From 5a8481166405cdb0e062730ee2d76cd672b4be30 Mon Sep 17 00:00:00 2001 From: Artyom Keydunov Date: Mon, 16 Mar 2026 16:56:22 -0700 Subject: [PATCH 1/3] Docs cleanup 2 (#10502) * docs: add user attributes syncing via SCIM for Entra ID Add section documenting how to sync user attributes from Microsoft Entra to Cube via SCIM, including attribute creation, schema prefix, and mapping configuration. Made-with: Cursor * docs: add Viewer role requirement for MCP server Made-with: Cursor * docs: move Chart Prototyping to Embedding, Data Model to Data Modeling - Move Chart Prototyping (vizard) from workspace to embedding section - Move Data Model page to data-modeling section, rename to Data Model IDE - Update all references and add redirects for old paths Made-with: Cursor * docs: restructure pages, add scheduled refreshes and notifications docs - Move API keys from workspace to administration - Move Pricing from deployment to administration - Hide CLI from workspace navigation - Update scheduled refreshes page with full documentation - Add notifications page for email and Slack delivery - Update all references and add redirects for moved pages Made-with: Cursor * docs: add Personal Core Data API Token section Made-with: Cursor --- .../sso/microsoft-entra-id/scim.mdx | 2 +- .../apis-integrations/core-data-apis/index.mdx | 17 ++++++++++++++++- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/docs/content/product/administration/sso/microsoft-entra-id/scim.mdx b/docs/content/product/administration/sso/microsoft-entra-id/scim.mdx index a9c263d651c64..0d736dcd433d3 100644 --- a/docs/content/product/administration/sso/microsoft-entra-id/scim.mdx +++ b/docs/content/product/administration/sso/microsoft-entra-id/scim.mdx @@ -63,7 +63,7 @@ Cube: 1. In the Mappings section, select the object type you want to configure — either users or groups. 2. Remove all default attribute mappings **except** the following: - - **For users**: keep `userName` and `displayName`. + - **For users**: keep `userName`, `displayName` and `active`. - **For groups**: keep `displayName` and `members`. 3. Click Save. diff --git a/docs/content/product/apis-integrations/core-data-apis/index.mdx b/docs/content/product/apis-integrations/core-data-apis/index.mdx index f72f52a1efbcd..574f24354a177 100644 --- a/docs/content/product/apis-integrations/core-data-apis/index.mdx +++ b/docs/content/product/apis-integrations/core-data-apis/index.mdx @@ -41,6 +41,18 @@ tools][ref-viz-tools]. Some of the features with partial support are listed belo | Nested [folders][ref-folders] | [Microsoft Power BI][ref-powerbi] via the [DAX API][ref-dax-api] | | [Custom time formats][ref-custom-time-formats] | [Playground][ref-playground] and [Workbooks][ref-workbooks] | +## Personal Core Data API Token + +Cube users can generate a personal token to authenticate SQL API connections from +external tools like BI dashboards, notebooks, and SQL clients. Navigate to +Preferences → Personal Core Data API Token and click +Generate Token. + +The token authenticates as that user, so all [groups][ref-groups], +[user attributes][ref-user-attributes], and [data access policies][ref-dap] +are applied to queries made with this token. The page also provides connection +instructions including host, port, and database name for your deployment. + ## Authentication methods Support for authentication methods differ across APIs, integrations, and [visualization @@ -82,4 +94,7 @@ tools][ref-viz-tools]: [ref-preset]: /product/configuration/visualization-tools/superset [ref-playground]: /product/administration/workspace/playground [ref-custom-time-formats]: /product/data-modeling/reference/types-and-formats#custom-time-formats -[ref-workbooks]: /product/exploration/workbooks \ No newline at end of file +[ref-workbooks]: /product/exploration/workbooks +[ref-groups]: /product/administration/users-and-permissions/user-groups +[ref-user-attributes]: /product/administration/users-and-permissions/user-attributes +[ref-dap]: /product/auth/data-access-policies \ No newline at end of file From 94c7cd2f76dcc0aae7565ebcd72b83f758f64fa0 Mon Sep 17 00:00:00 2001 From: Artyom Keydunov Date: Mon, 16 Mar 2026 16:57:19 -0700 Subject: [PATCH 