Single Sign-On
DataTako supports Single Sign-On (SSO) so your users can log in with their existing identity provider. Two options are available: SAML 2.0 SSO for any compatible identity provider, and a dedicated Entra ID (formerly Azure AD) integration with additional features like group synchronization.
SSO requires a custom domain to be configured. Set this up under Settings > Appearance > Custom domain before configuring SSO.
SAML 2.0 SSO
Configure SAML 2.0 SSO under Settings > SSO. This works with any SAML 2.0 compatible identity provider such as Entra ID, Okta, Google Workspace, or OneLogin.
Identity provider configuration
You can configure your identity provider in two ways: by providing a metadata URL (recommended), or by entering the details manually.
| Setting | Details |
| Name | A display name for this SSO configuration. |
| IdP metadata URL | The URL to your identity provider’s SAML metadata document. When provided, the entity ID, sign-on URL, and certificate are read from the metadata automatically. |
| IdP entity ID | The entity identifier of your identity provider. Required when not using a metadata URL. |
| Single sign-on URL | The SAML 2.0 endpoint where login requests are sent. Required when not using a metadata URL. |
| Single logout URL | The SAML 2.0 endpoint for logout requests. Optional. |
| Signing certificate | The certificate from your identity provider used to verify SAML responses. Upload a .cer, .crt, .pem, .der, or .cert file. Required when not using a metadata URL. |
Service provider details
When configuring your identity provider, use the following values from DataTako:
| Value | Details |
| SP entity ID | The entity identifier for DataTako as a service provider: urn:datatako:sp |
| ACS URL | The Assertion Consumer Service URL where your identity provider sends the SAML response. Shown on the configuration page. |
| IdP-initiated login URL | A URL for starting a login from the identity provider side. Uses your custom domain. |
| SP signing certificate | A certificate you can download and upload to your identity provider for request verification. |
Automatic user provisioning
When the “Automatically create users” option is enabled, users who log in via SSO for the first time are automatically created in DataTako with the Viewer role. No manual invitation is needed.
To use automatic provisioning, you need to verify your domain. This proves that your organization owns the email domain. Add your domain in the verified domains section and create a DNS TXT record with the provided verification token. Once verified, users with email addresses on that domain are provisioned automatically on their first SSO login.
Entra ID integration
If your organization uses Microsoft Entra ID (formerly Azure AD), DataTako offers a dedicated integration that goes beyond standard SAML SSO. The Entra integration synchronizes users and groups directly from Entra into DataTako, keeping everything in sync automatically. This is the preferred option when your organization uses Entra ID.
Configure the Entra integration under Settings > Entra ID. An administrator with Entra admin rights needs to grant consent to the DataTako application. If the person configuring DataTako does not have Entra admin rights, a shareable consent URL can be generated and sent to an IT administrator.
User synchronization
Once connected, DataTako synchronizes users from Entra on an hourly schedule. You can also trigger a manual sync from the settings page.
| Setting | Details |
| Exclude guest users | Excludes users marked as “guest” in Entra from being synced to DataTako. |
| Include security groups | Only users who are members of the selected Entra security groups are synced. Leave empty to include all users. |
| Exclude security groups | Users in these Entra security groups are excluded from sync, even if they match the include filter. |
| User removal policy | What happens when a user is removed or deactivated in Entra. Choose between “Nothing” (keep the account and settings in DataTako) or “Hard delete” (remove the user and all their settings). |
| Provisioning type | “In advance” syncs all matching users to DataTako immediately. “Just-in-time” creates users only when they log in for the first time (requires a custom domain). |
| Send welcome email | When using “in advance” provisioning, optionally sends a welcome email to newly synced users. You can choose the email language. |
Role mapping
Map Entra security groups to DataTako roles. Users in a mapped group automatically receive the corresponding role. Users who are not in any mapped group default to the Viewer role.
| Role | Details |
| Viewer | Select Entra groups whose members should receive the Viewer role. |
| Editor | Select Entra groups whose members should receive the Editor role. |
| Organisation admin | Select Entra groups whose members should receive the Organisation Admin role. |
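The sync filters under User synchronization and the role mapping above combine to decide who gets an account and with which role. The following added example (a model of the rules as stated on this page, not DataTako code) dry-runs a planned configuration against a constructed user list. The page does not say which role wins when a user is in groups mapped to more than one role, so the example flags that case for review instead of choosing; all group names and addresses are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class SyncConfig:
    exclude_guests: bool = True
    include_groups: set = field(default_factory=set)  # empty = all users
    exclude_groups: set = field(default_factory=set)
    role_map: dict = field(default_factory=dict)      # role -> set of groups

def plan_sync(users, cfg):
    """users: iterable of (email, is_guest, groups). Returns {email: outcome}."""
    plan = {}
    for email, is_guest, groups in users:
        groups = set(groups)
        if cfg.exclude_guests and is_guest:
            plan[email] = "skipped: guest"
        elif groups & cfg.exclude_groups:
            # Exclusion applies even when the include filter matches.
            plan[email] = "skipped: excluded group"
        elif cfg.include_groups and not groups & cfg.include_groups:
            plan[email] = "skipped: not in include groups"
        else:
            roles = sorted(r for r, g in cfg.role_map.items() if groups & g)
            if not roles:
                plan[email] = "Viewer (default)"
            elif len(roles) == 1:
                plan[email] = roles[0]
            else:
                # Precedence is not documented on the page: surface it.
                plan[email] = "REVIEW: matches " + ", ".join(roles)
    return plan

# Constructed configuration and directory snapshot (hypothetical names).
CFG = SyncConfig(
    include_groups={"dt-users"},
    exclude_groups={"contractors"},
    role_map={"Editor": {"dt-editors"}, "Organisation admin": {"dt-admins"}},
)
USERS = [
    ("ana@example.com", False, ["dt-users", "dt-editors"]),
    ("bo@example.com", False, ["dt-users"]),
    ("cy@example.com", False, ["dt-users", "contractors", "dt-admins"]),
    ("di@example.com", True, ["dt-users", "dt-admins"]),
    ("ed@example.com", False, ["dt-users", "dt-editors", "dt-admins"]),
    ("flo@example.com", False, ["finance"]),
]
```

With `include_groups` left empty, every non-excluded directory user falls through to at least the default Viewer role, so check that case before enabling “in advance” provisioning.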
Group synchronization
A key advantage of the Entra integration over standard SAML SSO is the ability to connect Entra security groups to DataTako user groups. When you link an Entra group to a DataTako user group, members are automatically added and removed based on their Entra group membership.
You can manage these links from the user group settings. Select one or more Entra groups to connect to a DataTako user group.
The “Enforce user group membership from Entra” setting controls whether Entra is the single source of truth for group membership. When enabled, group membership is managed entirely by Entra and manual changes in DataTako are overwritten on the next sync. When disabled, Entra groups are still synced, but administrators can also manually add users to DataTako groups.
