Enable SSO in the admin panel

Streamline your login process with Single Sign-On (SSO), which enables users to log in once using a single set of credentials. With SSO, you can conveniently access all corporate applications, websites, and authorized data. Make the most of your Baserow experience by simplifying authentication and securely accessing your resources.

Learn how to integrate SSO to seamlessly authenticate across various applications and systems without the need to remember multiple usernames and passwords.

Overview

Instance Admins can set up Single sign-on (SSO) with Identity Providers (IdP) for their teams’ logins to Baserow.

Single Sign-On feature is a part of the Baserow Enterprise offering. Instance-wide features are only available on the self-hosted Enterprise plan. To learn more about the Baserow enterprise plan, visit our pricing page.

Only Instance admins on a self-hosted Baserow server with the Enterprise plan can access the SSO admin page. Instance Admins have staff access to the entire self-hosted instance.

Add providers for SSO SAML

Baserow uses SAML (Security Assertion Markup Language) to simplify and secure the authentication process so users only need to log in once with a single set of authentication credentials.

1. From your Baserow dashboard, go to Admin → Authentication in the navigation sidebar on the left. Under the authentication configuration section, click the “Add Provider” button.

2. Select “SSO SAML Provider” from the dropdown menu. Clicking this will open up a configuration window:

3. When the “Add a new SSO SAML provider” modal is opened, you can see the Default Relay State URL and the Single Sign On URL needed to configure a SAML application. You’ll need this value later, so make a note of them.

4. Next, retrieve your third-party SSO metadata and domain from your SSO identity provider, following the instructions for each in this guide:

   • Configure OneLogin for SAML SSO
   • Configure Okta for SAML SSO
   • Configure Azure AD for SAML SSO

5. Paste the XML metadata in the authentication popup. You’ll end up with something like this:

6. Save the new provider. Click ‘Create’ to allow the SSO login configuration to occur.

After the provider has been correctly created, you should see it listed in the provider’s list.

OAuth provider configuration

Baserow supports a variety of OAuth 2 providers like Google, Facebook, GitLab, GitHub, and any providers that support OpenID Connect protocol.

1. From your Baserow dashboard, go to Admin → Authentication. Under the authentication configuration section, click the “Add Provider” button.

2. Select a provider from the dropdown menu. Clicking this will open up a configuration window:

3. When the modal is opened, you can see the Callback URL needed to configure the provider. You’ll need this value later, so make a note of it.

4. Next, retrieve your Client ID and Secret from the provider, following the instructions for each in this guide:

   • Configure SSO with Google as the Identity Provider
   • Configure SSO with Facebook as the Identity Provider
   • Configure SSO with GitHub as the Identity Provider
   • Configure SSO with GitLab as the Identity Provider
   • Configure SSO with OpenID Connect

   To configure OpenID Connect, you will also need to retrieve your Custom provider name and Base URL from the provider.

5. After retrieving your organization’s third-party SSO details, you will need to enter the provider’s Client ID and Secret that you receive from the IdP in the fields in Baserow.

   • Fill in the Provider’s name. This name will be displayed to your Baserow users on the login screen.
   • Fill in the Client ID and Secret that you obtained from the provider.
   • To configure OpenID Connect, also fill in the Provider’s Base URL. Also, you can optionally set a custom GitLab URL in case you are self-hosting GitLab.

6. Save the new provider. Click ‘Create’ to allow the SSO login configuration to occur.

After the provider has been correctly created, you should see it listed in the provider’s list.

Edit or delete an identity provider

On your authentication page in the admin section, you can edit, delete or disable an authentication provider.

Any IdP, including Email and Password authentication, can be disabled/enabled, but at least one provider needs to be enabled. To disable or enable an authentication provider, use the toggle beside the provider.

If authentication with Email and Password is disabled, at least one authentication provider must always be enabled. It is not possible to delete or disable the last enabled provider.

To edit or delete an authentication provider, click the ellipsis icon beside the provider and select Edit or Delete:

Related content

• Single Sign On (SSO) overview.
• Baserow Enterprise plan.
• Email and password authentication.

---

Still need help? If you’re looking for something else, please feel free to make recommendations or ask us questions—we’re ready to assist you.

   Ask the Baserow community

   Contact support for questions about Baserow or help with your account.