🛠 This page is for engineering teams self-hosting their own Lightdash instance. The environment variables listed below are set directly in your self-hosted deployment.Lightdash Cloud users: configure SSO yourself from Organization settings → Single Sign-On — see Configure SSO. Use the provider-side steps on this page (creating an OAuth app, configuring redirect URIs, etc.) to obtain the values, then enter them in the organization settings UI instead of setting environment variables.Cloud SSO also requires a verified domain. Saving provider credentials without a verified domain will not route users to that provider during sign-in.
Multiple authentication methods
Lightdash supports configuring multiple authentication methods simultaneously on a single instance. You can enable any combination of sign-in options, including:- Password + Okta
- Password + Google + Okta
- Multiple SSO providers (e.g., Google + Azure AD + One Login)
Passwords
We recommend adding the SMTP environment variables so Lightdash can display aForgot your password? button in the login page and send emails to reset passwords.
You can override a user password in just a few steps:
- Open the bash terminal for the docker Lightdash container
- Override user password with this command:
SSO setup
To enforce SSO, it’s recommended to disable password authentication. This can be done by setting the following environment variable:Okta
Lightdash supports Okta as an authentication provider. The integration uses OpenID Connect (OIDC) to authenticate users and JIT provisioning to create users in Lightdash when they first log in.Creating an Okta application
In the Okta admin panel, navigate to Applications and click Create App Integration, choose the following settings:- Sign-in method: OIDC - OpenID Connect
- Application type: Web application
{{ lightdash_url }} with the URL of your Lightdash instance. For example if you normally access Lightdash at https://lightdash.example.com/login then you should use https://lightdash.example.com as your {{ lightdash_url }}.
- Grant type: Authorization Code
- Sign-in redirect URIs:
{{ lightdash_url }}/api/v1/oauth/redirect/okta - Sign-out redirect URIs:
{{ lightdash_url }} - Controlled access: Select who can access this application
- Login initiated by: App and Okta Sign-in Page
- Application visibility: Display application icon to users
- Login flow: Redirect to app to initiate login (OIDC Compliant)
- Initiate login URI:
{{ lightdash_url }}/api/v1/login/okta
Okta configuration variables
From the application settings page, you’ll need to copy the following values:- Client ID
- Client secret
dev-123456.okta.com.
Finally, you need the Issuer URI. This is the URL of your Okta authorization server. You can use your Org authorization server which uses https://dev-123456.okta.com as your issuer or select a custom authorization server. To find the issuer URI for a custom authorization server navigate to API > Authorization Servers and click on the authorization server and note the Issuer URI and Name of the authorization server. For example the default authorization server has an issuer URI of https://dev-123456.okta.com/oauth2/default.
Groups & Okta
If you want to use groups to control access to Lightdash, you’ll need to configure Okta and Lightdash to support this. If you’re not using a custom authorization server ID:- on
OpenID Connect ID Tokensection in the Okta application settings, addgroupsto theGroups claimfield, by setting a Groups claims type toFilterand a Filter to match expression to.*
- you don’t need to set the
AUTH_OKTA_EXTRA_SCOPESenvironment variable - on the Authorization Server settings, add claim
groups, value typeGroups, matches regex.*
Configuring Lightdash for Okta
You’ll need to set the following environment variables in your Lightdash deployment:Enable Automatic Assignment of Okta Users to Groups in Lightdash
Okta users will automatically be assigned to the same groups in Lightdash as they are in Okta if you have configured Okta to share groups with Lightdash. To enable this functionality, ensure the following environment variable is set:
read more about Using OKTA to manage groups in Lightdash
- Authorized JavaScript Origins:
https://{{ lightdash_domain }} - Authorized redirect URIs:
https://{{ lightdash_domain }}/api/v1/oauth/redirect/google
{{ lightdash_domain }} is the domain you use to sign in to Lightdash such as mycompany.lightdash.com
These environment variables must be provided to Lightdash to enable you to control Single Sign On (SSO) functionality for Google
Combine BigQuery SSO consent with Google login
If you use BigQuery SSO to give users per-user warehouse credentials, setAUTH_GOOGLE_INCLUDE_BIGQUERY_SCOPE=true to request the BigQuery scope during the initial Google login. Users will complete one consent screen that covers both Lightdash login and BigQuery warehouse access instead of two separate OAuth flows.
When enabled, Lightdash also requests offline access with a forced consent prompt so Google returns a refresh token for the BigQuery connection. Leave this unset (or false) if you do not use BigQuery SSO.
Before enabling this option:
- Confirm Google SSO is configured and working (
AUTH_GOOGLE_ENABLED=true). - Add the
https://www.googleapis.com/auth/bigqueryscope to your OAuth consent screen in Google Cloud. - Enable BigQuery SSO at the project level for the warehouse connections that should use it.
One Login
To create a One Login integration:- Head to the Administration portal
- In the navigation bar at the top select Applications > Applications
- Hit the Add App button
- Under Find Applications search for OpenID Connect (OIDC) and select it
- Set the Display Name and for the Icon you can use our Lightdash Media Kit to get a Lightdash Bolt logo and press Save
- Set the following values for the application
- Configuration > Login URL
{{site_url}}/api/v1/login/oneLogin - Configuration > Redirect URL
{{site_url}}/api/v1/oauth/redirect/oneLogin - SSO > Application Type
web - SSO > Token endpoint
post - SSO > Enable login hint
true
- Configuration > Login URL
- From the SSO page copy the client id, client secret, and issuer URL.
Azure Active Directory
Creating an Azure AD application
In the admin panel, navigate to App Registrations and click New registration, choose the following settings for the redirect URI:- Type: Web
- URI:
{{ lightdash_url }}/api/v1/oauth/redirect/azuread
{{ lightdash_url }} with the URL of your Lightdash instance. For example if you normally access Lightdash at https://lightdash.example.com/login then you should use https://lightdash.example.com as your {{ lightdash_url }}.
Hit Register and you’ll be taken to the application settings page. Copy the “Application (client) ID” and “Directory (tenant) ID” values as you’ll need them later.
In the left hand menu, navigate to Certificates & secrets and click New client secret. Give the secret a description and choose an expiry time. Hit Add and you’ll be shown the secret value. Copy this value as you’ll need it later.