Setting up Apollo SSO with a SAML-based IdP
⚠️ Single sign-on (SSO) is available only for Enterprise plans.
This guide walks through configuring a generic SAML-based identity provider (IdP) for use with Apollo single sign-on (SSO). These steps require administrative access to your IdP.
If you use Okta or Azure Active Directory as your identity provider, instead see the corresponding guide for your tool:
- Create a new application in your SSO environment. While doing so, set the following values:
  - App Name: Apollo GraphOS
  - App logo: Apollo logo (optional)
- If possible, upload the appropriate Apollo SAML metadata for your organization:
  - If your organization does not already use the Entity ID PingConnect: apollo_studio_pingconnect_metadata.xml
  - If your organization does already use PingConnect: apollo_studio_guid_metadata.xml

  ⚠️ If your organization requires Authn requests to be signed, please inform your Apollo contact. They will provide a different metadata file.
- Set your Single Sign on URL or ACS URL to the following:
  https://sso.connect.pingidentity.com/sso/sp/ACS.saml2
  You can also use this value for the following fields:
  - Recipient
  - ACS (Consumer) URL Validator
  - ACS (Consumer) URL
- Set your Entity ID according to the following:
  - If your organization does not already use PingConnect as an Entity ID, use PingConnect.
  - If your organization does already use PingConnect, use the following value: fd76e619-6c0a-461c-912d-418278929d60
- Set your RelayState to the following value:
  https://pingone.com/1.0/fd76e619-6c0a-461c-912d-418278929d60
- Set the following user attributes:
  - sub: user.email
    - The sub attribute should uniquely identify any particular user to GraphOS. In most cases, user.email provides this unique mapping.
  - email: user.email
  - given_name: user.firstName
  - family_name: user.lastName
- Assign users to the Apollo GraphOS application.
  - Reach out to your SSO or Identity & Access Management team for help assigning the relevant groups and users to Apollo GraphOS.
- Send your Apollo contact your identity provider (IdP) SAML XML metadata file.
  If you can't send this file, send one of the following instead:
  - IdP entity ID
  - IdP single sign-on URL / SSO URL
  - IdP x509 certificate
- Your Apollo contact will complete your SSO setup.
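To check a test sign-in against the values in the steps above, the following added example (not Apollo's code) inspects a base64-decoded SAML response from your own IdP for the ACS URL as Recipient, the Entity ID as Audience, and the four user attributes. It assumes the IdP emits the attribute names exactly as listed and the Entity ID as the Audience; check_assertion and sample_response are hypothetical names, and the sample response is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://sso.connect.pingidentity.com/sso/sp/ACS.saml2"  # from the guide
REQUIRED = ("sub", "email", "given_name", "family_name")           # from the guide


def check_assertion(xml_text, entity_id="PingConnect"):
    """List where a decoded SAML Response disagrees with this guide's settings.
    Configuration check only: the XML signature is not verified here."""
    root = ET.fromstring(xml_text)
    problems = []
    recipients = {e.get("Recipient") for e in root.iterfind(".//saml:SubjectConfirmationData", NS)}
    if recipients != {ACS_URL}:
        problems.append(f"Recipient {sorted(map(str, recipients))} != ACS URL")
    audiences = {(e.text or "").strip() for e in root.iterfind(".//saml:Audience", NS)}
    if entity_id not in audiences:
        problems.append(f"Audience {sorted(audiences)} lacks Entity ID {entity_id}")
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    for name in REQUIRED:
        if len(attrs.get(name, [])) != 1:
            problems.append(f"attribute {name!r} must have exactly one non-empty value")
    return problems


def sample_response(recipient=ACS_URL, audience="PingConnect", attrs=None):
    """Constructed, unsigned sample standing in for a base64-decoded SAMLResponse."""
    if attrs is None:
        attrs = {"sub": "ada@example.com", "email": "ada@example.com",
                 "given_name": "Ada", "family_name": "Lovelace"}
    rows = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
                   f'</saml:AttributeValue></saml:Attribute>' for k, v in attrs.items())
    return (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:saml="{NS["saml"]}"><saml:Assertion><saml:Subject>'
            f'<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{recipient}"/>'
            f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions>'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>{rows}'
            f'</saml:AttributeStatement></saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    print(check_assertion(sample_response()) or "matches the guide")
```

If your organization uses the GUID Entity ID from the guide, pass it as entity_id instead of the default.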