Metabase supports multiple authentication methods to integrate with your organization’s identity provider. Configure authentication options from Admin > Settings > Authentication.
All authentication methods can automatically create Metabase accounts when users sign in for the first time, eliminating manual account creation.

Authentication options overview

| Method | Plans | Best for | Key features |
| --- | --- | --- | --- |
| Email & Password | All | Basic auth | Built-in, no setup required |
| Google Sign-In | All | Google Workspace users | Quick setup, 2FA support |
| LDAP | All | On-premise directories | Active Directory integration |
| SAML | Pro, Enterprise | Enterprise SSO | Full IdP integration, attribute sync |
| JWT | Pro, Enterprise | Custom SSO | Flexible token-based auth |

Google Sign-In

Enable one-click authentication using Google accounts.

When to use Google Sign-In

  • Your organization uses Google Workspace
  • You want Google’s 2FA/MFA for Metabase security
  • You need simple SSO without enterprise IdP complexity

Setting up Google Sign-In

1. Create Google OAuth credentials
     1. Go to Google Developer Console
     2. Create a new project or select existing
     3. Enable Google+ API
     4. Create OAuth 2.0 credentials
2. Configure authorized origins
   In “Authorized JavaScript origins”, add your Metabase URL:
   https://metabase.example.com
   Leave “Authorized Redirect URIs” blank
3. Copy Client ID
   Copy the Client ID ending in .apps.googleusercontent.com
4. Configure Metabase
     1. Go to Admin > Settings > Authentication
     2. Click Set up on the “Sign in with Google” card
     3. Paste your Client ID
     4. Optionally add domain to auto-create accounts

Enter your organization’s domain (e.g., yourcompany.com) to automatically create accounts for users with matching email domains. Users with @yourcompany.com emails can sign in and automatically get Metabase accounts.

Multiple domains

Multiple domains for Google Sign-In are available on Pro and Enterprise plans.
Support multiple email domains from the same Google Workspace:
mycompany.com,example.com.br,otherdomain.co.uk
Separate domains with commas, no spaces.
User attribute synchronization: Google Sign-In cannot sync user attributes. For attribute sync, use Google SAML or JWT instead.

LDAP authentication

Integrate with Lightweight Directory Access Protocol directories like Active Directory.

Required LDAP attributes

Your LDAP directory must have these attributes:
| Attribute | Default LDAP field | Required? |
| --- | --- | --- |
| Email | mail | Yes |
| First name | givenName | No (defaults to “Unknown”) |
| Last name | sn | No (defaults to “Unknown”) |
The email field must be populated for each LDAP entry. Without it, Metabase cannot create accounts or authenticate users.

Configuring LDAP

1. Enable LDAP
   Go to Admin > Settings > Authentication > LDAP and toggle on
2. Server settings
   Configure your LDAP server connection:
     • Host: e.g., ldap.yourdomain.org
     • Port: Usually 389 (standard) or 636 (SSL)
     • Security: None, SSL, or StartTLS
     • Admin username: Distinguished name for binding
     • Admin password: Credentials for admin user
3. User schema
   Define how Metabase finds users:
     • User search base: Starting DN (e.g., ou=People,dc=widgetco,dc=com)
     • User filter: Query to match users (default works for most)
4. Attributes
   Map LDAP attributes to Metabase fields if different from defaults
5. Test connection
   Save settings and test by logging in with LDAP credentials

The user search base defines where in your LDAP tree Metabase starts looking for users. Example: If your organization is WidgetCo with base DN dc=widgetco,dc=com, and employees are under an organizational unit called “People”, set:
ou=People,dc=widgetco,dc=com
The default filter:
(&(objectClass=inetOrgPerson)(|(uid={login})(mail={login})))
This matches entries that:
  • Have objectClass of inetOrgPerson AND
  • Match the login in either the uid OR mail field
Customize this if your LDAP uses different objectClass or attributes.
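The default filter's AND/OR logic, worked through on constructed directory entries. This is an added example, not Metabase's code; it assumes the login is escaped per RFC 4515 before it replaces {login}, and ENTRIES, render_filter, parse, matches and find_users are hypothetical names.

```python
import re

DEFAULT_FILTER = "(&(objectClass=inetOrgPerson)(|(uid={login})(mail={login})))"
# RFC 4515: these characters must be written as \XX inside a filter value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed directory entries (attribute names lowercased for lookup).
ENTRIES = [
    {"dn": "uid=asmith,ou=People,dc=widgetco,dc=com",
     "objectclass": ["inetOrgPerson"], "uid": ["asmith"], "mail": ["alice@widgetco.com"]},
    {"dn": "uid=bjones,ou=People,dc=widgetco,dc=com",
     "objectclass": ["inetOrgPerson"], "uid": ["bjones"], "mail": ["bob@widgetco.com"]},
    {"dn": "uid=backup,ou=People,dc=widgetco,dc=com",
     "objectclass": ["account"], "uid": ["backup"]},
]

def render_filter(template, login):
    """Substitute {login} after escaping it, so it can only ever be a literal value."""
    return template.replace("{login}", "".join(ESCAPES.get(c, c) for c in login))

def parse(text, pos=0):
    """Parse one (&...), (|...) or (attr=value) filter; return (node, next_pos)."""
    pos += 1                                   # skip "("
    if text[pos] in "&|":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse(text, pos)
            children.append(child)
        return (op, children), pos + 1         # skip ")"
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    if node[0] == "|":
        return any(matches(child, entry) for child in node[1])
    return any(v.lower() == node[2] for v in entry.get(node[1], []))

def find_users(login, template=DEFAULT_FILTER):
    tree, _ = parse(render_filter(template, login))
    return [e["dn"] for e in ENTRIES if matches(tree, e)]
```

The backup entry is skipped by the default filter because its objectClass is not inetOrgPerson; passing a customized template such as (&(objectClass=account)(uid={login})) to find_users shows the effect of changing it.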

LDAP group mapping

Automatically add users to Metabase groups based on LDAP group membership.
1. Enable group mapping
   In LDAP settings, scroll to Group Schema and toggle on
2. Configure mappings
   Click Edit Mapping to open the mapping modal
3. Add mapping
   For each LDAP group:
     1. Enter the Distinguished Name (e.g., cn=Accounting,ou=Groups,dc=widgetco,dc=com)
     2. Select corresponding Metabase group from dropdown
     3. Click Save

Important notes:
  • Administrator group can be mapped like any other group
  • Group membership updates only apply after users log in again
  • Only mapped groups are affected—other Metabase groups remain unchanged

Advanced LDAP features

Advanced LDAP features including group membership filters and user attribute sync are available on Pro and Enterprise plans.
Customize how Metabase looks up group memberships with filter placeholders:
  • {dn}: Replaced with user’s Distinguished Name
  • {uid}: Replaced with user’s UID
Useful for complex LDAP schemas with nested groups or custom membership attributes.
Pass custom user attributes from LDAP to Metabase for:
  • Row and column security
  • Personalized data filtering
  • Multi-tenant analytics
Attributes sync automatically on each login.

SAML authentication

SAML authentication is available on Pro and Enterprise plans.
Security Assertion Markup Language (SAML) provides enterprise-grade single sign-on.

Benefits of SAML authentication

  • Automatic account provisioning on first login
  • User attribute synchronization for row-level security
  • Seamless access without re-authentication
  • Centralized identity management
  • Support for all major identity providers

Supported identity providers

Metabase provides specific guides for:

Before setting up SAML

Critical: Confirm you know the password to your Metabase admin account before configuring SAML. If SAML setup fails, you can still log in via “Admin backup login” on the sign-in screen.

SAML configuration overview

The SAML setup form has three sections:
1. Metabase information for your IdP
   Copy these values to your identity provider’s SAML configuration:
     • URL the IdP should redirect back to: Your Metabase URL + /auth/sso
     • User attributes: Email, first name, last name
2. IdP information for Metabase
   Enter these values from your identity provider:
     • SAML Identity Provider URL: Where Metabase redirects login requests
     • SAML Identity Provider Issuer: Unique IdP identifier (recommended)
     • SAML Identity Provider Certificate: X.509 certificate for verification
3. SSO request signing (optional)
   Configure keystore settings if your IdP requires signed requests or encrypts responses

The redirect URL tells your IdP where to send users after authentication.
Format: [Your Metabase Site URL]/auth/sso
Example: If your Site URL is https://metabase.yourcompany.com, the redirect URL is:
https://metabase.yourcompany.com/auth/sso
Different IdPs use different names:
  • Auth0: “Application Callback URL”
  • Okta: “Single Sign On URL”
  • OneLogin: “ACS (Consumer) URL”
SAML assertions must contain:
  • Email address
  • First name
  • Last name
Most IdPs include these by default. Some (like Okta) require explicit configuration.
Keep email addresses synchronized between your IdP and Metabase. Mismatched emails can lock users out of their accounts.
The SAML certificate is an encoded certificate for secure IdP communication.
Common formats: .cer or .pem files
Include headers: Copy the entire certificate including:
-----BEGIN CERTIFICATE-----
[certificate content]
-----END CERTIFICATE-----

SAML group synchronization

Automatically assign Metabase groups based on IdP attributes.
1. Create IdP user attribute
   In your IdP, create a user attribute for Metabase groups (e.g., metabaseGroups)
2. Enable sync in Metabase
   In SAML settings, toggle on Synchronize group memberships
3. Create mappings
   Click Edit mappings and for each IdP group value:
     1. Click Create a mapping
     2. Enter the IdP group value
     3. Select corresponding Metabase group(s)
     4. Click Save
4. Specify attribute name
   Enter the attribute name from your IdP (e.g., MetabaseGroupName)

SAML Single Logout (SLO)

Enable single logout to sign users out of both Metabase and your IdP.
SLO endpoint: /auth/sso/handle_slo
Full URL example:
https://metabase.example.com/auth/sso/handle_slo
SLO requires configuration via environment variables:
  • MB_SAML_SLO_ENABLED=true
  • MB_SAML_IDENTITY_PROVIDER_URI set to IdP’s SLO endpoint
  • MB_SESSION_COOKIE_SAMESITE=none
  • HTTPS must be enabled

User provisioning with SAML

By default, Metabase creates accounts automatically when users authenticate via SAML. If using SCIM user provisioning, disable automatic account creation to control who can access Metabase through SCIM instead.

JWT authentication

JWT authentication is available on Pro and Enterprise plans.
JSON Web Token (JWT) authentication enables integration with custom identity providers.

JWT authentication flow

1. User requests protected resource
   User attempts to view content (e.g., /question/1-superb-question)
2. Redirect to authentication
   Metabase redirects unauthenticated users to /auth/sso
3. External authentication
   User authenticates with your identity provider
4. Token generation
   Your IdP generates a JWT and redirects to Metabase
5. Token verification
   Metabase verifies the JWT signature and logs the user in
6. Original destination
   User is redirected to their original destination

Configuring JWT

1. Navigate to JWT settings
   Go to Admin > Settings > Authentication > JWT
2. JWT Identity Provider URI
   Enter the URL where users will authenticate
3. JWT Signing Key
   Enter the shared secret key for token verification (must match your IdP)
4. User attribute mapping (optional)
   Map JWT claims to Metabase attributes:
     • Email attribute key
     • First name attribute key
     • Last name attribute key
     • Group assignment attribute key
     • Tenant attribute key (for multi-tenancy)

User attributes sync automatically on every JWT login, keeping Metabase data current with your IdP.
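Token generation and verification (steps 4 and 5 of the flow) with the shared signing key, using only the Python standard library. This is an added example, not Metabase's or any IdP's own code; the claim names email, first_name and last_name, the HS256 algorithm and the 60-second lifetime are assumptions, and the function names are hypothetical.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def mint_token(secret, email, first_name, last_name, groups, ttl=60, now=None):
    """IdP side: issue a short-lived HS256 token for one authenticated user."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    # Claim names are assumptions; they must equal the attribute keys configured in Metabase.
    claims = {"email": email, "first_name": first_name, "last_name": last_name,
              "groups": groups, "iat": now, "exp": now + ttl}
    signing_input = ".".join(b64url(json.dumps(part).encode()) for part in (header, claims))
    return signing_input + "." + b64url(sign(secret, signing_input))

def verify_token(secret, token, now=None):
    """Receiving side: pin the algorithm, check the MAC, only then trust the claims."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            raise ValueError("unexpected alg")   # never let the token choose the algorithm
        if not hmac.compare_digest(sign(secret, head + "." + body), b64url_decode(sig)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(body))
    except (ValueError, AttributeError, TypeError) as exc:
        raise ValueError(f"token rejected: {exc}") from None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token rejected: expired or missing exp")
    return claims
```

Because the key is shared, anyone who holds it can mint a token for any email or group, so store it like a password and keep token lifetimes short.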

JWT group mapping

Automate group assignments based on JWT claims.
1. Add groups to JWT
   In your IdP, include groups in JWT: groups: ["group_name"]
2. Enable sync
   Toggle on Synchronize Group Memberships in JWT settings
3. Automatic matching
   If JWT group names match Metabase group names exactly, they sync automatically
4. Manual mapping
   For different names:
     1. Click New mapping
     2. Enter JWT group name
     3. Select Metabase group(s) from dropdown
     4. Repeat for all groups

Alternative to UI configuration:
MB_JWT_ATTRIBUTE_GROUPS=groups
MB_JWT_GROUP_SYNC=true
MB_JWT_GROUP_MAPPINGS='{"extHR":[7], "extSales":[3,4]}'
Where:
  • extHR, extSales are JWT group names
  • 7, 3, 4 are Metabase group IDs
Find group IDs in URLs: /admin/people/groups/<ID>

Multi-tenant JWT configuration

For multi-tenant applications, JWT can automatically assign users to tenants based on token claims. See Tenants documentation.

Password authentication

Disabling password login

Critical warning: Disabling password authentication affects ALL accounts, including administrators. Ensure SSO works for your admin account before disabling passwords.
Recommendation: Keep password authentication enabled as a backup to prevent lockouts.
To require SSO for all users:
1. Verify SSO access
   Confirm you can log in with SSO using your admin account
2. Navigate to authentication
   Go to Admin > Settings > Authentication
3. Disable passwords
   Toggle off Enable Password Authentication
4. Test thoroughly
   Verify all users can authenticate via SSO

When password authentication is disabled, users must use SSO. Accounts created via SSO never have passwords and must continue using SSO to log in.

Password complexity requirements

Enforce stronger password policies from Admin > Settings > Authentication. Options include:
  • Minimum length
  • Required character types (uppercase, lowercase, numbers, symbols)
  • Common password prevention

Session expiration

Control how long users stay logged in before re-authentication is required. Configure in Admin > Settings > Authentication > Session expiration.

Account provisioning

Automatic account creation

All authentication methods can automatically create Metabase accounts on first login:
Paid plans: Each active account counts toward your user limit and billing, even if created automatically.
What gets created:
  • User account with email and name from IdP
  • Membership in mapped groups (if configured)
  • No password (must continue using SSO)

New account notifications

Admins receive email notifications when SSO creates new accounts. To disable these notifications:
  1. Go to Admin > Settings > Authentication > User provisioning
  2. Toggle off Notify admins of new users provisioned from SSO

SCIM user provisioning

SCIM provisioning is available on Enterprise plans.
For programmatic account management, Metabase supports SCIM (System for Cross-domain Identity Management). Benefits:
  • Centralized user lifecycle management
  • Automatic deprovisioning
  • Group membership sync
  • Integration with identity platforms

Best practices

1. Test SSO before disabling passwords
   Always verify SSO works completely before disabling password authentication
2. Keep admin backup access
   Know your admin password for “Admin backup login” access
3. Use group synchronization
   Leverage IdP group mappings to automate permission management
4. Enable user attribute sync
   Sync user attributes for row-level security and personalization
5. Document your configuration
   Maintain documentation of SSO setup for future admins
6. Regular access reviews
   Periodically audit accounts created via SSO

Troubleshooting

Solution: Use “Admin backup login” link on sign-in page to access your account with password authentication.
Check:
  • Certificate includes header and footer comments
  • No extra spaces or line breaks
  • Certificate hasn’t expired
  • Correct certificate was copied
Verify:
  • Attribute names match exactly (case-sensitive)
  • IdP is sending attributes in assertions
  • User has logged in after attribute configuration
  • Attribute values are correct format
Confirm:
  • Group names match exactly
  • User has logged in after mapping setup
  • IdP is sending group information
  • Metabase groups exist before mapping
Check:
  • Firewall allows connections to LDAP port
  • Admin credentials are correct
  • User search base DN is valid
  • LDAP server is accessible from Metabase
