Skip to main content
Lightdash supports multiple SSO providers for secure authentication. This page provides an overview of which providers are available on each plan.

SSO providers by plan

ProviderCloud ProEnterpriseSelf-hosted
Google
Okta
Azure AD
OneLogin
Generic OIDC
Self-hosted instances can configure any supported SSO provider. See the self-hosted SSO configuration guide for setup instructions.

Provider details

Google

OAuth 2.0-based authentication using Google accounts. Ideal for organizations using Google Workspace.

Okta

OpenID Connect (OIDC) integration with Okta. Supports group synchronization and SCIM provisioning.
  • Included in: Enterprise, Self-hosted
  • Features: Group sync, JIT provisioning, custom authorization servers
  • Setup guide: Okta SSO configuration

Azure Active Directory

OpenID Connect integration with Microsoft Azure AD. Supports both client secret and private key JWT authentication.
  • Included in: Enterprise, Self-hosted
  • Features: Multiple authentication methods, tenant isolation
  • Setup guide: Azure AD configuration

OneLogin

OpenID Connect integration with OneLogin identity platform.

Generic OIDC

Connect any OpenID Connect-compliant identity provider (Keycloak, Auth0, PingIdentity, etc.).
  • Included in: Enterprise, Self-hosted
  • Features: Flexible configuration, supports private_key_jwt authentication
  • Setup guide: Generic OIDC configuration

Additional authentication options

Password authentication

Email/password authentication is available on all plans and enabled by default. Organizations using SSO can disable password authentication to enforce SSO-only login.

Warehouse SSO (Enterprise only)

Enterprise customers can also configure SSO for data warehouse connections:
  • Snowflake OAuth - Users authenticate with Snowflake using their corporate identity
  • Databricks OAuth - User-to-Machine (U2M) OAuth flow for Databricks
These create per-user warehouse credentials rather than shared project credentials.