2/3] docs: various changes to the docs (#10503) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * docs: cleanup and updates across documentation - Remove Rollup Designer page and all references - Remove LDAP page and all references - Rename SAML 2.0 to SAML everywhere - Convert availability SuccessBoxes to InfoBoxes with concise wording - Use "plan" instead of "tier" in availability boxes - Remove presentation index page - Remove administration index page - Update SSO page navigation from Team & Security to Admin → Settings - Remove outdated screenshots - Add Creator mode availability on Enterprise plan - Add "Creating a View" step to data modeling getting started - Update Next Steps to link to Explore and Workbooks - Hide Playground from navigation - Add Viewer role to typical usage scenarios - Add redirects for removed pages Made-with: Cursor * docs: update signed embedding documentation to include pre-setting dashboard filters via URL - Added section on pre-setting dashboard filter values using URL parameters. - Updated example URL to demonstrate the new functionality. - Revised theme customization section to focus on dashboard style customization. * docs: add user attributes syncing via SCIM for Entra ID Add section documenting how to sync user attributes from Microsoft Entra to Cube via SCIM, including attribute creation, schema prefix, and mapping configuration. Made-with: Cursor From 9a8a347c1751c686b956f71762ec2e9583e2e530 Mon Sep 17 00:00:00 2001 From: Artyom Keydunov Date: Mon, 16 Mar 2026 16:59:57 -0700 Subject: [PATCH 3/3] docs: update saml docs (#10504) * docs: Update SAML SSO docs for Entra and Okta to match new UI Restructure both guides following the SCIM docs pattern with prerequisites, clear step-by-step sections, and updated field names. Remove all old screenshots. Update Okta docs for new attribute statements UI and SAML setup instructions flow. Made-with: Cursor * docs: Update introduction video URL Made-with: Cursor --- .../sso/microsoft-entra-id/saml.mdx | 160 +++++++------- .../product/administration/sso/okta/saml.mdx | 196 +++++++----------- docs/content/product/introduction.mdx | 2 +- 3 files changed, 156 insertions(+), 202 deletions(-) diff --git a/docs/content/product/administration/sso/microsoft-entra-id/saml.mdx b/docs/content/product/administration/sso/microsoft-entra-id/saml.mdx index e8f90f90541fe..9a48cde5ea4d6 100644 --- a/docs/content/product/administration/sso/microsoft-entra-id/saml.mdx +++ b/docs/content/product/administration/sso/microsoft-entra-id/saml.mdx @@ -1,13 +1,8 @@ -# Microsoft Entra ID +# SAML authentication with Microsoft Entra ID -Cube Cloud supports authenticating users through [Microsoft Entra -ID][ext-ms-entra-id] (formerly Azure Active Directory), which is -useful when you want your users to access Cube Cloud using single sign-on. - -This guide will walk you through the steps of configuring SAML authentication -in Cube Cloud with Entra ID. You **must** have sufficient permissions in your -Azure account to create a new Enterprise Application and configure SAML -integration. +With SAML (Security Assertion Markup Language) enabled, you can authenticate +users in Cube through Microsoft Entra ID (formerly Azure Active Directory), +allowing your team to access Cube using single sign-on. @@ -15,105 +10,104 @@ Available on [Enterprise and above plans](https://cube.dev/pricing). -## Enable SAML in Cube Cloud - -First, we'll enable SAML authentication in Cube Cloud: - -1. Click your username from the top-right corner, then click Team & - Security. - -2. On the Authentication & SSO tab, ensure SAML is - enabled: - - - -Take note of the Single Sign On URL and Service Provider Entity -ID values here, as we will need them in the next step when we configure -the SAML integration in Entra ID. - -## Create a new Enterprise Application in Azure - -Go to [Enterprise Applications](https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview) -in your Azure account and click New application. - - - -Select Create your own application at the top: +## Prerequisites - +Before proceeding, ensure you have the following: -Give it a name and choose a *non-gallery application*: +- Admin permissions