Learn how to configure a custom Identity Provider integration with Firebolt.
A custom Identity Provider (IdP) allows you to use your organization’s existing authentication system for secure access to Firebolt using Single Sign-On (SSO). By configuring a custom IdP, you ensure that your team can securely and efficiently access Firebolt resources using familiar credentials.
To integrate a custom IdP with Firebolt’s platform, you need to configure your IdP for Firebolt and Firebolt’s SSO for your custom IdP. Detailed instructions can be found in the following sections:
In order to set up a SAML 2.0 compliant service or application as your Identity Provider (IdP) for Single Sign-On (SSO) with Firebolt, follow these steps:
Define a custom SHA-256
In the service/application interface, define a custom SHA-256 application specifically for Firebolt. Follow the service or application’s instructions to create this custom application.
Create Users in the Service/Application
For each end-user that needs access to Firebolt:
Obtain required values for IdP setup
To properly configure your IdP, you’ll need to configure the Audience URI and ACS (Assertion Consumer Service) URL, which are crucial for successful SSO authentication. If not configured properly, authentication will fail.
The Audience URI ensures that authentication requests are directed to the correct Firebolt tenant, and has the following format:
urn:auth0:app-firebolt-v2:<org_name>-<provider_name>
The ACS URL is where the IdP sends authentication responses after login, and has the following format:
https://id.app.firebolt.io/login/callback?connection=<org_name>-<provider_name>&organization=<organization_identifier>
In the formats above, the placeholders mean the following:
<org_name>: The organization name used to create your Firebolt account, as seen in your vanity URL.
<provider_name>: The name of the provider being configured as your IdP.
<organization_identifier>: A unique identifier for your organization. To retrieve this value, navigate to Configure > SSO in the Firebolt UI and select Copy organization SSO identifier.
For example, if your organization name is acmeorg and the provider name is custom, the values for Audience URI and ACS URL are as follows:
urn:auth0:app-firebolt-v2:acmeorg-custom
https://id.app.firebolt.io/login/callback?connection=acmeorg-custom&organization=<organization_identifier>
The Audience URI (also known as Audience Restriction) defines the intended recipient of the SAML (Security Assertion Markup Language) Assertion. Depending on the vendor, this might also be referred to as the Entity ID.
Obtain SSO URL and Certificate
Retrieve the following from your custom IdP:
With all required information, you are now ready to integrate your Identity Provider with Firebolt.
Once your Identity Provider (IdP) is configured, you can configure Firebolt to integrate with it. This can be done using either the Firebolt UI or SQL.
To configure the Firebolt SSO integration using the UI, navigate to Configure > SSO in Firebolt.
Enter the following information:
Sign-on URL: The URL provided by your SAML identity provider where Firebolt sends SAML requests. This URL is IdP-specific and is determined during the identity provider’s configuration.
Example (for Okta): https://okta_account_name.okta.com/app/okta_firebolt_app_id/sso/saml
Issuer: A unique value generated by the SAML identity provider, identifying the issuer.
Provider: The name of your identity provider, such as JumpCloud. If you are using a SAML 2.0-compliant service or application as your IdP, select the Custom label.
Label: The text displayed on the SSO login button. If left blank, the value from the Provider field will be used.
Certificate: The certificate used to verify communication between the identity provider and Firebolt. It must be in PEM or CER format. You can upload it using the Import certificate button or paste it directly into the provided text box.
Sign-out URL: The URL provided by the application owner to redirect users when they sign out.
Field mapping: Mapping to your identity provider’s first and last name in key-value pairs. If additional fields are required, choose Add another key-value pair. Mapping is required for Firebolt to fill in the login’s given and last names the first time the user logs in using SSO. If this field remains empty when a login that represents the user is being created (read more in the log in using SSO section), the login’s first and last name fields will contain “NA”. Those fields can be updated later by running the ALTER LOGIN command.
Here’s an example of how to set up Field mapping:
In this example:
given_name (first name) is mapped to the name field from the IdP.
family_name (last name) is mapped to the surname field from the IdP.
Select Update changes.
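The following added example (not part of the Firebolt documentation or Firebolt's own code) ties together two points from this page: the Audience URI and ACS URL that must match between your IdP and Firebolt (an assertion whose Audience or Destination differs from the expected values is rejected, which is the "authentication will fail" case above), and the Field mapping that turns IdP attributes such as name and surname into the login's given_name and family_name, falling back to "NA" when no mapping is set. The SAML response, the organization identifier org_EXAMPLE and the IdP issuer URL are constructed sample values; the check is written to illustrate what the service side verifies, not to reproduce Firebolt's internal implementation.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 protocol and assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def audience_uri(org_name: str, provider_name: str) -> str:
    """Expected Audience URI (Entity ID) for a Firebolt SSO connection."""
    return f"urn:auth0:app-firebolt-v2:{org_name}-{provider_name}"


def acs_url(org_name: str, provider_name: str, organization_identifier: str) -> str:
    """Expected ACS URL the IdP must POST the SAML response to."""
    return (
        "https://id.app.firebolt.io/login/callback"
        f"?connection={org_name}-{provider_name}"
        f"&organization={organization_identifier}"
    )


def check_response(xml_text: str, expected_audience: str, expected_acs: str) -> list:
    """Return a list of mismatches between the response and the expected values.

    An empty list means Destination and Audience both match. Real responses are
    untrusted input and are also signature-checked; this only illustrates the
    two configuration values the page describes.
    """
    root = ET.fromstring(xml_text)
    problems = []
    destination = root.get("Destination")
    if destination != expected_acs:
        problems.append(f"Destination {destination!r} != ACS URL {expected_acs!r}")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences!r} does not include {expected_audience!r}")
    return problems


def map_name_fields(xml_text: str, field_mapping: dict) -> dict:
    """Apply a Field mapping (login field -> IdP attribute name) to the assertion.

    Mirrors the documented behaviour: a login field whose mapping is missing or
    whose attribute is absent gets the value "NA".
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if values else None
    result = {}
    for login_field in ("given_name", "family_name"):
        idp_attr = field_mapping.get(login_field)
        value = attrs.get(idp_attr) if idp_attr else None
        result[login_field] = value if value else "NA"
    return result


# Constructed sample response (not a real capture): org acmeorg, provider custom,
# organization identifier org_EXAMPLE, IdP attributes "name" and "surname".
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://id.app.firebolt.io/login/callback?connection=acmeorg-custom&amp;organization=org_EXAMPLE">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>jane@acme.example</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:auth0:app-firebolt-v2:acmeorg-custom</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    aud = audience_uri("acmeorg", "custom")
    acs = acs_url("acmeorg", "custom", "org_EXAMPLE")
    print("mismatches:", check_response(SAMPLE_RESPONSE, aud, acs))
    print("mapped:", map_name_fields(SAMPLE_RESPONSE, {"given_name": "name", "family_name": "surname"}))
    print("unmapped:", map_name_fields(SAMPLE_RESPONSE, {}))
```

Changing the provider name to anything other than custom in the expected values makes check_response report an Audience mismatch, which is the same failure you see when the value entered in the IdP's application does not match the connection name in Firebolt.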
To create your SSO connection in Firebolt, you can use the following SQL as an example:
Make sure that the certificate value is provided as one string, without any line breaks or control characters such as \r\n.
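As an added example (not Firebolt's code), here is one way to prepare the certificate value for the SQL statement: it accepts a PEM file with either LF or CRLF line endings, or raw DER/CER bytes, checks that the body decodes to a DER SEQUENCE, and emits a single line with no control characters. It assumes that the BEGIN/END markers are kept and only the line breaks removed; the DER bytes used as sample input are a minimal constructed SEQUENCE, not a real certificate.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----",
    re.DOTALL,
)


def has_control_chars(text: str) -> bool:
    """True if the string contains \\r, \\n or any other ASCII control character."""
    return any(ord(c) < 32 or ord(c) == 127 for c in text)


def certificate_to_single_line(data) -> str:
    """Normalise a certificate to one line for the SSO configuration statement.

    `data` may be PEM text (str or bytes, any line endings) or DER/CER bytes.
    Assumption: the BEGIN/END markers are retained around the base64 body.
    """
    if isinstance(data, bytes) and data[:1] == b"\x30":
        der = data  # DER certificates start with the SEQUENCE tag 0x30
    else:
        text = data.decode("ascii") if isinstance(data, bytes) else data
        match = PEM_RE.search(text)
        if not match:
            raise ValueError("no PEM CERTIFICATE block found")
        # split() drops \r, \n, spaces and tabs between the base64 lines
        body = "".join(match.group("body").split())
        der = base64.b64decode(body, validate=True)
    if der[:1] != b"\x30":
        raise ValueError("certificate body is not a DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    one_line = f"-----BEGIN CERTIFICATE-----{b64}-----END CERTIFICATE-----"
    if has_control_chars(one_line):
        raise ValueError("control characters remain in the certificate value")
    return one_line


# Constructed sample: a minimal DER SEQUENCE { INTEGER 1 } wrapped as PEM with CRLF
# line endings, standing in for a real certificate exported from an IdP.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM_CRLF = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MAMCAQE=\r\n"
    "-----END CERTIFICATE-----\r\n"
)


if __name__ == "__main__":
    print(certificate_to_single_line(SAMPLE_PEM_CRLF))
```

A certificate exported on Windows usually carries CRLF endings; running it through this function before pasting it into the statement avoids the \r\n failure described above.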
During Login
New Users:
If a login with your email doesn’t already exist, Firebolt will create one based on the email, first name, and last name provided in the SAML assertion from the IdP.
The new login will be SSO-only, with the IS_PASSWORD_ENABLED property set to False.
Existing Users:
If the login already exists and Field Mapping is set:
SSO settings can be edited in two ways: using SQL or the UI. To edit SSO settings using SQL, use the ALTER ORGANIZATION statement. For example:
To edit SSO settings using the UI, see Configure Firebolt to integrate with IdP using the UI.
To disable SSO login, delete the SSO settings using either SQL or the UI. To delete SSO settings using SQL, use the following command:
To delete SSO settings using the UI:
Select Configure to open the Configure Space, then choose SSO.
Select Clear SSO configuration.
Select Update changes.
After the SSO configuration is deleted, is_sso_provisioned=true is automatically updated to is_sso_provisioned=false.