Setup for Lightdash Cloud vs self-hosted
- Lightdash Cloud
- Self-hosted
If you’re on Lightdash Cloud, you don’t set environment variables yourself. Instead:
- Complete the provider-side setup (e.g., create an OAuth app in Okta, Google, Azure AD, etc.) using the setup guides linked below.
- Securely share the resulting configuration values (client ID, client secret, issuer URL, etc.) with the Lightdash team.
- The Lightdash team will configure SSO on your behalf.
When following the setup guides below, you can skip any steps about setting environment variables — those only apply to self-hosted instances. Focus on the provider-side configuration and note down the values you’ll need to share with Lightdash.
SSO providers by plan
| Provider | Cloud Pro | Enterprise | Self-hosted |
|---|---|---|---|
| Okta | |||
| Azure AD | |||
| OneLogin | |||
| Generic OIDC |
Self-hosted instances can configure any supported SSO provider by setting environment variables directly. See the self-hosted SSO configuration guide for setup instructions. Lightdash Cloud customers should follow the provider-side setup and share the values with the Lightdash team.
Provider details
- Included in: Cloud Pro, Enterprise, Self-hosted
- Setup guide: Google SSO configuration
Okta
OpenID Connect (OIDC) integration with Okta. Supports group synchronization and SCIM provisioning.- Included in: Cloud Pro, Enterprise, Self-hosted
- Features: Group sync, JIT provisioning, custom authorization servers
- Setup guide: Okta SSO configuration
Azure Active Directory
OpenID Connect integration with Microsoft Azure AD. Supports both client secret and private key JWT authentication.- Included in: Enterprise, Self-hosted
- Features: Multiple authentication methods, tenant isolation
- Setup guide: Azure AD configuration
OneLogin
OpenID Connect integration with OneLogin identity platform.- Included in: Enterprise, Self-hosted
- Setup guide: OneLogin configuration
Generic OIDC
Connect any OpenID Connect-compliant identity provider (Keycloak, Auth0, PingIdentity, etc.).- Included in: Enterprise, Self-hosted
- Features: Flexible configuration, supports private_key_jwt authentication
- Setup guide: Generic OIDC configuration
Additional authentication options
Password authentication
Email/password authentication is available on all plans and enabled by default. Organizations using SSO can disable password authentication to enforce SSO-only login.Warehouse SSO (Enterprise only)
Enterprise customers can also configure SSO for data warehouse connections:- Snowflake OAuth - Users authenticate with Snowflake using their corporate identity
- Databricks OAuth - User-to-Machine (U2M) OAuth flow for Databricks