Setting up PingOne SSO for Dagster Cloud#

This guide is applicable to Dagster Cloud.

In this guide, you'll configure PingOne to use single sign-on (SSO) with your Dagster Cloud organization.


To complete the steps in this guide, you'll need:

Step 1: Add the Dagster Cloud app in PingOne#

  1. Sign into your PingOne Console.

  2. Using the sidebar, click Connections > Applications.

    PineOne Sidebar
  3. On the Applications page, add an application.

  4. In Select an application type, click Web app.

  5. Click SAML > Configure:

    Add App

Step 2: Configure SSO in PingOne#

  1. In the Create App Profile page:

    1. Add an application name, description, and icon:

      Application Details
    2. When finished, click Save and Continue.

  2. In the Configure SAML page:

    1. Fill in the following:

      • ACS URLS and Entity ID: Copy and paste the following URL, replacing <organization_name> with your Dagster Cloud organization name:

      • Assertion Validity Duration: Type 60.

      In the following example, the organization’s name is hooli and the Dagster Cloud domain is

      Service Provider Details
    2. When finished, click Save and Continue.

  3. In the Map Attributes page:

    1. Configure the following attributes:

      Application attributeOutgoing value
      EmailEmail Address
      FirstNameGiven Name
      LastNameFamily Name

      The page should look similar to the following:

      Attribute Mapping
    2. When finished, click Save and Continue.

Step 3: Upload the SAML metadata to Dagster Cloud#

Next, you'll save and upload the application's SAML metadata to Dagster Cloud. This will enable single sign-on.

  1. In PingOne, open the Dagster Cloud application.

  2. Click the Configuration tab.

  3. In the Connection Details section, click Download Metadata:

    SAML Metadata
  4. When prompted, save the file to your computer.

  5. After you've downloaded the SAML metadata file, upload it to Dagster Cloud using the dagster-cloud CLI:

    dagster-cloud organization settings saml upload-identity-provider-metadata <path/to/metadata> \
      --api-token=<user_token> \
      --url https://<organization_name>

Step 4: Grant access to users#

Next, you'll assign users to the Dagster Cloud application in PingOne. This will allow them to log in using their PingOne credentials when the single sign-on flow is initiated.

  1. In the Dagster Cloud application, click the Access tab.

  2. Click the pencil icon to edit the Group membership policy:

    Assign New Login
  3. Edit the policy as needed to grant users access to the application.

Step 5: Test your SSO configuration#

Lastly, you'll test your SSO configuration:

Testing a service provider-initiated login#

  1. Navigate to your Dagster Cloud sign in page at https://<organization_name>

  2. Click the Sign in with SSO button.

  3. Initiate the login flow and address issues that arise, if any.

Testing an identity provider-initiated login#

In the PingOne application portal, click the Dagster Cloud icon:

Identity Provider Login

If successful, you'll be automatically signed in to your Dagster Cloud organization.