Set up SSO with a SAML-based IdP

Configure a SAML-based identity provider

Single sign-on (SSO) is available only for Dedicated and Enterprise plans. This feature is not available as part of an Enterprise trial.

This guide walks through configuring a generic SAML-based identity provider (IdP) for use with Apollo SSO. If you use Okta or Microsoft Entra ID as your IdP, instead see the corresponding guide for your IdP:

Okta
Microsoft Entra ID (formerly known as Azure Active Directory)

If you're migrating your SSO configuration, see the self-service instructions.

ⓘ NOTE

For organizations using SSO, access to GraphOS is exclusively managed through your IdP. Any invitation links created before SSO setup will be automatically revoked and you won't be able to create new invitation links once SSO is enabled. To give team members access, assign them to the GraphOS application in your IdP.

Setup

ⓘ NOTE

Only GraphOS org admins can configure SSO. Check the Members tab in GraphOS Studio to see your role and which team members are org admins.

SAML-based SSO setup has two main steps:

Create a custom Apollo GraphOS application in your IdP.
Send your application's SAML metadata to Apollo.

These steps generally require administrative access to your IdP.

Step 1. Create a custom application

Send a request to your Apollo contact for Apollo's service provider (SP) SAML information. Include the organization name(s) you are setting SSO up for.
Your Apollo contact will respond with a URL where you can download Apollo's SP SAML XML metadata file(s) for your organization(s). This file contains the following values:
- Single Sign-on URL
- Entity ID
ⓘ NOTE
SSO metadata values differ for each GraphOS organization. If setting up SSO for multiple organizations, repeat the following steps for each organization using different values.

Create a new application in your SSO environment. While doing so, set the following values:
- App Name: Apollo GraphOS
- Logo: Apollo logo (optional)
If your IdP permits it, upload the Apollo-provided SP SAML XML metadata file. Otherwise, open the XML metadata file, view the SAML metadata values, and manually enter them in your IdP.
- Set your Single Sign-on URL or ACS URL to the Single Sign-on URL. You can also use this value for the following fields:
  - Recipient
  - ACS (Consumer) URL Validator
  - ACS (Consumer) URL
- Set your Entity ID to the Entity ID value.
Set the following user attributes:
- sub: user.email
  - The sub attribute should uniquely identify any particular user to GraphOS. In most cases, user.email provides this unique mapping.
- email: user.email
- given_name: user.firstName
- family_name: user.lastName
Save your configuration.

Step 2. Send SAML metadata to Apollo

Send your Apollo contact your IdP SAML XML metadata file. If you can't send this file, send one of the following instead:

IdP entity ID
IdP single sign-on URL / SSO URL
IdP x509 certificate

Your Apollo contact will then be able to complete your SSO setup.

Once your SSO setup is live, assign users to your new Apollo GraphOS application in your IdP. For help assigning the relevant groups and users, contact your SSO or Identity & Access Management team.

Legacy setup

ⓘ NOTE

The below instructions are provided for reference only. Beginning in April 2024, Apollo recommends that all organizations use the updated instructions to create a new SSO connection.

To use multi-organization SSO, your SSO connection cannot use PingOne as shown in the legacy instructions below. Follow the updated instructions to create a new SSO connection.

Microsoft Entra ID