Skip to main content

Migrating to Auth0 for SSO

dbt Labs is partnering with Auth0 to bring enhanced features to dbt Cloud's single sign-on (SSO) capabilities. Auth0 is an identity and access management (IAM) platform with advanced security features, and it will be leveraged by dbt Cloud. These changes will require some action from customers with SSO configured in dbt Cloud today, and this guide will outline the necessary changes for each environment.

If you have not yet configured SSO in dbt Cloud, refer instead to our setup guides for SAML, Okta, Google Workspace, or Microsoft Entra ID (formerly Azure AD) single sign-on services.

Start the migration

The Auth0 migration feature is being rolled out incrementally to customers who have SSO features already enabled. When the migration option has been enabled on your account, you will see SSO Updates Available on the right side of the menu bar, near the settings icon.

SSO migration availableSSO migration available

Alternatively, you can start the process from the Settings page in the Single Sign-on pane. Click the Begin Migration button to start.

Begin MigrationBegin Migration

Once you have opted to begin the migration process, the following steps will vary depending on the configured identity provider. You can just skip to the section that's right for your environment. These steps only apply to customers going through the migration; new setups will use the existing setup instructions.

Login {slug}

Slugs should contain only letters, numbers, and dashes. Make sure to remove underscores (if they exist) from login slugs:

  • before migrating on the Account Settings page, or
  • while migrating (before enabling), as shown in the Migrate authentication screenshots for your respective setup. After changing the slug, admins must share the new login URL with their dbt Cloud users.

SAML 2.0 and Okta

SAML 2.0 users must update a few fields in the SSO app configuration to match the new Auth0 URL and URI. You can approach this by editing the existing SSO app settings or creating a new one to accommodate the Auth0 settings. One approach isn't inherently better, so you can choose whichever works best for your organization.

The fields that will be updated are:

  • Single sign-on URL — https://<YOUR_AUTH0_URI>/login/callback?connection={slug}
  • Audience URI (SP Entity ID) — urn:auth0:<YOUR_AUTH0_ENTITYID>:{slug}

Below are sample steps to update. You must complete all of them to ensure uninterrupted access to dbt Cloud and you should coordinate with your identity provider admin when making these changes.

  1. Replace {slug} with your organization’s login slug. It must be unique across all dbt Cloud instances and is usually something like your company name separated by dashes (for example, dbt-labs).

Here is an example of an updated SAML 2.0 setup in Okta.

Okta configuration with new URLOkta configuration with new URL
  1. Save the configuration, and your SAML settings will look something like this:
New Okta configuration completedNew Okta configuration completed
  1. Toggle the Enable new SSO authentication option to ensure the traffic is routed correctly. The new SSO migration action is final and cannot be undone
Enable new SSO for SAML/OktaEnable new SSO for SAML/Okta
  1. Save the settings and test the new configuration using the SSO login URL provided on the settings page.

Google Workspace

Google Workspace admins updating their SSO APIs with the Auth0 URL won't have to do much if it is an existing setup. This can be done as a new project or by editing an existing SSO setup. No additional scopes are needed since this is migrating from an existing setup. All scopes were defined during the initial configuration.

Below are steps to update. You must complete all of them to ensure uninterrupted access to dbt Cloud and you should coordinate with your identity provider admin when making these changes.

  1. Open the Google Cloud console and select the project with your dbt Cloud single sign-on settings. From the project page Quick Access, select APIs and Services
Google Cloud ConsoleGoogle Cloud Console
  1. Click Credentials from the left side pane and click the appropriate name from OAuth 2.0 Client IDs
Select the OAuth 2.0 Client IDSelect the OAuth 2.0 Client ID
  1. In the Client ID for Web application window, find the Authorized Redirect URIs field and click Add URI and enter https://<YOUR_AUTH0_URI>/login/callback.

Click Save once you are done.

Add Redirect URIAdd Redirect URI
  1. You will need a person with Google Workspace admin privileges to complete these steps in dbt Cloud. In dbt Cloud, navigate to the Account Settings, click on Single Sign-on, and then click Edit on the right side of the SSO pane. Toggle the Enable New SSO Authentication option and select Save. This will trigger an authorization window from Google that will require admin credentials. The migration action is final and cannot be undone. Once the authentication has gone through, test the new configuration using the SSO login URL provided on the settings page.
Domain authorization

You must complete the domain authorization before you toggle Enable New SSO Authentication, or the migration will not complete successfully.

Enable new SSO for Google WorkspaceEnable new SSO for Google Workspace

Microsoft Entra ID

Microsoft Entra ID admins will need to make a slight adjustment to the existing authentication app in the Azure portal. This migration does not require that the entire app be deleted or recreated; you can edit the existing app. Start by opening the Azure portal and navigating to the Microsoft Entra ID overview.

Below are steps to update. You must complete all of them to ensure uninterrupted access to dbt Cloud and you should coordinate with your identity provider admin when making these changes.

  1. Click App Registrations on the left side menu.
Select App RegistrationsSelect App Registrations
  1. Select the proper dbt Cloud app (name may vary) from the list. From the app overview, click on the hyperlink next to Redirect URI
Click the Redirect URI hyperlinkClick the Redirect URI hyperlink
  1. In the Web pane with Redirect URIs, click Add URI and enter the appropriate https://<YOUR_AUTH0_URI>/login/callback. Save the settings and verify it is counted in the updated app overview.
Enter new redirect URIEnter new redirect URI
  1. Navigate to the dbt Cloud environment and open the Account Settings. Click the Single Sign-on option from the left side menu and click the Edit option from the right side of the SSO pane. The domain field is the domain your organization uses to login to Microsoft Entra ID. Toggle the Enable New SSO Authentication option and Save. Once this option is enabled, it cannot be undone.
Domain authorization

You must complete the domain authorization before you toggle Enable New SSO Authentication, or the migration will not complete successfully.

Enable new SSOEnable new SSO
0