SSO providers by plan
| Provider | Cloud Pro | Enterprise | Self-hosted |
|---|---|---|---|
| Okta | |||
| Azure AD | |||
| OneLogin | |||
| Generic OIDC |
Self-hosted instances can configure any supported SSO provider. See the self-hosted SSO configuration guide for setup instructions.
Provider details
- Included in: Cloud Pro, Enterprise, Self-hosted
- Setup guide: Google SSO configuration
Okta
OpenID Connect (OIDC) integration with Okta. Supports group synchronization and SCIM provisioning.- Included in: Enterprise, Self-hosted
- Features: Group sync, JIT provisioning, custom authorization servers
- Setup guide: Okta SSO configuration
Azure Active Directory
OpenID Connect integration with Microsoft Azure AD. Supports both client secret and private key JWT authentication.- Included in: Enterprise, Self-hosted
- Features: Multiple authentication methods, tenant isolation
- Setup guide: Azure AD configuration
OneLogin
OpenID Connect integration with OneLogin identity platform.- Included in: Enterprise, Self-hosted
- Setup guide: OneLogin configuration
Generic OIDC
Connect any OpenID Connect-compliant identity provider (Keycloak, Auth0, PingIdentity, etc.).- Included in: Enterprise, Self-hosted
- Features: Flexible configuration, supports private_key_jwt authentication
- Setup guide: Generic OIDC configuration
Additional authentication options
Password authentication
Email/password authentication is available on all plans and enabled by default. Organizations using SSO can disable password authentication to enforce SSO-only login.Warehouse SSO (Enterprise only)
Enterprise customers can also configure SSO for data warehouse connections:- Snowflake OAuth - Users authenticate with Snowflake using their corporate identity
- Databricks OAuth - User-to-Machine (U2M) OAuth flow for Databricks