Lightdash supports multiple SSO providers for secure authentication. This page provides an overview of which providers are available on each plan.Documentation Index
Fetch the complete documentation index at: https://lightdash-mintlify-6ff6a008.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
Setup for Lightdash Cloud vs self-hosted
- Lightdash Cloud
- Self-hosted
If you’re on Lightdash Cloud, you don’t set environment variables yourself. Instead:
- Complete the provider-side setup (e.g., create an OAuth app in Okta, Google, Azure AD, etc.) using the setup guides linked below.
- Securely share the resulting configuration values (client ID, client secret, issuer URL, etc.) with the Lightdash team.
- The Lightdash team will configure SSO on your behalf.
When following the setup guides below, you can skip any steps about setting environment variables — those only apply to self-hosted instances. Focus on the provider-side configuration and note down the values you’ll need to share with Lightdash.
SSO providers by plan
| Provider | Cloud Pro | Enterprise | Self-hosted |
|---|---|---|---|
| Okta | |||
| Azure AD | |||
| OneLogin | |||
| Generic OIDC |
Self-hosted instances can configure any supported SSO provider by setting environment variables directly. See the self-hosted SSO configuration guide for setup instructions. Lightdash Cloud customers should follow the provider-side setup and share the values with the Lightdash team.
Provider details
- Included in: Cloud Pro, Enterprise, Self-hosted
- Setup guide: Google SSO configuration
Disable Google sign-in for your organization
When Google SSO is enabled at the instance level, organization admins can opt out of Google sign-in for their domains — for example, to enforce sign-in through a dedicated identity provider (Okta, Azure AD, etc.) instead. To manage your organization’s Google SSO policy:- Go to Settings → Organization → Authentication.
- In the Google panel, toggle Enable Google sign-in for this organization off to hide the Google login button for users in your domains. Toggle it back on (or select Reset to default) to follow the instance default.
- Optional: expand Advanced to override the org’s allowed email domains for this method, or to control whether email/password sign-in is shown alongside Google.
The opt-out applies only to users who belong to your organization. Users from other organizations on the same Lightdash instance are unaffected.
Okta
OpenID Connect (OIDC) integration with Okta. Supports group synchronization and SCIM provisioning.- Included in: Cloud Pro, Enterprise, Self-hosted
- Features: Group sync, JIT provisioning, custom authorization servers
- Setup guide: Okta SSO configuration
Azure Active Directory
OpenID Connect integration with Microsoft Azure AD. Supports both client secret and private key JWT authentication.- Included in: Enterprise, Self-hosted
- Features: Multiple authentication methods, tenant isolation
- Setup guide: Azure AD configuration
OneLogin
OpenID Connect integration with OneLogin identity platform.- Included in: Enterprise, Self-hosted
- Setup guide: OneLogin configuration
Generic OIDC
Connect any OpenID Connect-compliant identity provider (Keycloak, Auth0, PingIdentity, etc.).- Included in: Enterprise, Self-hosted
- Features: Flexible configuration, supports private_key_jwt authentication
- Setup guide: Generic OIDC configuration
Additional authentication options
Password authentication
Email/password authentication is available on all plans and enabled by default. Organizations using SSO can disable password authentication to enforce SSO-only login.Warehouse SSO (Enterprise only)
Enterprise customers can also configure SSO for data warehouse connections:- Snowflake OAuth - Users authenticate with Snowflake using their corporate identity
- Databricks OAuth - User-to-Machine (U2M) OAuth flow for Databricks