Skip to main content
Provide more functionality to your external customers by empowering them to create, edit, save, and share their own content from the embedded experience. The most advanced companies integrate the full power of the platform. Domo Everywhere allows you to share the rich data experience of the entire Domo platform — any data, application, or visualization — packaged together for your customers and partners that aligns with your brand and while maintaining the ability to easily govern and distribute at scale. You decide what tools and capabilities to enable. Start with the majority of your functionality already built so you can focus on your expertise.
Your most strategic customers and partners demand more than dashboards. OEM all of Domo in your interface so your partners and customers can:
  • Create totally new content
  • Create their own alerts
  • Schedule their own reports
  • Connect their own data
  • Transform both sides together

Domo Identity Broker


What does the Domo Identity Broker do?

The Domo Identity Broker allows you to have one entity they can authenticate users against. The Identity Broker will then route that user to the appropriate Domo environment and authenticate them as a user. The identity broker can accept a variety of different authentication methods to make it easy for our customer to leverage their existing infrastructure. See basic architecture diagram below.

Supported Technologies

The Domo Identity Broker supports SAML2, OIDC, JWT or OAuth2.

Configuration and Deployment Steps

Reach out to your CSM and be prepared to supply the following information:
  • URL to your Domo instance
  • Desired authentication mechanism(s): SAML2, OIDC, JWT or OAuth2
  • Attribute that will be used to route a user to an end customer account
  • Mappings of attributes to end customer accounts
Once you’ve submitted that information, you will receive the following items:
  • URL of the Identity Broker
  • A cert used by the Domo End Customer Accounts to accept SAML assertions from the Domo Identity Broker
  • A secret that needs to be used to sign the JWT
Configuration of the initial End Customer Account:
  • The End Customer Account needs to have SSO configured to allow the Domo Identity Broker to serve as the IDP for that environment
  • Navigate to the instance -> Admin -> Security -> SSO -> Manual Configuration
  • Identity provider endpoint URL is the URL for the Identity Broker
  • Entity ID is the URL for the Identity Broker
  • Please upload the provided certificate
  • Ensure you select the “Use SAML Relay State to redirect” box

Authenticating using a JWT (JSON Web Token)

JWT’s can be sent to the Domo Identity Broker as a GET parameter (in the URL) or a POST parameter (in the post body). A quick way for validation is to send a URL parameter to the Identity Broker URL, followed by /JWT?token={token}. You can also pass a destination parameter in the URL, which will determine which page is loaded (assuming you want to load something beyond the default landing page). Example:
https://modocorp-idp.domo.com/jwt?token={token}&destination=/page/{page_id}
The minimum items required in the payload are:
  • Sub (email address)
  • User attribute key (lookup to tie the user to an end customer account)
  • Exp (JWT expiration in EPOCH time)
  • JTI (Unique string to identify this JWT. Recommended to use a UUID.)
In addition to the required items you can also include the following option attributes which can be used by Domo. These can be used in dynamic PDP policies, for group assignments and to complete the users profile within Domo:
  • Alternate email – A secondary contact email for the user.
  • Role – The role of the user at each login. The role must match exactly a valid role in the Domo instance.
  • Employee ID – Must be alphanumeric
  • Hire Date – Format: YYYY-MM-DD
  • Title – Example: Retail Team Lead
  • Department – Example: Sales
  • Location – Example: Salt Lake City, UT
  • Mobile phone
    • Accepts any combination of numbers and the characters +()-x.
    • Example: +1 (555) 555-5555 x 5555
  • Desk phone – Accepts any combination of numbers and the characters +()-x.
    • Example: +1 (555) 555-5555 x 5555
  • Locale – Sets the preferred language, metrics and formatting in Domo. Valid values include:
    • de-DE,
    • de-AT,
    • de-CH,
    • en-AU,
    • en-CA,
    • en-150,
    • en-HK,
    • en-IE,
    • en-IL,
    • en-MO,
    • en-NZ,
    • en-SG,
    • en-GB,
    • en-US,
    • en-001,
    • es-419,
    • es-ES,
    • es-US,
    • es-MX,
    • fr-BE,
    • fr-CA,
    • fr-FR,
    • fr-CH,
    • ja-JP,
    • zh-CN,
    • zh-Hans-HK,
    • zh-Hans-MO,
    • zh-Hans-SG
  • Timezone – Example: America/Denver or Asia/Tokyo. For a full list of valid timezone settings, see this article: timezones
  • Group – A list of XML escaped strings
The payload must be signed using the provided secret and be encoded using an HS algorithm (we encourage HS256). A great site for learning more about JWT’s, creating them for testing purposes and finding access to different code repositories for creating and signing JWT’s is jwt.io Sample JWT payload:
{
  "sub": "alex.lee@modocorp.co",
  "name": "Alex Lee",
  "customer_id": 1000,
  "groups": ["a", "b", "c"],
  "exp": 1716239022
}

Authenticating using SAML2

When using SAML2 to authenticate against the Domo Identity Broker the following details are required for configuration of the IDP:
  • SAML Assertion Endpoint URL: {{identitybrokerURL}}/auth/saml
Once the configuration is completed in the IDP, you need to provide your technical resource at Domo with the following details from your IDP:
  • Identity Provider Endpoint URL
  • Entity ID
  • X.509 certificate

Managing Instance Mapping

There are two ways to manage instance mappings in the Identity Broker:
  1. Webform Dataset within the Main Instance
    • Update the Dataset: If your mappings are managed through a Domo webform dataset within your main instance, you can create a support ticket to restart the mapping. This allows the changes made to the webform dataset to take effect in the Identity Broker.
  2. Excel Sheet Managed by Engineering:
    • Engineering Control: Alternatively, if your mappings are maintained in an Excel sheet managed by engineering, you will need to contact support and provide the new instances and their corresponding IDs. Engineering will manually update the mappings for you.
Both methods mentioned above require a support ticket to restart the mapping process and ensure that the changes made in the webform dataset or Excel sheet take effect within the Identity Broker.

Next Steps


For more information also see the Domo Knowledge Base. In particular, this article on Routing, Creation, and Mapping may be helpful.