
Single sign-on (SSO) setup

Single sign-on (SSO) enables users to access Matillion using credentials managed by an identity provider (IdP), removing the need for separate Matillion-specific login details.


Individual single sign-on

Sign in with Google and Sign in with Microsoft are available for individual accounts and require no additional configuration when you sign up using either option.

If you choose to sign up using one of these methods, you can't later change to an email and password login. Note that Sign in with Microsoft supports Microsoft accounts only, and doesn't support Entra ID accounts. For Entra ID authentication, refer to the custom SSO configuration described below.


Custom single sign-on

Custom SSO allows you to authenticate Matillion users using your own identity provider.

Editions

This feature is available to customers on specific editions. Visit Matillion pricing to learn more about each edition.

Any identity provider that supports SAML 2.0 or OpenID Connect can be configured, including:

  • Microsoft Entra ID
  • Okta
  • Ping Identity
  • OneLogin

SSO is configured at the email domain level. Once fully activated, all users with an email address from a configured domain must use SSO to sign in. You can configure as many domains as needed. You cannot exclude specific users in a configured domain from SSO, but you can still invite users from domains not included in the SSO configuration to your account, and those users will not be required to use SSO.

To get started, make sure you're using a supported edition, then follow these steps to configure SSO for your account:

  1. Create a DNS entry to confirm ownership of your domain.
  2. Create an application in your identity provider:

  3. Submit a support ticket with the following information:

    • The name of your identity provider.
    • Confirm whether you're using SAML or OpenID Connect.
    • The email domains you want associated with the connection.
    • The TXT record value from the DNS entries created in step 1, formatted as matillion:example-com-saml.
    • For SAML:
      • Login URL.
      • The Identifier or Audience set in your application, formatted as urn:auth0:matillion:example-com-saml.
      • The certificate obtained from your provider, encoded in Base64 format.
    • For OpenID Connect:
      • Client ID.
      • OpenID Connect metadata URL ending with /.well-known/openid-configuration.
      • A link that allows us to access the secret. You must use a secure service, such as https://onetimesecret.com/, to share it.

    User logins won't be affected until the entire process is complete.

  4. When asked to do so by Matillion, test the connection.

  5. After the connection has been successfully tested and is functioning correctly, and you're ready for SSO to be activated:

    • Commit all work to Git for all users. Only committed work will be migrated and anything uncommitted will be lost.
    • Confirm to Matillion that you're ready for the connection to be fully activated.
  6. Once complete, Matillion will ask you to sign into https://app.matillion.com to confirm everything is working as expected. Once you’ve confirmed this, all users can then log in and will be prompted to use SSO.
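
A pre-submission check for the values listed in step 3, as an added example (not Matillion's own tooling). The dictionary field names are hypothetical, and the "urn:auth0:" + TXT value relationship and the https requirement are assumptions inferred from the sample values on this page.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

OIDC_SUFFIX = "/.well-known/openid-configuration"

def cert_problems(cert: str) -> list:
    # Accept bare Base64 or PEM: drop the PEM armour lines and all whitespace.
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", cert)
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return ["certificate is not valid Base64"]
    # An X.509 certificate is a DER SEQUENCE, so its first byte is 0x30.
    return [] if der.startswith(b"\x30") else ["certificate is not DER after decoding"]

def is_https(url: str) -> bool:
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)

def ticket_problems(t: dict) -> list:
    problems = []
    txt = t.get("txt_value", "")
    # Assumption: the page's sample implies a "matillion:" prefix and no spaces.
    if not re.fullmatch(r"matillion:\S+", txt):
        problems.append("TXT value should look like matillion:example-com-saml")
    if t.get("protocol") == "saml":
        # Assumption: audience is "urn:auth0:" + TXT value, as in the page's samples.
        if t.get("audience") != "urn:auth0:" + txt:
            problems.append("audience does not match urn:auth0:<TXT value>")
        problems += cert_problems(t.get("certificate", ""))
    elif t.get("protocol") == "oidc":
        meta = t.get("metadata_url", "")
        if not (is_https(meta) and urlparse(meta).path.endswith(OIDC_SUFFIX)):
            problems.append("metadata URL must be https and end with " + OIDC_SUFFIX)
        # The secret itself never goes in the ticket, only a link to it.
        if "client_secret" in t or not is_https(t.get("secret_link", "")):
            problems.append("share the secret via a secure link, not in the ticket")
    else:
        problems.append("protocol must be 'saml' or 'oidc'")
    return problems

# Constructed sample (placeholder values): a SAML ticket with a mismatched audience.
SAMPLE = {"protocol": "saml", "txt_value": "matillion:example-com-saml",
          "audience": "urn:auth0:matillion:example-org-saml",
          "certificate": base64.b64encode(b"\x30\x82\x01\x0a" + bytes(266)).decode()}
print(ticket_problems(SAMPLE))
```

An empty list means the ticket fields are internally consistent; it does not confirm that the DNS record is published or that the IdP application is configured correctly.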

To sign in, go to https://app.matillion.com and enter your email address. After entering the email, the password field will disappear, and clicking Log In will redirect you to your identity provider.

Warning

You must log in with the same email address from your initial SSO login. After that, any email address recognised by your identity provider can be used for future logins.
