Configure OAuth authentication for your Sigma organization

This document guides you through configuring Sigma to authenticate users to your Sigma organization through OAuth single sign-on (SSO).

Prerequisite

Requirements

  • You must be assigned the Admin account type to manage authentication for your Sigma organization.

Configure OAuth as an authentication method for your Sigma organization

In Sigma, configure your organization to use OAuth as an authentication method.

💡

When transitioning authentication methods for your Sigma organization from basic authentication to OAuth, the best practice is to transition first to the OAuth or password option rather than directly to requiring OAuth-only login for all users. With the authentication method set to OAuth or password, you retain the ability to log in with a password during the transition to your IdP-based login, ensuring that you are not locked out during the configuration change. Once you have confirmed that users are able to log in using OAuth, you can transition to OAuth-only login.

This configuration requires the values for three fields you obtained when configuring your Sigma OAuth application in your IdP.

💡

When transitioning authentication methods, it is recommended to keep a password-based authentication option enabled. This ensures you are not locked out of your Sigma organization if configuration issues arise.

To configure an OAuth authentication method:

  1. Go to Administration > Authentication.

  2. Add OAuth as an authentication method:

    • For organizations with multiple identity providers (IdPs) enabled: In the Authentication Methods section, select + Add authentication method.
    • For organizations without multiple IdPs enabled: In the Authentication Method and Options section, locate the Authentication Method setting and select Edit.

📘

Using multiple identity providers for your Sigma organization is in public beta.

This documentation describes a public beta feature and is under construction. This documentation should not be considered part of our published documentation until this notice, and the corresponding Beta flag on the feature in Sigma, are removed. As with any beta feature, the feature discussed below is subject to quick, iterative changes. The latest experience in the Sigma service may differ from the contents of this document.

Beta features are subject to the disclaimer on Beta features.

  3. Configure your OAuth authentication method:

    • In the Metadata URI field, enter the OAuth metadata URI.
    • In the Client ID field, enter the client ID from your OAuth application.
    • In the Client Secret field, enter the client secret from your OAuth application. After you enter and save this value, Sigma does not display it.
    • (For organizations with multiple IdPs enabled) Enter a Name for your OAuth authentication method. This name is displayed to all users when they sign in to Sigma.
  4. (Optional) Configure additional authentication options. For organizations with multiple IdPs enabled, this is under Authentication Options, and for organizations without multiple IdPs enabled, this is under Authentication Method:

    • (Optional) To enable guest user accounts, turn on the toggle for Allow Guest Access. See Guest User Accounts.
    • (Optional) To customize how frequently users are prompted to re-authenticate, set a Session Length in Hours. This setting only applies to users logging in with SAML or a password.
    • (Optional) To ensure users are automatically logged out after a certain length of inactivity in the product, turn on the toggle for Enforce Inactivity Timeouts. See Set up inactivity timeouts.
  5. Test your OAuth configuration by logging out and logging back in to Sigma. Your organization’s sign-in page should now display your new authentication method, either with a Log in with SSO prompt or the Name you set for your authentication method.

  6. If you set an additional password-based authentication option and, after testing to confirm that users are able to log in using OAuth, want to remove it:

    • For organizations with multiple IdPs enabled: Select Delete next to your Password authentication option, then select Delete again.
    • For organizations without multiple IdPs enabled: You can update your selection in the Authentication Method dropdown to choose the OAuth option, which enforces OAuth login for all users.

If your organization has multiple identity providers enabled, and you want to set up multiple OAuth authentication methods, you will need to repeat this process for each OAuth authentication method.
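Before you enter the Metadata URI and later remove the password option, you can sanity-check the metadata document your IdP serves. The following is an added example, not Sigma's own code: it assumes the metadata URI is an OpenID Connect discovery document (a URL ending in `/.well-known/openid-configuration`), and the function name, the `idp.example.com` host and the sample documents are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumption: the IdP publishes OIDC Discovery 1.0 metadata at this suffix.
WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def is_https(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def check_metadata(metadata_uri, document):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if not is_https(metadata_uri):
        problems.append("metadata URI is not an https URL")
    expected_issuer = None
    if metadata_uri.endswith(WELL_KNOWN):
        expected_issuer = metadata_uri[: -len(WELL_KNOWN)]
    else:
        problems.append("metadata URI does not end with " + WELL_KNOWN)
    issuer = document.get("issuer")
    # Discovery requires the issuer to equal the URL prefix the document was
    # fetched from; a mismatch means it describes a different server.
    if expected_issuer is not None and issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} does not match {expected_issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        value = document.get(key)
        if not isinstance(value, str) or not is_https(value):
            problems.append(f"{key} is missing or not an https URL")
    return problems


# Constructed sample documents; in practice, load the JSON your IdP returns.
GOOD_URI = "https://idp.example.com/oauth2/default" + WELL_KNOWN
GOOD_DOC = json.loads("""{
  "issuer": "https://idp.example.com/oauth2/default",
  "authorization_endpoint": "https://idp.example.com/oauth2/default/v1/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/default/v1/token",
  "jwks_uri": "https://idp.example.com/oauth2/default/v1/keys"
}""")
BAD_DOC = dict(GOOD_DOC, issuer="https://idp.example.com",
               token_endpoint="http://idp.example.com/oauth2/default/v1/token")

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(name, check_metadata(GOOD_URI, doc) or "OK")
```

A non-empty result is a reason to keep the password option enabled until the IdP configuration is corrected.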