Single Sign-On for your organizations on Hosted Dolt

3 min read

Hosted DoltDB is for running online, production Dolt databases. We recently received a feature request for SAML integration for a single sign-on (SSO) solution to, which is available now!

What is SAML?

SAML (Security Assertion Markup Language) is a standard for exchanging authentication and authorization data between a Service Provider (SP) - in this case Hosted Dolt - and an Identity Provider (IdP) - some third-party provider. A Hosted customer would configure an identity provider for their organization within the Hosted product, and their users would authenticate and authorize access to that organization through their configured identity provider.

SAML is a popular enterprise solution due to the improved user experience and increased security it provides. Users only need to manage one set of credentials for multiple applications. The service provider no longer needs to store any login credentials for your users and you can rely instead on more specialized identity providers to provide more layers of security.

This is what a SAML SSO workflow looks like on Hosted Dolt:

SAML workflow

How to set up SSO for your Hosted organization

Setting up SSO for your Hosted organization only takes a few minutes. This example will use Okta as our third-party identity provider.

1. Create an organization on Hosted

Assuming you already have a Hosted account, you first need to create an organization. In order to set up SSO, it is required that your organization has at least one bootstrap admin user at all times that was not created through the SAML workflow.

Create organization

2. Set up your third-party IdP

You can follow Okta's guide to building a SSO integration for more specific setup information, but we will give an overview here.

First, you must create an Okta Developer Edition Organization. Then, navigate to Applications > Applications and create a new app integration.

Okta new app integration

Give your app a name and (optional) logo.

Okta create SAML integration general settings

Fill out the SAML settings. You can find this information in the SSO tab of your organization on Hosted.

Okta create SAML integration configure SAML

If you'd like to add a signature certificate to verify the digital signatures, you can download the certificate from your Hosted organization's SSO page and upload it in Advanced Settings.

Okta create SAML integration advanced settings

Once your SAML integration is created it should look something like this:

Okta SAML integration

Download the metadata details from the provided Metadata URL. You'll need this when you add this identity provider to your Hosted organization.

curl -OL

Then in the Assignments tab, choose some People or Groups to assign to your integration. These people or groups will have single sign on into your Hosted organization.

Okta assign people

3. Set up Hosted with the metadata from your IdP

Now back to the Hosted website. In the SSO tab of your organization, add the metadata descriptor you downloaded from your Okta integration and click Configure.

Create SAML provider form

You can now share your organization's SSO login url (in this case with the people you added to your Okta integration. They'll also have this link when they log in to their Okta account.

Okta My Apps

4. Signing in to your organization's login URL

When people from your Okta integration navigate to your organization's Login URL, they'll be redirected to the Okta SSO URL and prompted to log in (if they aren't already).

Okta SSO login

After successfully entering their Okta credentials, the Hosted website will check if a user exists that matches the Name ID from the SAML response from Okta. If a Hosted user does not already exist, they will be prompted for an email and username.

Create SAML account

The user will receive an email to verify their email address and automatically be added as a member to your organization. In the future when they log in they will be immediately directed to your organization page.

Differences between SAML-created users and other users

Since users created via an organization's SSO workflow only exist within the context of an organization, they have a few different permissions and properties.

These organization-specific users cannot:

  • Create an organization
  • Be added as a member to another organization
  • Be added as a collaborator to a deployment outside of their organization
  • Create a deployment that does not belong to their organization
  • Add billing (for their own user or any organization)
  • Be the only owner of an organization

This also means that these users will be deleted under certain circumstances:

  • The organization they belong to is deleted
  • They are removed as a member from the organization
  • The SSO configuration is removed from the organization


Give single sign on for your Hosted Dolt organization a try! We have tested the SSO workflows for a few identity providers, but please let us know if your chosen identity provider does not work and we will make sure to get you up and running.

As always, you can reach us on Discord or make a feature request on GitHub.



Get started with Dolt

Or join our mailing list to get product updates.