28 changes: 28 additions & 0 deletions references/workspace/sso-providers.mdx
Expand Up @@ -38,6 +38,34 @@ Lightdash supports multiple SSO providers for secure authentication. This page p
Self-hosted instances can configure any supported SSO provider by setting environment variables directly. See the [self-hosted SSO configuration guide](/self-host/customize-deployment/use-sso-login-for-self-hosted-lightdash) for setup instructions. Lightdash Cloud customers should follow the provider-side setup and share the values with the Lightdash team.
</Note>

## URL requirements for organization-managed SSO

When an organization admin saves a per-organization SSO configuration, Lightdash validates that any provider URL it has to fetch resolves to a **public `https://` address**. This protects against server-side request forgery (SSRF) since the URL is requested by the Lightdash backend during issuer discovery.

The following fields are validated at save time:

| Provider | Validated field | What gets checked |
| :--- | :--- | :--- |
| Okta | `oktaDomain` | The domain is used to build `https://<oktaDomain>` — it must resolve to a public host. |
| Generic OIDC | `metadataDocumentEndpoint` | The OIDC discovery document URL must use `https://` and resolve to a public host. |

URLs that point to `localhost`, loopback addresses, private networks, or other internal/non-routable addresses are rejected with a `ParameterError`. Azure AD is not affected because its endpoints are templated from the tenant ID.

<Note>
This check runs only when configuration is **saved through the API or admin UI**. Existing stored configurations and environment-variable-based self-hosted configurations are not re-validated.
</Note>

Example error returned when saving an invalid value:

```json
{
"error": {
"name": "ParameterError",
"message": "OIDC discovery document URL must be a valid public https URL — localhost, private and internal network addresses are not allowed."
}
}
```

## Provider details

### Google
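Review bot: the `<Note>` that the check "runs only when configuration is saved through the API or admin UI" leaves an admin without a next step; add a sentence recommending that existing per-organization Okta and generic OIDC configurations be re-saved so they pass through the same validation, and state explicitly that environment-variable-based self-hosted values must be checked by the operator. It would also help to spell out in the "URL requirements" paragraph that the public-host check is performed at save time while the discovery document is fetched later, so the section is not read as a guarantee about the fetch itself. Finally, the error example only shows the generic OIDC message; since the table lists `oktaDomain` as validated too, either show the Okta `ParameterError` message or say that its wording differs.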