Hosted DoltDB is for running online, production
Dolt databases. We recently received a feature
for SAML integration for a single sign-on (SSO) solution to
hosted.doltdb.com, which is available now!
What is SAML?
Assertion Markup Language) is a standard for exchanging authentication and authorization
data between a Service Provider (SP) - in this case Hosted
Dolt - and an Identity Provider (IdP) - some third-party
provider. A Hosted customer would configure an identity provider for their organization
within the Hosted product, and their users would authenticate and authorize access to that
organization through their configured identity provider.
SAML is a popular enterprise solution due to the improved user experience and increased
security it provides. Users only need to manage one set of credentials for multiple
applications. The service provider no longer needs to store any login credentials for your
users and you can rely instead on more specialized identity providers to provide more
layers of security.
This is what a SAML SSO workflow looks like on Hosted Dolt:
How to set up SSO for your Hosted organization
Setting up SSO for your Hosted organization only takes a few minutes. This example will
use Okta as our third-party identity provider.
1. Create an organization on Hosted
Assuming you already have a Hosted account, you first need to create an
organization. In order to set up SSO, it is
required that your organization has at least one bootstrap admin user at all times that
was not created through the SAML workflow.
2. Set up your third-party IdP
You can follow Okta's guide to building a SSO
integration for more specific setup information, but we will give an overview here.
First, you must create an Okta Developer Edition
Organization. Then, navigate to Applications >
Applications and create a new app integration.
Give your app a name and (optional) logo.
Fill out the SAML settings. You can find this information in the SSO tab of your
organization on Hosted.
If you'd like to add a signature certificate to verify the digital signatures, you can
download the certificate from your Hosted organization's SSO page and upload it in
Once your SAML integration is created it should look something like this:
Download the metadata details from the provided Metadata URL. You'll need this when you
add this identity provider to your Hosted organization.
curl -OL https://dev-99612740.okta.com/app/exkb7ksuh3Jn9h90I5d7/sso/saml/metadata
Then in the Assignments tab, choose some People or Groups to assign to your integration.
These people or groups will have single sign on into your Hosted organization.
Now back to the Hosted website. In the SSO tab of your organization, add the metadata
descriptor you downloaded from your Okta integration and click
You can now share your organization's SSO login url (in this case
https://hosted.doltdb.com/organizations/mycompany/sso) with the people you added to your
Okta integration. They'll also have this link when they log in to their Okta account.
4. Signing in to your organization's login URL
When people from your Okta integration navigate to your organization's Login URL, they'll
be redirected to the Okta SSO URL and prompted to log in (if they aren't already).
After successfully entering their Okta credentials, the Hosted website will check if a
user exists that matches the Name ID from the SAML response from Okta. If a Hosted user
does not already exist, they will be prompted for an email and username.
The user will receive an email to verify their email address and automatically be added as
a member to your organization. In the future when they log in they will be immediately
directed to your organization page.
Differences between SAML-created users and other users
Since users created via an organization's SSO workflow only exist within the context of an
organization, they have a few different permissions and properties.
These organization-specific users cannot:
- Create an organization
- Be added as a member to another organization
- Be added as a collaborator to a deployment outside of their organization
- Create a deployment that does not belong to their organization
- Add billing (for their own user or any organization)
- Be the only owner of an organization
This also means that these users will be deleted under certain circumstances:
- The organization they belong to is deleted
- They are removed as a member from the organization
- The SSO configuration is removed from the organization
Give single sign on for your Hosted Dolt organization a try! We have tested the SSO
workflows for a few identity providers, but please let us know if your chosen identity
provider does not work and we will make sure to get you up and running.
As always, you can reach us on Discord or make a feature
request on GitHub.