SSO (SAML 2.0)
OneAnalytics supports SAML 2.0 for single sign-on with any SAML IdP (Okta, Azure AD / Entra ID, Google Workspace, OneLogin, JumpCloud, custom). Attribute-based RLS, just-in-time provisioning, and SCIM 2.0 for user lifecycle all work on top.
Service Provider metadata
From Settings → SSO → SAML, copy:
- Entity ID (Audience): https://api.analytics.rstglobal.in/saml/sp/<tenant_id>
- ACS URL: https://api.analytics.rstglobal.in/saml/acs/<tenant_id>
- SLO URL: https://api.analytics.rstglobal.in/saml/slo/<tenant_id>
- NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Our SP metadata XML is downloadable from the same page.
Required attributes
The IdP must release these attributes in the SAML response:
| Attribute name | Example | Used for |
|---|---|---|
| email | ada@example.com | User identifier |
| first_name | Ada | Profile |
| last_name | Lovelace | Profile |
| groups | ["finance", "editors"] | Team membership |
| region (optional) | North | RLS attribute |
Any additional attribute is stored under user.attributes.<name> and is available to RLS predicates.
Provider walkthroughs
Okta: apps → Create App → SAML 2.0 → paste our ACS + Entity ID, map the five attributes above to Okta's standard profile fields, download the IdP metadata, upload to OneAnalytics.
Azure AD / Entra ID: Enterprise Applications → New → Non-gallery → SAML SSO → paste ACS + Entity ID → Attributes & Claims → add email, first_name, last_name, groups (with group display name, not ObjectID) → download the federation metadata XML, upload to OneAnalytics.
Google Workspace: Admin console → Apps → Web & Mobile Apps → Add → Custom SAML → paste ACS + Entity ID → Attributes → map primaryEmail → email, etc. → download IdP metadata.
Just-in-time (JIT) provisioning
Default on. A user who logs in via SAML without an existing account gets one created automatically, with role Viewer and membership in any team whose name matches a group in the assertion.
Disable in Settings → SSO → JIT if you want manual approval.
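To make the attribute and JIT rules above concrete, here is an added example (not OneAnalytics code) that pulls the AttributeStatement out of a constructed assertion, rejects a login missing any required attribute, flags an Entra ID groups claim still sending ObjectIDs, and derives the Viewer user with matching team membership and extra attributes. The function names and the use of the standard-library XML parser are assumptions; signature, audience and time-condition checks are taken as already done.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "first_name", "last_name", "groups")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample: only the AttributeStatement matters here; signature,
# audience and time conditions are assumed to have been checked already.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="last_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>finance</saml:AttributeValue>
   <saml:AttributeValue>editors</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="region"><saml:AttributeValue>North</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs

def jit_provision(attrs, existing_teams):
    """Apply the JIT rule from the text: a missing required attribute rejects the
    login, a new user gets role Viewer plus every existing team whose name matches
    a group in the assertion, and extra attributes land under user.attributes.<name>."""
    missing = [n for n in REQUIRED if not attrs.get(n)]
    if missing:
        raise ValueError("assertion lacks required attributes: " + ", ".join(missing))
    groups = attrs["groups"]
    # A groups claim made only of GUIDs usually means Entra ID is still sending
    # ObjectIDs rather than group display names, so no team would ever match.
    if all(GUID_RE.match(g) for g in groups):
        raise ValueError("groups look like ObjectIDs; map group display names instead")
    extras = {k: (v[0] if len(v) == 1 else v) for k, v in attrs.items() if k not in REQUIRED}
    return {
        "email": attrs["email"][0],
        "role": "Viewer",
        "teams": sorted(set(groups) & set(existing_teams)),
        "attributes": extras,
    }
```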
Lifecycle via SCIM
SSO handles authentication but not offboarding — if you disable a user in Okta, they stay in OneAnalytics until their session expires. For real lifecycle, enable SCIM.
Testing
Settings → SSO → Test mints a dummy SAML response and runs it through our validator; useful for debugging without round-tripping the IdP.
Enforcement
Once SAML is configured and tested, enable Enforce SSO to block email/password login. The password of the single configured break-glass user is always preserved, so emergency access remains possible if the IdP is unavailable.