in Cube. +- Sufficient permissions in Microsoft Entra to create and configure + Enterprise Applications. - +## Enable SAML in Cube -Go to the Single sign-on section and select SAML: +First, enable SAML authentication in Cube: - +1. In Cube, navigate to Admin → Settings. +2. On the Authentication & SSO tab, enable the SAML + toggle. +3. Take note of the Single Sign-On URL and Audience + values — you'll need them when configuring the Enterprise Application + in Entra. -Fill-in Entity ID and Reply URL from the [SAML -configuration page](#enable-saml-in-cube-cloud) in Cube Cloud: +## Create an Enterprise Application in Entra - +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). +2. Go to [Enterprise Applications](https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview) + and click New application. +3. Select Create your own application. +4. Give it a name and choose a **non-gallery application**, then click + Create. -Go to Attributes & Claims → Edit → Advanced settings: +## Configure SAML in Entra - +1. In your new Enterprise Application, go to the Single sign-on + section and select SAML. +2. In the Basic SAML Configuration section, enter the following: + - **Entity ID** — Use the Single Sign-On URL value from Cube. + - **Reply URL** — Use the Single Sign-On URL value from Cube. +3. Go to Attributes & Claims → Edit → Advanced settings and + set the audience claim override to the Audience value from Cube. +4. Go to SAML Certificates → Edit and select Sign SAML + response and assertion for the Signing Option. +5. Download the Federation Metadata XML file — you'll need it + in the next step. -Set the audience claim override to the value given you by the [SAML -configuration page](#enable-saml-in-cube-cloud) in Cube Cloud: +## Complete configuration in Cube - +Return to the SAML configuration page in Cube and provide the identity +provider details. You can do this in one of two ways: -Go to SAML Certificates → Edit and select Sign SAML response -and assertion for Signing Option: +**Option A: Upload metadata file** - +1. In the Import IdP Metadata section, click Upload + Metadata File. +2. Select the **Federation Metadata XML** file you downloaded from Entra. + This will automatically populate the Entity ID / Issuer, + SSO (Sign on) URL, and Certificate fields. -Download Federation Metadata XML: +**Option B: Enter details manually** - +If you prefer to configure the fields manually, enter the following +values from the Entra Single sign-on page: -## Complete configuration in Cube Cloud +- **Entity ID / Issuer** — Use the Microsoft Entra Identifier + value. +- **SSO (Sign on) URL** — Use the Login URL value. +- **Certificate** — Paste the Base64-encoded certificate from the + SAML Certificates section. -Upload the manifest file through the Advanced Settings tab on the [SAML -configuration page](#enable-saml-in-cube-cloud) in Cube Cloud: +## Configure attribute mappings - +To map user attributes from Entra to Cube, configure the claim URIs +in the SAML settings: -Select SHA-256 as Signature Algorithm: +- Enter the claim URI that corresponds to the user's email address in + the Email attribute field. Common values: + - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` + - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` +- To map a role attribute from Entra to an identically-named role + defined in Cube, add the corresponding claim URI to the + Role field. +- You can also map the user's display name in the same manner. - - -Enter the claim URI that corresponds to the user email address in Attributes → Email. This will vary based on your SAML configuration. - -Examples: - -`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` - -`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` - - - -To map a role attribute from Entra ID to an identically-named role defined in Cube, add the claim URI corresponding to role to the Role field in Cube Cloud, similar to above. Note that Admin status cannot be set via SSO. - -You can map the user's display name from Entra ID to Cube in the same manner. - -Save settings on the Cube Cloud side. + -## Final steps +Admin status cannot be set via SSO. To grant admin permissions, update +the user's role manually in Cube under Team & Security. -Make sure the new Azure application is assigned to some users or a group: + - +## Assign users -At the bottom of the Single sign-on section, select Test -and verify that the SAML integration now works for your Cube Cloud account: +Make sure the new Enterprise Application is assigned to the relevant +users or groups in Entra before testing. - +## Test the integration -Done! 