> ## Documentation Index
> Fetch the complete documentation index at: https://lightdash-mintlify-ca973f84.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# SSO providers

> Overview of supported Single Sign-On providers across Lightdash plans

Lightdash supports multiple SSO providers for secure authentication. This page provides an overview of which providers are available on each plan.

## Setup for Lightdash Cloud vs self-hosted

<Tabs>
  <Tab title="Lightdash Cloud">
    If you're on **Lightdash Cloud**, you don't set environment variables yourself. Instead:

    1. Complete the provider-side setup (e.g., create an OAuth app in Okta, Google, Azure AD, etc.) using the setup guides linked below.
    2. Securely share the resulting configuration values (client ID, client secret, issuer URL, etc.) with the Lightdash team.
    3. The Lightdash team will configure SSO on your behalf.

    <Note>
      When following the setup guides below, you can skip any steps about setting environment variables — those only apply to self-hosted instances. Focus on the provider-side configuration and note down the values you'll need to share with Lightdash.
    </Note>
  </Tab>

  <Tab title="Self-hosted">
    If you're **self-hosting** Lightdash, you configure SSO by setting environment variables directly in your deployment. Follow the [self-hosted SSO configuration guide](/self-host/customize-deployment/use-sso-login-for-self-hosted-lightdash) for full instructions.
  </Tab>
</Tabs>

## SSO providers by plan

| Provider     |       Cloud Pro       |       Enterprise      |      Self-hosted      |
| :----------- | :-------------------: | :-------------------: | :-------------------: |
| Google       | <Icon icon="check" /> | <Icon icon="check" /> | <Icon icon="check" /> |
| Okta         | <Icon icon="check" /> | <Icon icon="check" /> | <Icon icon="check" /> |
| Azure AD     |                       | <Icon icon="check" /> | <Icon icon="check" /> |
| OneLogin     |                       | <Icon icon="check" /> | <Icon icon="check" /> |
| Generic OIDC |                       | <Icon icon="check" /> | <Icon icon="check" /> |

<Note>
  Self-hosted instances can configure any supported SSO provider by setting environment variables directly. See the [self-hosted SSO configuration guide](/self-host/customize-deployment/use-sso-login-for-self-hosted-lightdash) for setup instructions. Lightdash Cloud customers should follow the provider-side setup and share the values with the Lightdash team.
</Note>

## Provider details

### Google

OAuth 2.0-based authentication using Google accounts. Ideal for organizations using Google Workspace.

* **Included in**: Cloud Pro, Enterprise, Self-hosted
* **Setup guide**: [Google SSO configuration](/self-host/customize-deployment/use-sso-login-for-self-hosted-lightdash#google)

### Okta

OpenID Connect (OIDC) integration with Okta. Supports group synchronization and SCIM provisioning.

* **Included in**: Cloud Pro, Enterprise, Self-hosted
* **Features**: Group sync, JIT provisioning, custom authorization servers
* **Setup guide**: [Okta SSO configuration](/self-host/customize-deployment/use-sso-login-for-self-hosted-lightdash#okta)

### Azure Active Directory

OpenID Connect integration with Microsoft Azure AD. Supports both client secret and private key JWT authentication.

* **Included in**: Enterprise, Self-hosted
* **Features**: Multiple authentication methods, tenant isolation
* **Setup guide**: [Azure AD configuration](/self-host/customize-deployment/use-sso-login-for-self-hosted-lightdash#azure-active-directory)

### OneLogin

OpenID Connect integration with OneLogin identity platform.

* **Included in**: Enterprise, Self-hosted
* **Setup guide**: [OneLogin configuration](/self-host/customize-deployment/use-sso-login-for-self-hosted-lightdash#one-login)

### Generic OIDC

Connect any OpenID Connect-compliant identity provider (Keycloak, Auth0, PingIdentity, etc.).

* **Included in**: Enterprise, Self-hosted
* **Features**: Flexible configuration, supports private\_key\_jwt authentication
* **Setup guide**: [Generic OIDC configuration](/self-host/customize-deployment/use-sso-login-for-self-hosted-lightdash#openid-connect)

## Additional authentication options

### Password authentication

Email/password authentication is available on all plans and enabled by default. Organizations using SSO can disable password authentication to enforce SSO-only login.

### Warehouse SSO (Enterprise only)

Enterprise customers can also configure SSO for data warehouse connections:

* **Snowflake OAuth** - Users authenticate with Snowflake using their corporate identity
* **Databricks OAuth** - User-to-Machine (U2M) OAuth flow for Databricks

These create per-user warehouse credentials rather than shared project credentials.

## Related resources

* [Self-hosted SSO configuration](/self-host/customize-deployment/use-sso-login-for-self-hosted-lightdash)
* [SCIM integration](/references/workspace/scim-integration)
* [Groups and access control](/references/workspace/groups)
