TVL Managed Superset

Configure SAML on Apache Superset 2026

Tutorial to configure SAML authentication on Apache Superset: metadata, certificates, ADFS, Okta.

SAML 2.0 remains the enterprise authentication standard for many large and regulated organizations. Apache Superset supports SAML via Flask-AppBuilder. This guide details configuration with ADFS, Okta, and Azure AD in 2026.

1. SAML vs OIDC

Criterion           | SAML      | OIDC
Format              | XML       | JSON Web Token
Maturity            | 2005      | 2014
Enterprise adoption | Very wide | Growing
SaaS adoption       | Medium    | Standard 2026
Mobile              | Limited   | Excellent

Prefer OIDC if possible (cf. SSO OIDC). SAML remains mandatory for some enterprise IdPs.

If you want preconfigured SAML, TVL Managed Superset offers SAML setup on Pro+ instances.

2. Prerequisites

  • A SAML 2.0 IdP (ADFS, Okta, Azure AD, Keycloak);
  • The IdP's XML metadata;
  • A signing certificate;
  • The python3-saml library installed in Superset.

3. Install the library

uv pip install python3-saml "flask-appbuilder[saml]"

4. superset_config.py configuration

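import os

from flask_appbuilder.security.manager import AUTH_OAUTH

AUTH_TYPE = AUTH_OAUTH

# For SAML, we use OAuth via a wrapper: Superset talks OAuth/OIDC to the wrapper,
# so SAML_METADATA_URL must serve an OAuth/OIDC discovery document (JSON),
# not the IdP's SAML XML metadata. Secrets are read from the environment.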
OAUTH_PROVIDERS = [
    {
        "name": "saml",
        "icon": "fa-key",
        "token_key": "access_token",
        "remote_app": {
            "client_id": "superset",
            "client_secret": os.environ["SAML_CLIENT_SECRET"],
            "server_metadata_url": os.environ["SAML_METADATA_URL"],
            "client_kwargs": {"scope": "openid email profile"},
        },
    }
]

For pure SAML (without OAuth wrapper), Superset offers AUTH_TYPE = AUTH_SAML in some distributions.

5. ADFS configuration

  1. ADFS console → Relying Party Trusts → Add;
  2. Federation Metadata Address of Superset: https://superset.example.com/saml/metadata;
  3. Map claims: email, givenName, surname, groups;
  4. Superset endpoint: https://superset.example.com/saml/login.

6. Okta configuration

  1. Okta Admin → Applications → Create App Integration → SAML 2.0;
  2. Single sign-on URL: https://superset.example.com/saml/acs;
  3. Audience URI: https://superset.example.com/saml/metadata;
  4. Attribute statements: email, firstName, lastName, groups;
  5. Copy the XML metadata.

7. Azure AD configuration

  1. Entra Admin → Enterprise applications → New application → Non-gallery;
  2. Single sign-on → SAML;
  3. Identifier: https://superset.example.com;
  4. Reply URL: https://superset.example.com/saml/acs;
  5. User attributes: email, name, groups.

This configuration is applied by default on TVL Managed Superset, which follows community best practices.

8. Role mapping

AUTH_ROLES_MAPPING = {
    "superset_admin":  ["Admin"],
    "superset_alpha":  ["Alpha"],
    "superset_gamma":  ["Gamma"],
}
AUTH_ROLES_SYNC_AT_LOGIN = True

The groups claim sent by the IdP is mapped to Superset roles at each login.

9. Test

  1. Redeploy Superset;
  2. Go to https://superset.example.com/login;
  3. Click "Sign in with SAML";
  4. Authenticate at the IdP;
  5. You are redirected to Superset and the account is created automatically.

10. Common pitfalls

  • Expired certificate: the SAML response is signed with an expired certificate; check its validity period;
  • Time skew: SAML is strict about clocks; synchronize with NTP;
  • Audience URI: the slightest difference (trailing slash, http vs https) blocks authentication;
  • Missing claims: groups are not sent by default; configure them on the IdP side;
  • Asymmetric logout: SLO (Single Logout) requires additional configuration.
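
To check a failing login against the time skew, Audience URI and missing claims pitfalls above, the following added example (not part of Superset or of the original guide) inspects a decoded assertion and lists what is wrong. The function name `diagnose`, the 60-second skew tolerance, the sample assertion and the plain claim names `email` and `groups` are assumptions for illustration.

```python
# Added example: debugging aid only; it does not verify the XML signature,
# so it must not be used to make an authentication decision.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned; all values invented for this example).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2026-01-10T09:00:00Z" NotOnOrAfter="2026-01-10T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://superset.example.com/saml/metadata/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>ana@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2026-01-10T09:00:00Z."""
    value = value.rstrip("Z").split(".")[0]  # drop optional fractional seconds
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def diagnose(xml_text, expected_audience, now, skew=timedelta(seconds=60),
             required=("email", "groups")):
    """Return a list of pitfall findings for one decoded assertion or response."""
    root = ET.fromstring(xml_text)
    findings = []
    cond = root.find(".//saml:Conditions", NS)
    attrs = cond.attrib if cond is not None else {}
    if "NotBefore" in attrs and now + skew < _ts(attrs["NotBefore"]):
        findings.append("time skew: assertion not yet valid")
    if "NotOnOrAfter" in attrs and now - skew >= _ts(attrs["NotOnOrAfter"]):
        findings.append("time skew: assertion expired")
    # Audience comparison is an exact string match: slash and scheme count.
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"audience mismatch: got {audiences}")
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    for claim in required:
        if claim not in names:
            findings.append(f"missing claim: {claim}")
    return findings
```

Call `diagnose(SAMPLE, "https://superset.example.com/saml/metadata", datetime.now(timezone.utc))` with your own decoded response in place of `SAMPLE`; an empty list means none of these three pitfalls applies.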

11. Conclusion

SAML remains essential for large organizations that use an enterprise IdP (ADFS, Okta, Azure AD). Superset configuration takes a few hours to set up but remains stable once in place. For new setups, OIDC is recommended unless there is a strict SAML constraint.
