Single sign-on with SAML¶
The availability of this feature depends on the license of the Opendatasoft domain.
Registering your SAML identity provider on your domain¶
Step 1: Allow access for SAML users¶
Enable SAML so that authentication for your portal users can be delegated to your own identity service.
From the back office, go to Configuration > Signup.
Toggle on Allow access for SAML users.
A list of configuration settings appears:
Step 2: Configure SAML settings¶
Paste your identity provider metadata document into the Identity provider (idp) metadata document field.
If you want to disable local user creation, making sure only existing users can connect to the platform through SAML, toggle on Disable local user provisioning.
Enter the set of attributes sent by the identity provider that uniquely define a user in the corresponding field:
For example, if your users are defined by the
LastNameattributes transmitted by your identity provider, enter
FirstNamein the field and click +. Then, enter
LastNamein the field that appears and click +.
If the users are defined by their
NameIDformat used by your identity provider is not transient, leave the field empty.
Enter the attribute mappings for the username, last name, first name, and email address in the corresponding fields. In this step, you need to declare the field names as they are sent by the identity provider:
For example, if your identity provider transmits the connected user's first name in an attribute called
GivenNamein the First name field.
If your identity provider doesn't transmit all of these elements, leave the corresponding fields blank. The platform will automatically generate them based on other available attributes.
Enter an access condition:
In the Attribute to match for the condition field, enter the name of the attribute to check for.
In the Value that must be present field, enter the value for this attribute. If you want to check for the presence of an attribute without value restriction, leave this field blank.
For example, if your identity provider sends a list of
Rolesfor the users and you want only users with a role to be able to connect to the domain, enter
Rolesin the Attribute to match for the condition field. If you only want users with the
DataAccessrole to be able to connect to the domain, enter
DataAccessin the Value that must be present field.
If you leave both fields blank, no condition is set. Any successful login on the identity provider side will trigger a login on your Opendatasoft domain.
Enter the URL on which the user can edit their user profile on the identity provider in the URL for SAML user account configuration field.
When set, a link to this URL will be shown to the user on their user account page.
If left blank, no URL will be shown to the user on their account page.
Enter a custom EntityID for the Service Provider.
If left blank, the URL of the Service Provider metadata document will be used as the EntityID.
If your identity provider doesn't support EntityIDs in URL format, you can set any EntityID here.
Customize the SAML login link text. If left blank, a localized default message will be displayed.
Registering your domain on your identity provider¶
The configuration of the identity provider is implementation-dependant, but it always consists of importing the service provider metadata document to enable an identity federation.
You can download the metadata document for your Opendatasoft domain on
The Opendatasoft platform supports the standard SAML Single Logout flow using the HTTP-Redirect binding:
If supported by the identity provider, a log out from a SAML-connected user will trigger a log out from the identity provider.
Log out requests from the identity provider will trigger a log out of the user on the platform.