Prepare for data.world

Configure your network

When you connect your data systems to data.world, your system or firewall may enforce a network policy that only allows access from specific IP addresses (your allowlist). In that case, you need to add data.world to your network policy's IP allowlist.

Allowlist for data.world

Allow the following IP addresses:

  • 52.3.83.134

  • 52.205.195.10

  • 52.205.207.86
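
An added example (not data.world's own code): one way to audit an exported inbound rule set against the three addresses above, reporting addresses that no rule admits and rules that admit them only as part of a wider range. The function name, the `max_hosts` parameter and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# Source addresses listed on this page for data.world.
DATA_WORLD_IPS = ("52.3.83.134", "52.205.195.10", "52.205.207.86")


def audit_allowlist(rules, max_hosts=1):
    """Compare inbound allow rules (CIDR strings) with the addresses above.

    Returns (missing, too_broad): addresses that no rule admits, and rules
    that admit one of them through a range of more than max_hosts addresses.
    """
    nets = [ipaddress.ip_network(rule, strict=False) for rule in rules]
    missing, too_broad = [], []
    for ip in map(ipaddress.ip_address, DATA_WORLD_IPS):
        covering = [net for net in nets if ip in net]
        if not covering:
            missing.append(str(ip))
        for net in covering:
            # A wide range also admits unrelated hosts in the same block.
            if net.num_addresses > max_hosts and str(net) not in too_broad:
                too_broad.append(str(net))
    return missing, too_broad


# Constructed rule set: one exact entry, one wide range, one unrelated rule.
RULES = ["52.3.83.134/32", "52.205.0.0/16", "10.0.0.0/8"]

if __name__ == "__main__":
    missing, too_broad = audit_allowlist(RULES)
    print("not admitted:", missing or "none")
    print("wider than needed:", too_broad or "none")
```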

Other IP addresses required to use data.world

We occasionally see company firewalls that block some of the functionality on data.world, including, but not limited to, uploading files to the platform. If you suspect this is the case, we recommend contacting your network administrator to allow the following domains:

  • dataworld-uploads-p-us-east-1.s3-accelerate.amazonaws.com

  • uploads.data.world

  • *.filepicker.io

  • *.filepicker.com

If your firewall doesn't support wildcards, allow the following:

  • dataworld-uploads-p-us-east-1.s3-accelerate.amazonaws.com

  • dataworld-uploads-p-us-east-1.s3.amazonaws.com

  • uploads.data.world

  • filepicker.io

  • www.filepicker.io

  • api.filepicker.io

  • dialog.filepicker.io

  • developers.filepicker.io

  • cdn.filepicker.io

  • process.filepicker.io

  • www.filepicker.com

Tip

If you're not sure the issues you're experiencing are due to firewall restrictions, try performing the same tasks on a different network, such as your home internet connection.

Change Log
  • As of January 3, 2020 (52.3.83.134, 52.205.195.10, 52.205.207.86)

SAML and data.world

If your organization uses a SAML 2.0 compliant single sign-on (SSO) provider, you can configure a new SSO application with that provider (e.g., Okta, ADFS) to authorize access to your organization’s data. Once configured, all members of your organization will need to verify their identity through SSO before accessing data.world resources.

Prerequisites

To use single sign-on with SAML and data.world, you will need the following:

  • A SAML-enabled data.world organization (requested from Client Success or Support)

  • An administrator login for the organization

  • A SAML 2.0-compliant identity provider

SAML application configuration

The first thing you will need to do is create a SAML application for data.world. You will need the following configuration information to create this application:

  • Logo image - This is the logo image for data.world and it is found at https://query.data.world/s/opnoxp22o7tdd4k2yi4skd2bkvxbmu

  • Single Sign-on URL/Assertion URL - The specific data.world URL that SAML assertions should be sent to: https://data.world/sso/acs/{organization_id}. Replace {organization_id} with your organization's ID, which can be found in the URL of the organization homepage. For example, the organization ID for https://data.world/organization/nightowlcorp would be nightowlcorp, and for https://data.world/organization/democorp it would be democorp.

  • Audience URI/Entity ID - The unique SP identifier that dictates the entity or audience for which the SAML Assertion is intended: https://data.world/sso/metadata

  • Additional attribute statements - These are used to help identify the user and are composed of an Attribute Name and a Name Format. We require firstName, lastName, and email.

    The Name Format for data.world is Unspecified. Examples of the Attribute Names for Okta and ADFS are as follows:

    • For Okta:

      • user.firstName - firstName

      • user.lastName - lastName

      • user.email - email

    • For ADFS (no namespace URI):

      • user.givenName - firstName

      • user.surname - lastName

      • user.mail - email

Setup on data.world

Follow these steps to configure data.world to use SAML:

Note

An administrator role in the organization on data.world is required to make these changes.

  1. Go to the organization home page and select the Settings tile.

  2. Select the Settings tab and the Security menu item on the left, then check the box to enable SAML. If you don’t see a Security tab, contact your data.world representative to enable it for you.

  3. Enter the information requested and select Test SAML configuration.

  4. Click “Save” if the test is successful. It may take a few minutes for the change to take effect for all org members.

Note

When you enable SSO for an organization, members of that organization will need to validate through the SSO provider to access any pages on data.world, not just the organization’s.

All users of the organization will have their personal API tokens reset when SSO is enabled.

  • If they have integrations (such as Python) set up with this token, they will need to update the token within the integration.

  • If they have saved any query results as tables within data.world, they will not be able to sync those tables.  They will need to delete the tables and re-save the query results as a new table.

Using Just In Time (JIT) account provisioning

Just In Time (JIT) account provisioning is an optional feature that creates an SSO login portal to your organization on data.world. When this feature is enabled, an SSO-enabled login page is created at https://data.world/{your organization}/login.

If someone has the data.world app assigned to them in their SSO provider profile but does not yet have a data.world account:

  • a new data.world account will be created for them automatically when they click the link on this page

  • their data.world username will be firstname-lastname, based on the name that exists in their SSO profile

  • they will not be given a password - they will need to log in using the same login page in the future and authenticate via SSO

  • they will be granted membership to the organization on data.world with the Member level of organization membership

If someone has the data.world app assigned to them in their SSO provider profile, has a data.world account, and is a member of the organization:

  • they will be logged into data.world if they have validated recently through the SSO provider

  • if they haven't validated through the SSO provider recently, they will be redirected to the SSO provider's login page, and then redirected to data.world upon completion of the SSO login

  • they will land on the data.world organization's homepage (as opposed to their individual account's homepage) upon login

If someone has the data.world app assigned to them in their SSO provider profile, has a data.world account, and is NOT a member of the organization on data.world:

  • they will be logged into data.world, but redirected to their individual homepage.

  • they will not be granted automatic membership to the organization

  • an admin of the organization on data.world will need to manually invite them to the organization

  • this case occurs when someone signs up for a data.world account before SSO is enabled for their organization, or if they create an account on data.world without using the special login page described at the top of this section

If someone does not have the data.world app assigned to them in the SSO provider profile:

  • an SSO provider admin will need to add the data.world app to the user's SSO provider profile

  • after data.world is added to the SSO provider profile, they will be able to create a new account through the login page described in this section

Troubleshooting

When implementing SAML with data.world, watch out for:

  • If the Single Sign-on URL/Assertion URL ( https://data.world/sso/acs/{organization_id} ) was entered improperly in the SSO provider’s configuration, users will experience a 404 page or a sign-on loop when trying to access data.world.
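
An added example (not data.world's or any identity provider's code): a diagnostic that compares a base64-decoded SAML Response from your IdP with the values listed under "SAML application configuration", which helps pin down the mis-entered ACS URL described above. The function names and both sample responses are constructed for illustration, and the check does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
AUDIENCE = "https://data.world/sso/metadata"
ACS_PREFIX = "https://data.world/sso/acs/"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
REQUIRED = ("firstName", "lastName", "email")

def check_response(xml_text, organization_id):
    """List mismatches with the settings above (diagnostic; no signature check)."""
    root = ET.fromstring(xml_text)
    acs, problems = ACS_PREFIX + organization_id, []
    # The ACS URL appears as Response/@Destination and as each Recipient.
    targets = [root.get("Destination")]
    targets += [e.get("Recipient") for e in root.iterfind(".//a:SubjectConfirmationData", NS)]
    for target in targets:
        if target != acs:
            problems.append(f"ACS URL is {target!r}, expected {acs!r}")
    audiences = [(e.text or "").strip() for e in root.iterfind(".//a:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append(f"audience {audiences} does not include {AUDIENCE!r}")
    attrs = {e.get("Name"): e for e in root.iterfind(".//a:Attribute", NS)}
    for name in REQUIRED:  # attribute names are compared case-sensitively
        attr = attrs.get(name)
        if attr is None:
            problems.append(f"attribute {name!r} is missing")
        elif attr.get("NameFormat", UNSPECIFIED) != UNSPECIFIED:  # absent means unspecified
            problems.append(f"attribute {name!r} NameFormat is not Unspecified")
        elif not attr.findtext("a:AttributeValue", "", NS).strip():
            problems.append(f"attribute {name!r} has no value")
    return problems

def sample_response(acs, audience, attr_names):
    """Build a constructed, unsigned SAML Response (not captured traffic)."""
    attrs = "".join(f'<a:Attribute Name="{n}" NameFormat="{UNSPECIFIED}">'
                    f"<a:AttributeValue>x</a:AttributeValue></a:Attribute>" for n in attr_names)
    return (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" Destination="{acs}">'
            f'<a:Assertion><a:Subject><a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{acs}"/>'
            f"</a:SubjectConfirmation></a:Subject><a:Conditions><a:AudienceRestriction>"
            f"<a:Audience>{audience}</a:Audience></a:AudienceRestriction></a:Conditions>"
            f"<a:AttributeStatement>{attrs}</a:AttributeStatement></a:Assertion></p:Response>")

GOOD = sample_response(ACS_PREFIX + "nightowlcorp", AUDIENCE, REQUIRED)
# Constructed misconfiguration: organization id missing from the ACS URL, firstName sent as givenName.
BAD = sample_response(ACS_PREFIX, AUDIENCE, ("givenName", "lastName", "email"))

if __name__ == "__main__":
    print(check_response(GOOD, "nightowlcorp"), check_response(BAD, "nightowlcorp"), sep="\n")
```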

Multi-organization models

Companies with multiple departments or divisions using data.world may choose to create more than one organization. Reasons for doing this include:

  • You don't want to provide visibility of certain datasets to the entire organization

  • You want to provide the entire company visibility of each division's business glossary, but grant Admin privileges to each business glossary separately

Top-down model

In the top-down model, the main corporate organization adds each department's organization as a member.

Note

It is permissible for one person to be a member of multiple department organizations. If those organizations provide different levels of access to the corporate organization, the individual will be granted the higher level of access.

Key features
  • Membership to the main corporate organization can be granted to individuals directly or through their membership in department orgs

  • Different departments can be granted different levels of access over resources owned by the main corporate org (e.g., everyone in a 'Governance' org can be given Admin access to the corporate org)

  • Resources owned at the department level must be explicitly shared company wide - there's greater control over which other departments can see them

  • Removing members from the corporate organization does not revoke access to department organizations

Limitations
  • When the main corporate organization has multiple Collections, administrators have control over all Collections

Bottom-up model

In the bottom-up model, each department's organization adds the main corporate organization as a member.

Key features
  • Each department can have its own Collection catalog with a unique administrator

  • Resources owned at the department-level are visible company wide

  • When a member is removed from the corporate organization, they also lose the inherited view access to each department organization

  • Can be used for department organizations that include contractors, clients, or others that should not have access to corporate resources - those third parties can be given view access to only the department

Hybrid models

Top-down and bottom-up structures are not mutually exclusive. A company could use a top-down structure for the majority of its work, but also create a single org with a bottom-up structure for sharing client work with clients.