Area: Deployment Issues
Sub-Area: OIDC / SSO Authentication Configuration
Issue
A user invited to DataHub Cloud receives an "Access denied" error when attempting to log in via SSO. The error originates from the Identity Provider (IdP) before the authentication request ever reaches DataHub. Refreshing the invite link, deleting the user from the invited list, and re-sending the invitation have no effect because the block is enforced entirely at the IdP layer — DataHub never receives a valid authentication token to act on.
Error Messages
Access denied. The OIDC service responded with 'Access denied'. It seems that you don't have access to this application yet. Please apply for access.Error details: 'Optional[access_denied]':'Optional[End-user does not have access to this application]'User is not assigned to the client application
You Might Be Asking
- Why does a newly invited DataHub user see "Access denied" when clicking their invite link?
- Why doesn't refreshing or resending the DataHub invite link fix the OIDC access denied error?
- How do I grant a user access to DataHub when SSO login is blocked by the identity provider?
- Does this error indicate a DataHub Cloud bug or regression?
Solution
This error is caused by an IdP configuration issue, not a DataHub defect. The user must be explicitly assigned to the DataHub application inside your Identity Provider's admin console. Follow the steps below for your IdP:
-
Log in to your Identity Provider admin console.
Access the admin portal for whichever IdP your organization uses (e.g., Okta, Azure Active Directory, Google Workspace, OneLogin, or another OIDC-compatible provider).
-
Navigate to the DataHub application in your IdP.
- Okta: Go to Applications → Applications and select your DataHub app.
- Azure Active Directory: Go to Enterprise Applications and select your DataHub app.
- Google Workspace: Go to Apps → Web and mobile apps and select your DataHub app.
- OneLogin: Go to Applications and select your DataHub app.
-
Assign the affected user to the DataHub application.
Within the application's Assignments (or Users) section, confirm the user is either:
- Directly assigned to the DataHub application, or
- A member of a group that is directly assigned to the DataHub application.
If the user is not listed, add them individually or add them to an assigned group.
-
Account for nested group limitations (Okta and some other IdPs).
Some IdPs, particularly Okta, do not automatically propagate nested or sub-group membership for application access control. If the user belongs to a subgroup of a group that is assigned to the DataHub app, they may still be blocked. To resolve this:
- Assign the user's specific subgroup directly to the DataHub application, or
- Assign the user individually to the DataHub application.
-
Verify the fix.
Once the user is properly assigned in the IdP, ask them to attempt login again. No further changes are needed within DataHub Cloud itself. The user should be able to authenticate immediately after the IdP assignment is saved.
For reference, the OIDC flow behaves as follows. DataHub receives the IdP's denial response and surfaces it to the end user:
# Example OIDC error response surfaced by DataHub (generated by the IdP):
{
"error": "access_denied",
"error_description": "End-user does not have access to this application"
}
Because the block occurs at the IdP before any token is issued, DataHub-side actions such as re-inviting the user or refreshing invite tokens cannot resolve this error.
Additional Notes
- This is not a DataHub Cloud product regression. The "Access denied" error is generated and returned by the Identity Provider as part of the standard OIDC authorization flow. DataHub correctly surfaces this error to the end user.
- DataHub's invite and re-invite functionality operates at the DataHub application layer only. It has no ability to override or bypass IdP-level access controls — these are two independent systems.
- This issue applies to any OIDC-compatible IdP (Okta, Azure AD, Google Workspace, OneLogin, PingFederate, Auth0, etc.). The resolution is always to assign the user within the IdP admin console.
- If your organization enforces group-based application access, ensure the groups assigned to the DataHub application in your IdP are kept up to date whenever new users are onboarded.
- After resolving the IdP assignment, no DataHub support action or configuration change is required.
Related Documentation
- Configuring OIDC Authentication in DataHub
- OIDC SSO Troubleshooting Guide
- DataHub Authentication Overview
Tags: oidc, sso, access-denied, identity-provider, okta, azure-ad, onboarding, login-failure, user-assignment, authentication