🎉 +1. In the Entra Single sign-on section, click Test + to verify the SAML integration works for your Cube account. +2. Alternatively, copy the Single Sign-On URL from Cube, + open it in a new browser tab, and verify you are redirected to + Entra for authentication and then back to Cube. [ext-ms-entra-id]: https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id diff --git a/docs/content/product/administration/sso/okta/saml.mdx b/docs/content/product/administration/sso/okta/saml.mdx index 810413526270a..148d06bc1765d 100644 --- a/docs/content/product/administration/sso/okta/saml.mdx +++ b/docs/content/product/administration/sso/okta/saml.mdx @@ -1,10 +1,8 @@ -# Okta +# SAML authentication with Okta -Cube Cloud supports authenticating users through Okta, which is useful when you -want your users to access Cube Cloud using single sign on. This guide will walk -you through the steps of configuring SAML authentication in Cube Cloud with -Okta. You **must** be an account administrator in your Okta organization to -access the Admin Console and create a SAML integration. +With SAML (Security Assertion Markup Language) enabled, you can authenticate +users in Cube Cloud through Okta, allowing your team to access Cube Cloud +using single sign-on. @@ -12,123 +10,85 @@ Available on [Enterprise and above plans](https://cube.dev/pricing). -## Enable SAML in Cube Cloud - -First, we'll enable SAML authentication in Cube Cloud. To do this, log in to -Cube Cloud and - -1. Click your username from the top-right corner, then click Team & - Security. - -2. On the Authentication & SSO tab, ensure SAML is - enabled: - - - -Take note of the Single Sign On URL and Audience values -here, as we will need them in the next step when we configure the SAML -integration in Okta. - -## Create a SAML Integration in Okta - -Next, we'll create a [SAML app integration for Cube Cloud in -Okta][okta-docs-create-saml-app]. - -1. Log in to your Okta organization as an administrator, then navigate to the - Admin Console by clicking Admin in the top-right corner. - -2. Click Applications > Applications from the navigation on the left - of the screen, then click Create App Integration, then - select SAML and click Next. - - - -3. Enter a name for your application and click Next. You can - optionally upload a logo for the application, but this is not required. - - - -4. Enter the following values in the SAML Settings section: - -| Name | Description | -| --------------------------- | ----------------------------------------------------------- | -| Single sign on URL | Use the Single Sign On URL value from Cube Cloud | -| Audience URI (SP Entity ID) | Use the Audience value from Cube Cloud | - - - -5. Scroll down to the Attribute Statements section and create the - following entries: - -| Name | Name format | Value | -| ------- | ----------- | ---------------- | -| `email` | Basic | `user.email` | -| `name` | Basic | `user.firstName` | +## Prerequisites - +Before proceeding, ensure you have the following: -6. Click Next to go to the Feedback screen, fill in any - necessary details and then Finish to complete the integration: - - - -You should now see your new SAML app integration's details. Click the Sign -On tab: - - - -From under Settings > Sign on methods > SAML, click More -details: - - - -Take note of the Sign on URL, Issuer and Signing -Certificate values, as we will need them in the next step. +- Admin permissions in Cube Cloud. +- Account administrator permissions in your Okta organization to access + the Admin Console and create SAML integrations. ## Enable SAML in Cube Cloud -In this step, we'll finalise the configuration by entering the values from our -SAML integration in Okta into Cube Cloud. - -1. From the same Authentication & SSO > SAML tab, click the - Advanced Settings tab: - - - -2. Enter the following values in the SAML Settings section: - -| Name | Description | -| --------------------------- | ------------------------------------------------------ | -| IdP Issuer (IdP Entity ID) | Use the Issuer value from Okta | -| Identity Provider Login URL | Use the Sign on URL value from Okta | -| Certificate | Use the Signing Certificate value from Okta | - -3. Scroll down and click Save SAML Settings to save the changes. - -## Log in with Okta - -The last step is to start using SAML authentication. To do this, use the -following instructions: - -1. Click your username from the top-right corner, then click Team & - Security. - -2. On the Authentication & SSO tab, scroll down to SAML - and copy the Single Sign On URL value: - - - -3. Open a new browser tab and paste the Single Sign On URL value - into the address bar, then press Enter. You should be redirected - to Okta to log in, and after a successful login, you should be redirected - back to Cube Cloud. +First, enable SAML authentication in Cube Cloud: + +1. In Cube Cloud, navigate to Admin → Settings. +2. On the Authentication & SSO tab, enable the SAML + toggle. +3. Take note of the Single Sign-On URL and Audience + values — you'll need them when configuring the SAML integration in Okta. + +## Create a SAML integration in Okta + +1. Log in to your Okta organization as an administrator, then navigate to + the Admin Console by clicking Admin in the top-right corner. +2. Click Applications → Applications from the navigation on the + left, then click Create App Integration. +3. Select SAML 2.0 and click Next. +4. Enter a name for your application and click Next. +5. Enter the following values in the SAML Settings section: + - **Single sign on URL** — Use the Single Sign-On URL + value from Cube Cloud. + - **Audience URI (SP Entity ID)** — Use the Audience + value from Cube Cloud. +6. Click Next to go to the Feedback screen, fill in + any necessary details and click Finish. + +## Configure attribute statements in Okta + +After the application is created, configure attribute statements to map +user attributes from Okta to Cube Cloud: + +1. In your SAML app integration, go to the Sign On tab. +2. Scroll down to the Attribute statements section. +3. Click Add expression and create the following entries: + +| Name | Expression | +| ------- | ------------------------- | +| `email` | `user.profile.email` | +| `name` | `user.profile.firstName` | + +## Retrieve SAML details from Okta + +Next, retrieve the values you'll need to complete the configuration +in Cube Cloud: + +1. In your SAML app integration, go to the Sign On tab. +2. In the sidebar, click View SAML setup instructions. +3. Take note of the following values from the setup instructions page: + - **Identity Provider Single Sign-On URL** + - **Identity Provider Issuer** + - **X.509 Certificate** + +## Complete configuration in Cube Cloud + +Return to the SAML configuration page in Cube Cloud and provide the +identity provider details: + +- **Entity ID / Issuer** — Use the Identity Provider Issuer + value from Okta. +- **SSO (Sign on) URL** — Use the Identity Provider Single + Sign-On URL value from Okta. +- **Certificate** — Paste the X.509 Certificate from Okta. + +## Test SAML authentication + +1. Copy the Single Sign-On URL from the SAML configuration page + in Cube Cloud. +2. Open a new browser tab and paste the URL into the address bar, then + press Enter. +3. You should be redirected to Okta to log in. After a successful login, + you should be redirected back to Cube Cloud. [okta-docs-create-saml-app]: https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_SAML.htm diff --git a/docs/content/product/introduction.mdx b/docs/content/product/introduction.mdx index 0a32388704ffd..c42fdfbaa5f67 100644 --- a/docs/content/product/introduction.mdx +++ b/docs/content/product/introduction.mdx @@ -9,7 +9,7 @@ Cube is the business intelligence platform powered by the open-source semantic l Cube uses AI agents to build data models and enable data consumers to perform analysis. Use AI to quickly build semantic layer and fully control the analytics context.