Set up SSO with a SAML-based IdP
Configure a SAML-based identity provider
This guide walks through configuring a generic SAML-based identity provider (IdP) for use with Apollo SSO. If you use Okta or Microsoft Entra ID as your IdP, instead see the corresponding guide for your IdP:
Microsoft Entra ID (formerly known as Azure Active Directory)
If you're migrating your SSO configuration, see the self-service instructions .
Setup
SAML-based SSO setup has two main steps:
Create a custom Apollo GraphOS application in your IdP.
Send your application's SAML metadata to Apollo.
These steps generally require administrative access to your IdP.
Step 1. Create a custom application
Send a request to your Apollo contact for Apollo's service provider (SP) SAML information. Include the organization name(s) you are setting SSO up for.
Your Apollo contact will respond with a URL where you can download Apollo's SP SAML XML metadata file(s) for your organization(s). This file contains the following values:
Single Sign-on URL
Entity ID
ⓘ noteSSO metadata values differ for each GraphOS organization. If setting up SSO for multiple organizations, repeat the following steps for each organization using different values.
Create a new application in your SSO environment. While doing so, set the following values:
App Name:
Apollo GraphOS
Logo: Apollo logo (optional)
If your IdP permits it, upload the Apollo-provided SP SAML XML metadata file. Otherwise, open the XML metadata file, view the SAML metadata values, and manually enter them in your IdP.
Set your Single Sign-on URL or ACS URL to the Single Sign-on URL. You can also use this value for the following fields:
Recipient
ACS (Consumer) URL Validator
ACS (Consumer) URL
Set your Entity ID to the Entity ID value.
Set the following user attributes:
sub
:user.email
The
sub
attribute should uniquely identify any particular user to GraphOS. In most cases,user.email
provides this unique mapping.
email
:user.email
given_name
:user.firstName
family_name
:user.lastName
Save your configuration.
Step 2. Send SAML metadata to Apollo
Send your Apollo contact your IdP SAML XML metadata file. If you can't send this file, send one of the following instead:
IdP entity ID
IdP single sign-on URL / SSO URL
IdP x509 certificate
Your Apollo contact will then be able to complete your SSO setup.
Once your SSO setup is live, assign users to your new Apollo GraphOS application in your IdP. For help assigning the relevant groups and users, contact your SSO or Identity & Access Management team.
If team members could previously login before you implemented SSO, they must re-login to GraphOS Studio via SSO. Signing in creates a new user profile for them. Any personal API keys associated with their previous user profile will be lost. (Graph API keys are unaffected and remain functional.) Additionally, you must reassign any GraphOS roles associated with their previous user profile.
Legacy setup
Click to see legacy instructions
- Create a new application in your SSO environment. While doing so, set the following values:
- App Name:
Apollo GraphOS
- App logo: Apollo logo (optional)
- App Name:
- If possible, upload the appropriate Apollo SAML metadata for your organization:
- If your organization does not already use the Entity ID
PingConnect
: apollo_studio_pingconnect_metadata.xml- If authentication requests need to be signed use: apollo_studio_pingconnect_signed_metadata.xml
- If your organization does already use
PingConnect
: apollo_studio_guid_metadata.xml- If authentication requests need to be signed use: apollo_studio_guid_signed_metadata.xml
- If your organization does not already use the Entity ID
- Set your Single Sign on URL or ACS URL to the following:
https://sso.connect.pingidentity.com/sso/sp/ACS.saml2
You can also use this value for the following fields:- Recipient
- ACS (Consumer) URL Validator
- ACS (Consumer) URL
- Set your Entity ID according to the following:
- If your organization does not already use
PingConnect
as an Entity ID, usePingConnect
. - If your organization does already use
PingConnect
, use the following value:fd76e619-6c0a-461c-912d-418278929d60
- If your organization does not already use
- Set your RelayState to the following value:
https://pingone.com/1.0/fd76e619-6c0a-461c-912d-418278929d60
- Set the following user attributes:
sub
:user.email
- The
sub
attribute should uniquely identify any particular user to GraphOS. In most cases,user.email
provides this unique mapping.
- The
email
:user.email
given_name
:user.firstName
family_name
:user.lastName
- Assign users to the Apollo GraphOS application.
- Reach out to your SSO or Identity & Access Management team for help assigning the relevant groups and users to
Apollo GraphOS
.
- Reach out to your SSO or Identity & Access Management team for help assigning the relevant groups and users to
- Send your Apollo contact your identity provider (IdP) SAML XML metadata file.If you can't send this file, send one of the following instead:
- IdP entity ID
- IdP single sign-on URL / SSO URL
- IdP x509 certificate
- Your Apollo contact will complete your SSO setup.