO for data warehouse connections:
- Snowflake OAuth - Users authenticate with Snowflake using their corporate identity
- Databricks OAuth - User-to-Machine (U2M) OAuth flow for Databricks