You finally get everyone using Metabase, dashboards humming, queries flying—and then someone says, “Wait, do we have SSO set up?” The room goes quiet. This is where Metabase SAML saves your weekend.
Metabase is the open-source BI tool that makes data visible and decisions faster. SAML, or Security Assertion Markup Language, is the trusted protocol behind single sign-on for Okta, Azure AD, AWS IAM Identity Center, and others. Together they let analysts, engineers, and managers log in with the same credentials they use everywhere else. The trick is wiring that connection cleanly and securely.
Connecting Metabase SAML isn’t dark magic. It’s about mapping identity and group attributes so access fits your organization’s logic. Your identity provider authenticates users and issues signed assertions. Metabase consumes those assertions, verifies the signature, and checks which groups map to what permissions. No duplicate passwords, no shadow admins, no forgotten accounts lurking after an offboarding.
SAML integration shines when roles are consistent. A “Data Engineers” group in Okta might map to a “Metabase Admins” group internally, while “Product Analysts” map to read-only dashboards. The biggest wins come from aligning these role mappings with your RBAC policies early, before you let production users in. Clean group design up front means fewer tickets later.
Quick answer: To integrate Metabase SAML with Okta or another IdP, configure the IdP with Metabase’s ACS URL and entity ID, enable SAML in Metabase settings, upload the IdP metadata, and test group mappings. Successful logins confirm identity, signature validation, and group authorization.
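
One way to run the "test group mappings" step against a staging login, as an added example that is not Metabase's or any IdP's own code: it reads the attribute statement of a decoded assertion and reports which Metabase groups the intended mapping would grant. The attribute name `member_of`, the group name `Read-Only Analysts`, and the sample assertion are assumptions constructed for illustration; the script does not verify signatures, which remains Metabase's job.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Intended IdP-group -> Metabase-group mapping. "Read-Only Analysts" is a hypothetical name.
GROUP_MAP = {
    "Data Engineers": "Metabase Admins",
    "Product Analysts": "Read-Only Analysts",
}
PRIVILEGED = {"Metabase Admins"}  # grants that deserve a second look before go-live

# Constructed sample: a decoded assertion captured from your own staging login.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>dana@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="member_of">
      <saml:AttributeValue>Data Engineers</saml:AttributeValue>
      <saml:AttributeValue>Contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def audit_group_mapping(assertion_xml, group_attr="member_of", group_map=GROUP_MAP):
    """Resolve the Metabase groups one assertion would grant and flag surprises."""
    # Review aid for your own staging captures only: no signature check happens here.
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    idp_groups = [
        (v.text or "").strip()
        for a in root.iterfind(".//saml:Attribute", NS)
        if a.get("Name") == group_attr
        for v in a.iterfind("saml:AttributeValue", NS)
    ]
    granted = sorted({group_map[g] for g in idp_groups if g in group_map})
    return {
        "user": name_id.text.strip() if name_id is not None and name_id.text else None,
        "granted": granted,
        "unmapped": sorted(g for g in idp_groups if g and g not in group_map),
        "privileged": sorted(set(granted) & PRIVILEGED),
        "missing_group_attribute": not idp_groups,  # IdP sent no group claim at all
    }

if __name__ == "__main__":
    for key, value in audit_group_mapping(SAMPLE_ASSERTION).items():
        print(f"{key}: {value}")
```

An `unmapped` entry means the IdP is sending a group that Metabase will ignore, and `missing_group_attribute` usually means the IdP's attribute name does not match the one configured in Metabase.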
A few best practices make Metabase SAML smoother:
- Rotate SAML certificates before they expire; automate where possible.
- Use HTTPS everywhere to protect SAML assertions in transit.
- Keep your IdP as the source of truth and disable Metabase’s local account creation.
- Log every SAML event for auditing and SOC 2 compliance evidence.
- Use staging environments to test before connecting production identities.
The benefits are obvious but worth listing:
- Speed: No more manual user provisioning.
- Security: Centralized auth means fewer credentials floating around.
- Auditability: Every login is verifiable and traceable.
- Governance: Consistent permissions mean cleaner access hygiene.
- Developer sanity: Onboarding in minutes instead of waiting on IT.
Once those identity flows are in motion, platforms like hoop.dev can extend that model beyond BI. They turn identity-aware access into enforced runtime policy so you can apply the same SAML-backed trust to internal services or APIs—without touching each one manually. It is like SSO that actually behaves like code.
AI integrations only raise the stakes. Copilot-style tools may query dashboards automatically, so who they authenticate as matters. Using Metabase SAML ensures those automated agents act under the same verified identity model as humans, keeping data lineage and compliance intact.
If SAML sounds like overhead, remember it is just structured trust. Once connected, it fades away, leaving a clean login page and the quiet satisfaction that your access model scales.