Join us from October 8-10 in New York City to learn the latest tips, trends, and news about GraphQL federation and API platform engineering.Join us for GraphQL Summit 2024 in NYC
Start for Free

Set up SSO with an OIDC-based IdP

Configure an OIDC-based identity provider

Single sign-on (SSO) is available only for Dedicated and Enterprise plans. This feature is not available as part of an Enterprise trial.

This guide walks through configuring a generic OpenID Connect (OIDC) based identity provider (IdP) for use with Apollo SSO. If you use Microsoft Entra ID as your IdP, instead see the Entra OIDC guide.


These are the latest instructions (as of April 2024) for setting up SSO for a organization. This new SSO setup is currently in preview.

Though in preview, Apollo recommends using the new setup unless your organization has a strong reason not to. If you have questions, please consult with your Apollo contact.

SSO setup has two main steps:

  1. Create a custom application in your IdP.
  2. Send your application's OIDC metadata to Apollo.

These steps generally require administrative access to your IdP.

Step 1. Create a custom application

  1. Send a request to your Apollo contact to configure an OIDC SSO integration. Include the organization name(s) you are setting up SSO for, and the email domains you want to associate with the organization. Your Apollo contact will respond with:

    • A redirect URI
    • A link to a form where you can submit your SSO information to Apollo. You'll use this form in the last setup step.


    The redirect URI differs for each organization. If setting up SSO for multiple organizations, repeat the following steps for each organization using different values.

  2. Create a new application in your SSO environment. While doing so, set the following values:

    • App Name: Apollo GraphOS
    • App logo: Apollo logo (optional)
  3. Retrieve the following values from your SSO provider and save them in a local text file:

  • Client ID: this should be a specific Application ID
  • Client Secret: a secret value you may need to first create in your IdP
  • Issuer: the issuer value from a OpenID Connect metadata document found in your IdP
  1. If your IdP permits it, set the following user attributes:

    • sub:
      • The sub attribute should uniquely identify any particular user to GraphOS. In most cases, provides this unique mapping.
    • email:
    • given_name: user.firstName
    • family_name: user.lastName

Step 2. Send OIDC metadata to Apollo

To complete the setup, complete the Apollo-provided link from step 1 with the appropriate information and inform your Apollo contact. They will then be able to complete your SSO setup.

Once your SSO setup is live, assign users to your new Apollo GraphOS application in your IdP. For help assigning the relevant groups and users, contact your SSO or Identity & Access Management team.

If team members could previously login before you implemented SSO, they must re-login to GraphOS Studio via SSO. Signing in creates a new user profile for them. Any personal API keys associated with their previous user profile will be lost. (Graph API keys are unaffected and remain functional.) Additionally, you must reassign any GraphOS roles associated with their previous user profile.

Once you've confirmed the new setup works as expected, remove any legacy Apollo GraphOS applications in your IdP.

Microsoft Entra ID
Rate articleRateEdit on GitHubEditForumsDiscord

© 2024 Apollo Graph Inc.

Privacy Policy