Area: Deployment Issues
Sub-Area: OIDC Authentication and Group Provisioning
Issue
When configuring OIDC authentication with identity providers like Okta or Azure AD, groups may not be extracted and provisioned automatically during Just-in-Time (JIT) user creation, even when the "Extract Groups" option is enabled in DataHub. This commonly occurs due to misconfigured OIDC scopes, improper identity provider settings, or using authorization servers that don't support group claims.
You Might Be Asking
- Why aren't my OIDC groups being created during JIT provisioning?
- What's the difference between SAML and OIDC for DataHub Cloud SSO?
- How do I configure Azure AD or Okta for DataHub OIDC authentication?
- What are the required OIDC endpoints and URLs for DataHub integration?
Solution
For Group Extraction Issues:
-
Verify DataHub Configuration:
AUTH_OIDC_EXTRACT_GROUPS_ENABLED=true AUTH_OIDC_JIT_PROVISIONING_ENABLED=true AUTH_OIDC_SCOPE=openid profile email groups AUTH_OIDC_GROUPS_CLAIM=groups -
For Okta - Use Custom Authorization Server:
- Okta's org authorization server does NOT support the groups claim
- Switch to a Custom Authorization Server (e.g.,
https://).okta.com/oauth2/default - In Okta Admin → Security → API → Authorization Servers, configure:
Name: groups Include in: ID Token and UserInfo Value type: Groups Filter: Matches regex .* (or your specific filter) - Update DataHub's discovery URI to point to the custom auth server:
https://.okta.com/oauth2/default/.well-known/openid-configuration
-
For Azure AD - Create App Registration (Not Enterprise Application):
- Create an App Registration in Azure AD Portal
- Add redirect URI:
https://.datahubproject.io/callback/oidc - Generate Client Secret under "Certificates & Secrets"
- Note the Client ID and Tenant ID
-
Test the Configuration:
- Verify the OIDC token contains the groups claim
- Check DataHub logs for group extraction messages
- Test with a new user login to trigger JIT provisioning
Required OIDC Endpoints for DataHub Cloud:
-
Redirect URI:
https://.datahubproject.io/callback/oidc -
Login URL:
https://.datahubproject.io/login -
Discovery URI: Provider-specific (e.g.,
https://login.microsoftonline.com/for Azure AD)/v2.0/.well-known/openid-configuration
Additional Notes
DataHub Cloud uses OIDC (OpenID Connect) for SSO integration, not SAML. The extractGroupsEnabled flag defaults to false and must be explicitly enabled. Group extraction requires both JIT provisioning and group extraction to be enabled. For Okta users, the org authorization server limitation is a well-known constraint - always use Custom Authorization Servers for group claims. Contact DataHub Support for assistance with backend OIDC configuration changes.
Related Documentation
- Configure OIDC React Authentication
- DataHub Cloud OIDC SSO Integration
- Initialize OIDC Authentication
Tags: oidc, authentication, sso, groups, jit-provisioning, okta, azure-ad, deployment, configuration, group-extraction