Setting up Apollo SSO with a SAML-based IdP
Single sign-on (SSO) is available only for Enterprise plans.
Unlike most Enterprise features, this feature is not available as part of an Enterprise trial.
This guide walks through configuring a generic SAML-based identity provider (IdP) for use with Apollo single sign-on (SSO). These steps require administrative access to your IdP.
ⓘ NOTE
If you use Okta or Azure Active Directory as your identity provider, instead see the corresponding guide for your tool:
Create a new application in your SSO environment. While doing so, set the following values:
- App Name:
Apollo GraphOS - App logo: Apollo logo (optional)
- App Name:
If possible, upload the appropriate Apollo SAML metadata for your organization:
- If your organization does not already use the Entity ID
PingConnect: apollo_studio_pingconnect_metadata.xml- If authentication requests need to be signed use: apollo_studio_pingconnect_signed_metadata.xml
- If your organization does already use
PingConnect: apollo_studio_guid_metadata.xml- If authentication requests need to be signed use: apollo_studio_guid_signed_metadata.xml
- If your organization does not already use the Entity ID
Set your Single Sign on URL or ACS URL to the following:
https://sso.connect.pingidentity.com/sso/sp/ACS.saml2You can also use this value for the following fields:
- Recipient
- ACS (Consumer) URL Validator
- ACS (Consumer) URL
Set your Entity ID according to the following:
- If your organization does not already use
PingConnectas an Entity ID, usePingConnect. - If your organization does already use
PingConnect, use the following value:fd76e619-6c0a-461c-912d-418278929d60
- If your organization does not already use
Set your RelayState to the following value:
https://pingone.com/1.0/fd76e619-6c0a-461c-912d-418278929d60Set the following user attributes:
sub:user.email- The
subattribute should uniquely identify any particular user to GraphOS. In most cases,user.emailprovides this unique mapping.
- The
email:user.emailgiven_name:user.firstNamefamily_name:user.lastName
Assign users to the Apollo GraphOS application.
- Reach out to your SSO or Identity & Access Management team for help assigning the relevant groups and users to
Apollo GraphOS.
- Reach out to your SSO or Identity & Access Management team for help assigning the relevant groups and users to
Send your Apollo contact your identity provider (IdP) SAML XML metadata file.
If you can't send this file, send one of the following instead:
- IdP entity ID
- IdP single sign-on URL / SSO URL
- IdP x509 certificate
Your Apollo contact will complete your SSO setup.