SSO & SAML
Configure enterprise single sign-on using SAML 2.0.
Supported Providers
- Okta
- Azure Active Directory
- Google Workspace
- OneLogin
- PingIdentity
- Custom SAML IdP
Setup Steps
1. Configure Your IdP
Add LH42 as a SAML application in your IdP:
| Setting | Value |
|---|---|
| ACS URL | https://app.lakehouse42.com/auth/saml/callback |
| Entity ID | https://app.lakehouse42.com |
| Name ID | Email address |
2. Configure LH42
Go to Settings > Security > SSO:
- Upload IdP metadata XML, or enter manually:
  - IdP SSO URL
  - IdP Entity ID
  - X.509 Certificate
- Configure attribute mapping:
  - email → User email
  - firstName → First name
  - lastName → Last name
  - groups → Role assignment (optional)
3. Test Connection
Click "Test SSO" to verify configuration.
Okta Setup
- Add new SAML app in Okta Admin
- Use SAML 2.0 settings
- Configure attribute statements:
  - email → user.email
  - firstName → user.firstName
  - lastName → user.lastName
- Download metadata XML
- Upload to LH42
Azure AD Setup
- Register new Enterprise Application
- Set up SAML single sign-on
- Configure Basic SAML settings with LH42 values
- Copy Federation Metadata URL
- Enter in LH42 SSO settings
Enforcing SSO
Once configured, enforce SSO for all users:
```python
# `client` is assumed to be an already-authenticated LH42 API client.
client.settings.update({
    "sso_required": True,
    "allowed_email_domains": ["yourcompany.com"]
})
```
Troubleshooting
- "Invalid signature": Ensure certificate is correctly formatted
- "User not found": Check email attribute mapping
- "Access denied": Verify user is assigned to the app in IdP