Configure OAuth authentication for your Sigma organization

This document guides you through configuring Sigma to authenticate users to your Sigma organization through OAuth single sign-on (SSO).

This is a premium feature. To enable it for your Sigma organization, contact your Sigma Account Executive.

Requirements

  • You must be assigned the Admin account type to manage authentication for your Sigma organization.

Configure OAuth as an authentication method for your Sigma organization

In Sigma, configure your organization to use OAuth as an authentication method.

When transitioning authentication methods for your Sigma organization from basic authentication to OAuth, the best practice is to transition first to the OAuth or password option instead of immediately requiring OAuth-only authentication for all users.

With the authentication method set to OAuth or password, you keep the ability to sign in with a password during the transition to your IdP-based authentication, ensuring that you're not locked out during the configuration change.

After you have confirmed that users are able to sign in using OAuth, you can transition to OAuth-only authentication.

To configure your Sigma organization to use OAuth as the authentication method:

  1. Go to Administration > Authentication.

  2. Add OAuth as an authentication method:

    • If your organization only has 1 identity provider, in the Authentication section, select Edit.
    • If your organization has multiple identity providers (IdPs), in the Authentication section, select + Add authentication method.
    Using multiple identity providers for your Sigma organization is in public beta.

    This documentation describes a public beta feature and is under construction. This documentation should not be considered part of our published documentation until this notice, and the corresponding Beta flag on the feature in Sigma, are removed. As with any beta feature, the feature discussed below is subject to quick, iterative changes. The latest experience in the Sigma service may differ from the contents of this document.

    Beta features are subject to the disclaimer on Beta features.

  3. Configure your OAuth authentication method:

    • In the Metadata URI field, enter the OAuth metadata URI.
    • In the Client ID field, enter the client ID from your OAuth application.
    • In the Client secret field, enter the client secret from your OAuth application. After you enter and save this value, Sigma does not display it.
    • (For organizations with multiple IdPs enabled) Enter a Name for your OAuth authentication method. This name is displayed to all users when they sign in to Sigma.
  4. (Optional) Configure additional authentication options:

    • (Optional) To enable guest user accounts, turn on the Allow guest access toggle. See Guest User Accounts.
    • (Optional) To customize how frequently users are prompted to sign in, set a Session length in hours. This setting only applies to users signing in with SAML or a password.
    • (Optional) To ensure users are automatically logged out after a certain length of inactivity in the product, turn on the Enforce inactivity timeouts toggle. See Set up inactivity timeouts.
  5. Test your OAuth configuration by signing out and signing back in to Sigma.

    If your configuration was successful, your organization's sign-in page displays the new authentication method, either with a Log in with SSO prompt or the Name you set for your authentication method.

    If your configuration was not successful, review the steps or contact Sigma Support.

  6. If you set an additional password-based authentication option and, after confirming that users can sign in using OAuth, want to remove it:

    • For organizations with 1 IdP, modify your selection in the Authentication method dropdown to choose the OAuth option.
    • For organizations with multiple IdPs enabled, delete the password authentication option. Next to the Password authentication option, select Delete, then select Delete again.

If your organization has multiple identity providers enabled and you want to set up multiple OAuth authentication methods, repeat this process for each OAuth authentication method.
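
Before you enter the Metadata URI in step 3, you can check the document your IdP serves at that URI. The following is an added example, not Sigma's code. It assumes the URI follows the OpenID Connect Discovery or RFC 8414 well-known layout, treats `authorization_endpoint`, `token_endpoint` and `jwks_uri` as required (the page does not state which fields Sigma reads), and uses constructed sample documents for a hypothetical `idp.example.com`.

```python
import json
from urllib.parse import urlsplit

# Well-known suffixes (OIDC Discovery, RFC 8414) and fields this example assumes are required.
WELL_KNOWN = ("/.well-known/openid-configuration",
              "/.well-known/oauth-authorization-server")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def expected_issuers(metadata_uri):
    """Issuer values that are consistent with the metadata URI."""
    parts = urlsplit(metadata_uri)
    found = []
    for wk in WELL_KNOWN:
        if parts.path.endswith(wk):    # issuer + suffix
            found.append(parts.path[:-len(wk)])
        if parts.path.startswith(wk):  # suffix inserted before the issuer path
            found.append(parts.path[len(wk):])
    return [f"{parts.scheme}://{parts.netloc}{p}".rstrip("/") for p in found]

def check_metadata(metadata_uri, document):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if urlsplit(metadata_uri).scheme != "https":
        problems.append("metadata URI is not https")
    try:
        meta = json.loads(document)
    except ValueError:
        meta = None
    if not isinstance(meta, dict):
        return problems + ["metadata document is not a JSON object"]
    issuer = meta.get("issuer")
    if not isinstance(issuer, str) or not issuer:
        problems.append("issuer is missing")
    elif issuer.rstrip("/") not in expected_issuers(metadata_uri):
        problems.append("issuer does not match the metadata URI")
    for name in ENDPOINTS:
        value = meta.get(name)
        if not isinstance(value, str) or not value:
            problems.append(f"{name} is missing")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{name} is not https")
    return problems

# Constructed sample input for a hypothetical IdP (not real endpoints).
BASE = "https://idp.example.com/tenant1"
URI = BASE + "/.well-known/openid-configuration"
GOOD = json.dumps({"issuer": BASE, "authorization_endpoint": BASE + "/authorize",
                   "token_endpoint": BASE + "/token", "jwks_uri": BASE + "/keys"})
BAD = json.dumps({"issuer": "https://login.example.net/tenant1",
                  "authorization_endpoint": BASE + "/authorize", "token_endpoint": "http://idp.example.com/tenant1/token"})
```

An issuer that does not match the host and path of the metadata URI is the finding to resolve first, because it means the document describes a different authorization server than the one you intended to trust.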