Skip to main content

Set up SSO with Okta

Enterprise Feature

This guide describes a feature of the dbt Cloud Enterprise plan. If you’re interested in learning more about an Enterprise plan, contact us at

Okta SSO

dbt Cloud Enterprise supports single-sign on via Okta (using SAML). Currently supported features include:

  • IdP-initiated SSO
  • SP-initiated SSO
  • Just-in-time provisioning

This guide outlines the setup process for authenticating to dbt Cloud with Okta. If you have any questions during the setup process, please contact support ( for assistance.

Configuration in Okta

Create a new application

Note: You'll need administrator access to your Okta organization to follow this guide.

First, log into your Okta account. Using the Admin dashboard, create a new app.

Create a new appCreate a new app

On the following screen, select the following configurations:

  • Platform: Web
  • Sign on method: SAML 2.0

Click Create to continue the setup process.

Configure a new appConfigure a new app

Configure the Okta application

On the General Settings page, enter the following details::

  • App name: dbt Cloud
  • App logo (optional): You can optionally download the dbt logo, and upload it to Okta to use as the logo for this app.

Click Next to continue.

Configure the app's General SettingsConfigure the app's General Settings

Configure SAML Settings

The SAML Settings page configures how Okta and dbt Cloud communicate. You will want to use an appropriate Access URL for your region and plan. If you aren't sure which values you should use, please contact support (

To complete this section, you will need a login slug. This slug controls the URL where users on your account can log into your application via Okta. Login slugs are typically the lowercased name of your organization separated with dashes. For example, the login slug for dbt Labs would be dbt-labs. Login slugs must be unique across all dbt Cloud accounts, so pick a slug that uniquely identifies your company.

On the SAML Settings page, enter the following values, replacing YOUR_ACCESS_URL with the appropriate Access URL for your region and plan:

  • Single sign on URL: https://YOUR_ACCESS_URL/complete/okta
  • Audience URI (SP Entity ID): https://YOUR_ACCESS_URL/
  • Relay State: <login slug>
Configure the app's SAML SettingsConfigure the app's SAML Settings

Use the Attribute Statements and Group Attribute Statements forms to map your organization's Okta User and Group Attributes to the format that dbt Cloud expects.

Expected User Attribute Statements:

NameName formatValueDescription
emailUnspecified${}The user's email address
first_nameUnspecified${user.firstName}The user's first name
last_nameUnspecified${user.lastName}The user's last name

Expected Group Attribute Statements:

NameName formatFilterValueDescription
groupsUnspecifiedMatches regex.*The groups that the user belongs to

Note: You may use a more restrictive Group Attribute Statement than the example shown above. For example, if all of your dbt Cloud groups start with DBT_CLOUD_, you may use a filter like Starts With: DBT_CLOUD_. Okta only returns 100 groups for each user, so if your users belong to more than 100 IdP groups, you will need to use a more restrictive filter. Please contact support if you have any questions.

Configure the app's User and Group Attribute StatementsConfigure the app's User and Group Attribute Statements

Click Next to continue.

Finish Okta setup

Select I'm an Okta customer adding an internal app, and select This is an internal app that we have created. Click Finish to finish setting up the app.

Finishing setup in OktaFinishing setup in Okta

View setup instructions

On the next page, click View Setup Instructions. In the steps below, you'll supply these values in your dbt Cloud Account Settings to complete the integration between Okta and dbt Cloud.

Viewing the configured applicationViewing the configured applicationApplication setup instructionsApplication setup instructions

Configuration in dbt Cloud

Configuration in dbt Cloud

To complete setup, follow the steps below in dbt Cloud.

Enable Okta native auth (beta)

If you access dbt Cloud using virtual private cloud (VPC), enable the native_okta feature flag in the dbt Cloud admin backend.

Supplying credentials

First, navigate to the Enterprise > Single Sign On page under Account Settings. Next, click the Edit button and supply the following SSO details:

Login Slugs

The slug configured here should have the same value as the Okta RelayState configured in the steps above.

Log in withOkta
Identity Provider SSO UrlPaste the Identity Provider Single Sign-On URL shown in the Okta setup instructions
Identity Provider IssuerPaste the Identity Provider Issuer shown in the Okta setup instructions
X.509 CertificatePaste the X.509 Certificate shown in the Okta setup instructions
SlugEnter your desired login slug. Users will be able to log into dbt Cloud by navigating to https://YOUR_ACCESS_URL/enterprise-login/LOGIN_SLUG, replacing YOUR_ACCESS_URL with the appropriate Access URL for your region and plan. Login slugs must be unique across all dbt Cloud accounts, so pick a slug that uniquely identifies your company.
Configuring the application in dbt CloudConfiguring the application in dbt Cloud
  1. Click Save to complete setup for the Okta integration. From here, you can navigate to the URL generated for your account's slug to test logging in with Okta. Additionally, users added the the Okta app will be able to log in to dbt Cloud from Okta directly.
Logging in

Users can now log into the dbt Cloud by navigating to the following URL, replacing LOGIN_SLUG with the value used in the previous steps and YOUR_ACCESS_URL with the appropriate Access URL for your region and plan:


Setting up RBAC

Now you have completed setting up SSO with Okta, the next steps will be to set up RBAC groups to complete your access control configuration.