DataGalaxy Portfolio supports integration with OAuth2/OIDC Identity Providers (IdP), enabling the replacement of password-based authentication.
We strongly recommend enabling SSO for all users, as it provides a more secure and centralized way to manage access.
SSO Configuration
To enable SSO with your Identity Provider (IdP), the following steps and information are required.
1. Register a Client in Your IdP
Create a new OAuth2/OIDC client with the following callback URL (adapted to your DataGalaxy Portfolio tenant): https://<tenant name>.yooi.io/auth/sso/callback
2. Provide the Following to DataGalaxy Portfolio Support
-
Authorized email domains: Users with these domains will be allowed to log in via this IdP.
-
Autoprovisioning option:
-
enabled: Authorized users not yet present in DataGalaxy Portfolio are automatically created upon their first login. No administrative action is required to onboard new users in DataGalaxy Portfolio as long as their are authorized by the IdP. -
disabled: Authorized users must be pre-provisioned in DataGalaxy Portfolio by an administrator; otherwise, they will not be able to log in.
-
-
Identity provider type: Entra (Azure), Okta or Other.
3. Identity Provider Details
Depending on the provider:
-
For Entra (Azure):
-
Tenant ID
-
Client ID
-
Client secret
-
-
For Okta:
-
Issuer URL, eg
https://<okta tenant name>.okta.com -
Client ID
-
Client secret
-
-
For Other:
-
Either :
-
The OIDC Discovery
.well-knownendpoint URL. -
Or, the following details:
-
Issuer
-
Authorization endpoint URL
-
Token endpoint URL
-
User info endpoint URL (if needed)
-
Jwks URL
-
-
-
Client ID
-
Client secret
-
SSO Usage rules and best practices
Mandatory SSO for authorized domains
All users with an email address belonging to an authorized domain must log in via SSO, they cannot authenticate using email/password.
Autoprovisioning behavior
In case autoprovisioning is enabled, the SSO user accounts creation is automatically done, there is no administration task needed.
In case autoprovisoning is disabled, there are many strategies to create accounts:
-
Accounts can be created in Admin > Authorization > + Create a new user
-
List of accounts emails can be provisioned through Admin > Authorization > Provision SSO users.
-
Integrations can also created accounts that are referenced in external data sources.
Test accounts
We strongly recommend not creating test accounts using email addresses outside of authorized domains. These external emails will require password-based authentication instead of using Single Sign-On (SSO), which may disrupt standard workflows.
DataGalaxy Portfolio offers two secure methods for creating test accounts while preserving SSO functionality. These options must be activated by the DataGalaxy Portfolio support team.
Individual Account Aliases
An account alias uses the same base email address with a unique identifier added before the @ symbol. The format is:
<base-email>+<alias>@domain.com
Example:
Main email: john.doe@example.net
Valid alias: john.doe+test@example.net
How it works:
-
A separate account must be created using the alias email address (e.g.,
john.doe+test@example.net). -
When logging in, select Continue with your email (do not use Login with SSO) and enter the alias email address,
john.doe+test@example.netfor a read-only session, orrw#john.doe+test@example.netfor a read-and-write session. -
DataGalaxy Portfolio will authenticate via SSO using the main email (
john.doe@example.net) and match it to the alias account.
Behavior:
-
Alias accounts function like any other account and can have different permissions and roles.
-
⚠️ Email notifications and automation messages will be sent to the main mailbox (
john.doe@example.net), provided the email provider supports aliasing. Otherwise, emails may not be delivered.
Shared Impersonated Accounts
This option allows multiple users to access a test account using their existing credentials via SSO. This configuration must be performed by DataGalaxy Portfolio support. Please provide:
-
The alias email address to be used for the test account. This email address must not exist in the SSO directory.
-
A list of account email addresses authorized to impersonate the shared test account.
How it works
-
Authorized users log in by selecting Continue with your email (not Login with SSO) and entering the email address of the shared impersonated account, prefixed with
rw#for a read-and-write session, or without the prefix for a read-only session. -
DataGalaxy Portfolio will authenticate each user via SSO using the user’s main account and grant access to the shared impersonated account.