
Set up SAML SSO with Microsoft Entra ID (formerly Azure AD)

Configure Entra ID as your GraphOS organization's identity provider


Single sign-on (SSO) is available only for Dedicated and Enterprise plans. This feature is not available as part of an Enterprise trial.

This guide walks through configuring Microsoft Entra ID (formerly known as Azure Active Directory) as your organization's identity provider (IdP) for SAML-based SSO.

💡 TIP

If your organization's SSO was set up before April 2024 according to the legacy instructions, Apollo highly recommends creating a new SSO configuration with the updated instructions.

Setup

SAML-based SSO setup has two main steps:

  1. Create an enterprise application in Entra ID.
  2. Send your Entra ID application's SAML metadata to Apollo.

Setup requires at least a Cloud Application Administrator role.

Step 1. Create an enterprise application

  1. Send a request to your Apollo contact for Apollo's service provider (SP) SAML information. Include the organization name(s) you are setting SSO up for.

    Your Apollo contact will respond with a URL where you can download Apollo's SP SAML XML metadata file(s) for your organization(s). This file contains the following values:

    • Single Sign-on URL
    • Entity ID

    NOTE

    SSO metadata values differ for each GraphOS organization. If setting up SSO for multiple organizations, repeat the following steps for each organization using different values.

  2. Go to your Microsoft Entra admin center. Alternatively, you can sign in to the Azure Portal and then navigate to Microsoft Entra ID.

  3. Go to Identity > Applications > Enterprise applications and select +New application in the top menu.

  4. In the top menu, select +Create your own application.

  5. Enter Apollo GraphOS as the name of your app. Below, keep the Integrate any other application you don't find in the gallery (Non-gallery) option selected. Click Create.

    Application creation in Microsoft Entra ID

  6. On the app's Overview page, select 2. Set up single sign-on. You'll assign users and groups later.

  7. On the app's Single sign-on page, select SAML as the single sign-on method.

  8. At the top of the SAML-based Sign-on page, click Upload metadata file and upload the file provided by your Apollo contact. Alternatively, you can enter these values manually in the Basic SAML Configuration section:

    • Identifier (Entity ID): Entity ID value provided by Apollo
    • Reply URL (Assertion Consumer Service URL): Single Sign-on URL provided by Apollo

    Click Save.

  9. In Attributes & Claims, ensure the following claim names have the corresponding source attributes:

    • email: user.mail
    • given_name: user.givenname
    • family_name: user.surname
    • sub: user.userprincipalname

    If any are missing, enter them manually.


    Claims do not need a Namespace.

  10. Under SAML Certificates, copy the App Federation Metadata URL into a text file for the next step.

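As an added example (not Apollo's or Microsoft's code), a small Python check for the claims mapping configured above: given a SAML assertion captured from Entra's Test button, it reports required claims that are missing, still carry Entra's default claim namespace, or have an empty value. The sample assertion below is constructed, not real Entra output.

```python
"""Check an Entra ID SAML assertion for the claims GraphOS expects (step 9)."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim name -> Entra source attribute, exactly as listed in step 9 above.
REQUIRED_CLAIMS = {
    "email": "user.mail",
    "given_name": "user.givenname",
    "family_name": "user.surname",
    "sub": "user.userprincipalname",
}
# Entra's default claim namespace. If it is left set, "email" is emitted as a
# long URI-style name, which is why the guide says claims need no namespace.
DEFAULT_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"


def check_claims(assertion_xml: str) -> dict:
    """Report required claims that are missing, namespaced, or empty."""
    root = ET.fromstring(assertion_xml)
    attrs = list(root.iterfind(".//saml:Attribute", SAML_NS))
    names = {a.get("Name") for a in attrs}
    # Claims that exist but still carry the default namespace prefix.
    namespaced = sorted(n for n in names if n and n.startswith(DEFAULT_NS)
                        and n[len(DEFAULT_NS):] in REQUIRED_CLAIMS)
    found_bare = {n[len(DEFAULT_NS):] for n in namespaced}
    missing = sorted(c for c in REQUIRED_CLAIMS
                     if c not in names and c not in found_bare)
    # Claims under the right name but with no value, e.g. a user whose
    # user.mail attribute is blank in Entra.
    empty = sorted(a.get("Name") for a in attrs if a.get("Name") in REQUIRED_CLAIMS
                   and not any((v.text or "").strip() for v in
                               a.iterfind("saml:AttributeValue", SAML_NS)))
    return {"missing": missing, "namespaced": namespaced, "empty": empty,
            "ok": not (missing or namespaced or empty)}


# Constructed sample assertion (not real Entra output): email keeps the default
# namespace, family_name is blank, and sub is absent entirely.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="family_name"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Run `check_claims` on the decoded assertion from a test sign-in; an `ok` of `False` points at the exact claim to fix before assigning users.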

Step 2. Send SAML metadata to Apollo

Send your Apollo contact the App Federation Metadata URL you previously copied. They will then be able to complete your SSO setup.

Once your SSO setup is finalized, you need to assign users to your GraphOS app in Entra.

Assign users in Entra ID

Once you've set up your Apollo GraphOS application in Entra ID, you need to assign users to it so they can access GraphOS. You can assign individual users or groups from the Users and groups page of your Apollo GraphOS application in Entra ID.

You may want to begin by adding yourself individually and then testing SSO by clicking Test at the bottom of the Single sign-on page.

SSO testing in Microsoft Entra ID

Once you've successfully tested your own user's ability to use SSO, add any applicable users or groups.

If team members could log in before you implemented SSO, they must log in again via SSO. Signing in creates a new user profile for them. Any personal API keys associated with their previous user profile will be lost. (Graph API keys are unaffected and remain functional.) Additionally, you must reassign any GraphOS roles associated with their previous user profile.

Once you've confirmed the new configuration works for your users, remove any legacy Apollo GraphOS applications in Entra ID or app registrations in Azure AD if you have them.

Legacy setup

⚠️ CAUTION

The instructions below are provided for reference only. Beginning in April 2024, Apollo recommends that all organizations use the updated instructions to create a new SSO connection.

If you previously configured SSO using the instructions below and want to use multi-organization SSO, you must create a new SSO connection with the updated instructions.

© 2024 Apollo Graph Inc., d/b/a Apollo GraphQL.