Self-Service SSO with a SAML-based IdP

Configure a SAML-based identity provider


Self-service single sign-on (SSO) is only available for organizations with Dedicated and Enterprise plans who previously set up their SSO using PingOne and need to migrate. If you're unsure if you need to migrate please see the Migration Guide . If you are setting up SSO for the first time, please refer to these instructions .

This guide walks through configuring a generic SAML-based identity provider (IdP) for use with Apollo SSO. If you use Okta or Microsoft Entra ID as your IdP, instead see the corresponding guide for your IdP:

 note
For organizations using SSO, access to GraphOS is exclusively managed through your IdP. Any invitation links created before SSO setup will be automatically revoked and you won't be able to create new invitation links once SSO is enabled. To give team members access, assign them to the GraphOS application in your IdP.
💡 tip
If your organization's SSO was set up before April 2024 according to the legacy instructions , Apollo highly recommends creating a new SSO configuration with the updated instructions .

Prerequisites

Setup requires:

  • A GraphOS user account with the Org Admin role

    • Check the Members tab in GraphOS Studio to see your role and which team members are org admins

  • Administrative access to your IdP

Setup

SAML-based SSO setup has these steps:

  1. Enter your SSO details in GraphOS Studio.
  2. Create a custom application for GraphOS in your IdP.
  3. Share your application's SAML metadata in GraphOS Studio.
  4. Verify and configure OIDC details.
  5. Verify your SSO configuration works.
  6. Enable SSO in GraphOS Studio.

The SSO setup wizard in GraphOS Studio guides you through these steps.

Step 1. Enter your SSO details

  1. Go to GraphOS Studio . Open the Settings page from the top navigation. Open the Security tab from the left sidebar and click Migrate SSO. A setup wizard appears.
  2. Enter the Email domain(s) you are setting SSO up for. Click Continue.
  3. Select SAML as the SSO type. Click Continue.

Step 2. Create a custom application

  1. Once you reach Step 2: Configure Your IdP in the wizard, open your IdP's admin dashboard in a separate browser tab.

  2. Create a new application. While doing so, set the following values:

  3. If your IdP permits it, upload the SAML XML metadata file provided by the GraphOS setup wizard. Otherwise, manually enter the following metadata values in your IdP:

    • Set your Single Sign-on URL or ACS URL to the Single Sign-on URL provided by the wizard. You can also use this value for the following fields:

      • Recipient

      • ACS (Consumer) URL Validator

      • ACS (Consumer) URL

    • Set your Entity ID to the Entity ID value provided by the wizard.

  4. Set the following user attributes:

    • sub: user.email

      • The sub attribute should uniquely identify any particular user to GraphOS. In most cases, user.email or user.mail provides this unique mapping.

    • email: Your IdP's email attribute, often something like user.email

    • given_name: Your IdP's first name attribute, often something like user.firstName

    • family_name: Your IdP's last name attribute,often something like user.lastName

  5. Save the configuration in your IdP.

  6. In the GraphOS setup wizard, select whether your IdP requires signing an AuthnRequest.

  7. Click Next.

Step 3. Share SAML metadata with Apollo

In the GraphOS setup wizard, enter your application's metadata URL or metadata file. Consult your IdP's documentation if you need assistance finding it. Click Next.

Step 4. Verify details

The GraphOS Studio setup wizard populates your SSO metadata based on the URL you entered in the last step. Verify the values are correct. Consult your IdP's documentation if you need assistance finding them.

Once you've verified the values or corrected them, click Next.

Step 5. Verify SSO Configuration

To verify that your SSO configuration works, click Login with new SSO in the GraphOS Studio wizard. This button launches a new login session in a new browser tab. Once you successfully login using your new configuration, click Next.

Step 6. Enable SSO

If team members could previously login before you implemented SSO, they must re-login to GraphOS Studio via SSO. Signing in creates a new user profile for them. Any personal API keys associated with their previous user profile will be lost. (Graph API keys ) are unaffected and remain functional.) Additionally, you must reassign any GraphOS roles associated with their previous user profile.

Assign users in your IdP

Once your SSO setup is live, assign users to your new Apollo GraphOS application in your IdP. Consult your IdP documentation if necessary. For help assigning the relevant groups and users, contact your SSO or Identity & Access Management team.

Legacy setup

⚠️ caution
The below instructions are provided for reference only. Beginning in April 2024, Apollo recommends that all organizations use the updated instructions to create a new SSO connection.If you previously configured SSO using the instructions below and want to use multi-organization SSO you must create a new SSO connection with the updated instructions.
Click to see legacy instructions
  1. Create a new application in your SSO environment. While doing so, set the following values:
  2. If possible, upload the appropriate Apollo SAML metadata for your organization:
  3. Set your Single Sign on URL or ACS URL to the following:https://sso.connect.pingidentity.com/sso/sp/ACS.saml2You can also use this value for the following fields:
    • Recipient
    • ACS (Consumer) URL Validator
    • ACS (Consumer) URL
  4. Set your Entity ID according to the following:
    • If your organization does not already use PingConnect as an Entity ID, use PingConnect.
    • If your organization does already use PingConnect, use the following value: fd76e619-6c0a-461c-912d-418278929d60
  5. Set your RelayState to the following value:https://pingone.com/1.0/fd76e619-6c0a-461c-912d-418278929d60
  6. Set the following user attributes:
    • sub: user.email
      • The sub attribute should uniquely identify any particular user to GraphOS. In most cases, user.email provides this unique mapping.
    • email: user.email
    • given_name: user.firstName
    • family_name: user.lastName
  7. Assign users to the Apollo GraphOS application.
    • Reach out to your SSO or Identity & Access Management team for help assigning the relevant groups and users to Apollo GraphOS.
  8. Send your Apollo contact your identity provider (IdP) SAML XML metadata file.If you can't send this file, send one of the following instead:
    • IdP entity ID
    • IdP single sign-on URL / SSO URL
    • IdP x509 certificate
  9. Your Apollo contact will complete your SSO setup.