Self-Service SAML SSO with Okta
Configure Okta as your GraphOS organization's identity provider
Self-service single sign-on (SSO) is only available for organizations with Dedicated and Enterprise plans that previously set up SSO with PingOne and need to migrate. If you're unsure whether you need to migrate, see the Migration Guide. If you're setting up SSO for the first time, refer to these instructions.
This guide walks through configuring Okta as your GraphOS organization's identity provider (IdP) for SAML-based SSO. Once you've set up your integration, you need to assign users to it in Okta so they can access GraphOS Studio via SSO.
ⓘ NOTE
For organizations using SSO, access to GraphOS is exclusively managed through your IdP. Any invitation links created before SSO setup will be automatically revoked and you won't be able to create new invitation links once SSO is enabled. To give team members access, assign them to the GraphOS application in your IdP.
Migration notes
⚠️ CAUTION
If your organization's SSO was set up before April 2024, you must create a new SSO configuration with the updated instructions before November 15, 2024. After November 15, 2024, the legacy configuration will no longer work, and your organization will lose access to GraphOS if you haven't created a new configuration.
To migrate from a legacy configuration, a GraphOS Org Admin must create a new SSO configuration. You can create a new configuration while the legacy configuration continues to provide SSO for your organization.
The GraphOS setup wizard takes you through the configuration process, step-by-step. It won't let you activate your new configuration until it has confirmed that you're able to sign in with it.
Once the new configuration is verified and active, you should remove any legacy configurations from your IdP.
Prerequisites
Setup requires:
- A GraphOS user account with the Org Admin role
  - Check the Members tab in GraphOS Studio to see your role and which team members are org admins
- Administrative access to your IdP
Setup
SAML-based SSO setup has these steps:
- Enter your SSO details in GraphOS Studio.
- Create a custom Okta app integration for GraphOS.
- Share your Okta app integration's SAML metadata in GraphOS Studio.
- Verify and configure OIDC details.
- Verify your SSO configuration works.
- Enable SSO in GraphOS Studio.
The SSO setup wizard in GraphOS Studio guides you through these steps.
Step 1. Enter your SSO details
- Go to GraphOS Studio. Open the Settings page from the top navigation. Open the Security tab from the left sidebar and click Migrate SSO. A setup wizard appears.
- Enter the Email domain(s) you are setting SSO up for. Click Continue.
- Select SAML as the SSO type. Click Continue.
Step 2. Create a custom Okta app integration
Once you reach Step 2: Configure Your IdP in the wizard, open your Okta Administrator Dashboard in a separate browser tab.
In your Okta Administrator Dashboard, go to the Applications view and click Create App Integration.
ⓘ NOTE
To use the latest version of Apollo's SSO, ensure you create a custom app integration in Okta rather than use the GraphOS app in the Okta Application Network.
In the dialog that appears, select SAML 2.0 as your sign-in method. Click Next.
The Create SAML Integration dialog appears. In the General Settings step, provide the following values:
- App integration name: Apollo GraphOS
- Logo: Apollo logo (optional)
Then click Next.
In the Configure SAML step, provide the following values:
- Single sign on URL: Single sign-on URL provided by the setup wizard
  - Also check Use this for Recipient URL and Destination URL.
- Audience URI (SP Entity ID): Entity ID provided by the setup wizard
- Leave the default values for other settings, including leaving the RelayState blank.
Still in the Configure SAML step, scroll down to Attribute Statements. Set values for the following attributes:
- sub: user.email
- email: user.email
- given_name: user.firstName
- family_name: user.lastName
Leave the Name format as Unspecified. Then click Next.
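To confirm that the assertion Okta sends actually carries these four attributes, each with the Unspecified name format and with sub and email both sourced from user.email, here is an added Python check (not part of this guide or of Okta's tooling) run over a constructed sample assertion; in practice you would paste in the decoded assertion captured with a browser SAML tracer.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
# The attribute names GraphOS expects from the Okta attribute statements above.
REQUIRED_ATTRIBUTES = {"sub", "email", "given_name", "family_name"}

# Constructed sample assertion fragment (not a real Okta response); only the
# AttributeStatement matters for this check.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="sub" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="given_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="family_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_attribute_statement(assertion_xml: str) -> dict:
    """Return the attributes found plus a list of mismatches against the GraphOS mapping."""
    root = ET.fromstring(assertion_xml)
    attrs, problems = {}, []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        # SAML 2.0 treats a missing NameFormat as unspecified, so only an explicit other format is wrong.
        fmt = attr.get("NameFormat", UNSPECIFIED)
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
        attrs[name] = value
        if fmt != UNSPECIFIED:
            problems.append(f"{name}: NameFormat {fmt} is not Unspecified")
        if not value:
            problems.append(f"{name}: empty value")
    for missing in sorted(REQUIRED_ATTRIBUTES - attrs.keys()):
        problems.append(f"{missing}: attribute missing")
    # Both sub and email are sourced from user.email, so they must agree.
    if attrs.get("sub") and attrs.get("email") and attrs["sub"] != attrs["email"]:
        problems.append("sub and email differ; both should map to user.email")
    return {"attributes": attrs, "problems": problems}
```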
In the Help Okta Support understand how you configured this application step, select I'm an Okta customer adding an internal app. Click Finish.
In the setup wizard in GraphOS Studio, select whether your Okta implementation requires signing an AuthnRequest.
Click Next.
Step 3. Share SSO metadata with Apollo
In your Okta Administrator Dashboard, go to the Sign On > Settings > SAML 2.0 > Metadata details section in the app integration you just created.
Copy and paste the contents of the Metadata URL text box into the setup wizard in GraphOS Studio. Once the wizard shows the green success banner that says Successfully parsed SAML metadata, click Next.
Step 4. Verify details
The GraphOS Studio setup wizard populates your SSO metadata based on the URL you entered in the last step. Verify the values are correct.
You can find your EntityID and SSO URL in your Okta Administrator Dashboard in the app integration you created for GraphOS.
- Your app integration's Entity ID is in the Sign On tab. Scroll down to the SAML 2.0 section and look for a field labeled Issuer. (You may need to click More details to see it.) This field contains the Entity ID. It uses the URL format http://www.okta.com/<unique-id>.
- The SSO URL is also in the SAML 2.0 section, in a field labeled Sign on URL.
Once you've verified the values or corrected them, click Next.
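As an added check (not from this guide or from Okta), the following Python parses the IdP metadata document that the Metadata URL serves and pulls out the same values the wizard shows in this step, so you can compare them against what the Okta dashboard displays; the embedded sample metadata is constructed, with placeholder identifiers, host and certificate.

```python
import re
import xml.etree.ElementTree as ET
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Constructed sample of what an Okta Metadata URL returns; the entity id, host
# and certificate are placeholders, not a real tenant.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkPLACEHOLDER01">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example_graphos/exkPLACEHOLDER01/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example_graphos/exkPLACEHOLDER01/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text: str) -> dict:
    """Extract Entity ID, SSO URL and signing certs, flagging values that look wrong."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    idp = root.find("md:IDPSSODescriptor", NS)
    sso_urls, certs, problems = {}, [], []
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not IdP metadata")
    else:
        for svc in idp.findall("md:SingleSignOnService", NS):
            sso_urls[svc.get("Binding")] = svc.get("Location")
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") == "signing":  # no 'use' means both signing and encryption
                certs.append(kd.findtext(".//ds:X509Certificate", default="", namespaces=NS).strip())
    # Okta Entity IDs take the form http://www.okta.com/<unique-id> (see the Issuer field above).
    if not re.fullmatch(r"http://www\.okta\.com/[A-Za-z0-9]+", entity_id):
        problems.append(f"entityID {entity_id!r} is not of the form http://www.okta.com/<unique-id>")
    sso_url = sso_urls.get(POST_BINDING)
    if sso_url is None:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    elif not sso_url.startswith("https://"):
        problems.append(f"SSO URL {sso_url} is not https")
    if not any(certs):
        problems.append("no signing certificate: assertion signatures cannot be verified")
    return {"entity_id": entity_id, "sso_url": sso_url, "signing_certs": certs, "problems": problems}
```

To run it against your own tenant, fetch the Metadata URL (for example with curl) and pass the response body to parse_idp_metadata instead of the sample.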
Step 5. Verify SSO Configuration
To verify that your SSO configuration works, click Login with new SSO in the GraphOS Studio wizard. This button launches a new login session in a new browser tab. Once you successfully log in using your new configuration, click Next.
Step 6. Enable SSO
In the setup wizard, click the Complete button to finalize setup.
Once you click Complete, all users will be logged out of your organization and will need to sign in again from https://studio.apollographql.com/login using SSO. To give them access, ensure you've assigned them to your new custom app integration in Okta.
Once you've confirmed the new configuration works as expected, remove any legacy Apollo applications in Okta if you have them.
Assign users in Okta
Once your SSO is set up, you need to assign users to it so they can access GraphOS. You can assign individual users or groups by following these steps:
From your Okta Administrator Dashboard, open the Applications view from the left menu and open the Apollo GraphOS integration. Then, click the Assignments tab.
Click the Assign drop-down and then Assign to People or Assign to Groups.
Click Assign on the right of the people or group(s) you want to have access to your GraphOS Studio Org. Click Done.
Repeat these steps whenever you want to grant GraphOS Studio access to a new user or group. Okta displays every user and group you've assigned to the integration in the Assignments tab.