Follow our guide to set up single sign-on (SSO) into Fivetran using the Fivetran PingOne catalog application.
Prerequisiteslink
To set up PingOne SSO with Fivetran, you need:
- a PingOne Administrator account
- a Fivetran Account Administrator account
In PingOnelink
Add and configure the Fivetran applicationlink
-
Log in to your PingOne account and select the environment you want to connect to Fivetran.
-
Go to Connections > Applications.
-
On the Applications page, click +.
-
Select WEB APP.
-
In the Choose Connection Type pop-up, in the SAML section, click Configure.
-
On the Create App Profile page, enter the name (we recommend “Fivetran”).
-
(Optional) Enter the description and upload an icon file for the Fivetran app.
-
Click Next.
-
On the Configure SAML Connection page, select Manually Enter.
-
In the ACS URLS field, enter “https://fivetran.com/login/saml/return”.
-
In the ENTITY ID field, enter “Fivetran”.
-
In the ASSERTION VALIDITY DURATION IN SECONDS field, enter “60”.
-
Click Save and Continue.
Map attributeslink
-
On the Attribute Mapping page, go the SAML ATTRIBUTES section. In the saml_subject field, enter “Email Address”.
-
Click + ADD ATTRIBUTE.
-
Enter “FirstName” in the left field and “Given Name” in the right field.
-
Click + ADD ATTRIBUTE.
-
Enter “LastName” in the left field and “Family Name” in the right field.
-
Click Save and Close. The Fivetran app is created.
-
Use the toggle in the top-right corner of the page to enable user access to the Fivetran app.
Add user detailslink
-
Go to Identities > Users.
-
Click + Add User.
-
In the Add User popup, enter the GIVEN NAME and FAMILY NAME of the user you want to add to the Fivetran app.
-
In the CONTACT section, enter the EMAIL ADDRESS of the user you want to add to the Fivetran app.
-
Scroll-down to the COMPANY INFORMATION section. In the USERNAME field, enter the email address of the user you want to add to the Fivetran app .
-
Click Save.
-
On the Users page, click the down-arrow icon to expand the added user’s details, and then click Reset Password.
-
Enter a one-time password in the input field. You will need to replace it with a permanent password when you log in for the first time.
-
Click Save.
Add group detailslink
-
Go to Identities > Groups.
-
Click +.
-
Specify the Group Name. We recommend “Fivetran”.
-
Click Save.
-
On the Fivetran group page, go to the Users tab.
-
Click + Add Users Individually.
-
Click + to add the Fivetran user to the group.
-
Click Save.
Provide accesslink
-
Go to Connections > Applications.
-
Click the Fivetran app.
-
Go to the Access tab.
-
Click the pencil icon.
-
Click + to give the Fivetran group access to the Fivetran app.
-
Click Save.
NOTE: Fivetran supports Just-In-Time (JIT) user provisioning. If you assign the app to users who don’t have a Fivetran account, Fivetran will create new accounts for them with the read-only access. You will need to grant the newly created users the relevant role with the corresponding permissions.
Get Sign on URL, Issuer, and Public certificatelink
To complete setup in Fivetran, you need the following credentials:
- Sign on URL
- Issuer
- Public certificate
To find these credentials, do the following:
-
In the PingOne Admin console, open the Fivetran app page and go to the Configuration tab.
-
Click Download Signing Certificate and select X509 PEM (.crt) format.
-
Open the downloaded certificate in a text editor and copy the certificate, which is the string between the
-----BEGIN CERTIFICATE-----
and-----END CERTIFICATE-----
statements. You must enter it in the Public certificate field in Fivetran. -
Copy the Issuer ID. Make a note of it. You must enter it in the Issuer field in Fivetran.
-
Copy the Single Signon Service. Make a note of it. You must enter it in the Sign on URL field in Fivetran.
TIP: When configuring Single Sign-On with PingOne in Fivetran, log in to your PingOne account and go the Fivetran app page to be able to copy-paste the values.
In Fivetranlink
NOTE: By default, Fivetran allows Just-In-Time (JIT) user provisioning. If you don’t have a Fivetran user for the specified OneLogin user, the Fivetran user will be created automatically with the read-only access. To grant the newly created user the relevant role with the corresponding permissions, log in as a Fivetran user with the Users: Manage permission and manage the user’s roles and permissions on the Users tab of the Account Management page.
-
Go to the account management page in your Fivetran dashboard.
-
Go to the Settings tab.
-
Toggle the Enable SAML authentication selector to ON.
-
Fill the Sign on URL, Issuer, and Public certificate fields with the Single Signon Service, Issuer ID, and Download Signing Certificate values you found in Step 6, respectively.
-
Click Save Config at the bottom of the settings page. You’ll see an Account settings successfully saved message.
Testing SSO (Optional)link
IMPORTANT: If you assigned the Fivetran app to a user who doesn’t have a corresponding Fivetran user, you need to grant them write access after they have been automatically provisioned in your Fivetran account.
To test SSO, follow these steps:
-
In the PingOne Admin console, open the Fivetran app page. Go to the Configuration tab and copy the Initiate Single Sign-On URL. You will need it to log in to Fivetran using SAML SSO.
-
In a browser, paste the Initiate Single Sign-On URL to the address bar.
-
Enter the USERNAME you created in Step 3.
-
Enter your PASSWORD. Specify either of the following:
- the one-time password you created in Step 3 if you test SSO for the first time
- the permanent password you created when logging in using SSO for the first time
-
Click Sign On.
-
If you are testing SSO login for the first time, in the Current Password field, specify the one-time password you created in Step 3.
-
If you are testing SSO login for the first time, in the New Password and Verify New Password, specify a new permanent password.
-
If you are testing SSO login for the first time, click Save.
You will be redirected to your Fivetran dashboard.