Single Sign-On (SSO) Implementation

Graphite Connect’s preferred single sign-on method is SAML, a widely adopted standard that most identity providers support.

To set up SAML in Graphite you:

  • Configure the primary domain
  • Download the Service Provider Metadata
  • Create the SAML app in your identity provider using the service provider metadata
  • Download the Identity Provider Metadata
  • Update Graphite with the identity provider details

Configuring in your system

We follow Okta’s guide for creating a new SAML application, which you can find here: https://developer.okta.com/standards/SAML/setting_up_a_saml_application_in_okta/

This document will explain the inputs for each step in the guide and is meant to be used in conjunction with it.

  • Follow steps 1-4 as directed
  • In step 5:
  • In step 6:
  • In step 7:
    • Add 2 attributes
      • First Name
        • Name: firstName
        • Name format: URI Reference
        • Value: user.firstName
      • Last Name
        • Name: lastName
        • Name format: URI Reference
        • Value: user.lastName
  • In step 8: follow as directed and click Finish
  • In step 9:
    • Click on “View Setup Instructions”
    • You will need the following information to complete the configuration in Graphite Connect:
      • Identity Provider Single Sign-On URL
        • EntityDescriptor > IDPSSODescriptor > SingleSignOnService[Location]
      • Identity Provider Issuer
        • EntityDescriptor[entityID]
      • X.509 Certificate
        • EntityDescriptor > IDPSSODescriptor > KeyDescriptor > KeyInfo > X509Data > X509Certificate

Configuring in Graphite Connect

Before you can configure Graphite Connect to support SSO, our customer service team must first enable SSO in Graphite and tie your email domains to your Graphite account. The system supports as many domain names as required, but they must be unique and owned by your organization.

Note!

If your IT team wants to enable and set up SSO on your own, the Graphite Connect support team can assist. Graphite will first need to manually grant user(s) access to the environment and provision Administrator permission. These users will need to create a password for their initial login.

Once the user creates a password and logs in, go to https://app.graphiteconnect.com/admin/company to finish setting up SSO. Role Mapping can also be added and managed on this page.

About the SSO Settings page 

(https://app.graphiteconnect.com/admin/company)

This is how the page looks:

To edit SSO Settings, click on the blue pencil icon at the top of the page.

Define your company's SAML settings:

Descriptions of the SAML settings:

  • Allow Graphite Password Login: If set to Yes, users can authenticate with SSO or a password.
  • Automatically provision users: If set to Yes, Graphite will create user accounts for users the first time they authenticate via SSO. They will receive a very basic set of permissions.
  • Include domain in callback URL: If set to Yes, Graphite will require the primary domain in the SAML attribute assertion service URL. This allows customers to use NameIDs other than a user’s email address. This should typically be set to Yes.
  • Disable Authn Context (for ActiveDirectory): This disables Authn validation, which is often necessary for ActiveDirectory and Azure identity providers.
  • NameID Format: Can usually be left unset or set to Unspecified. Email will require that an email address be used as the NameID.
  • Logout Redirect URL: If set, users will be redirected to this URL when they log out of Graphite, rather than to the Graphite login page.

SAML Settings

Once the SAML app is configured in the Identity Provider, you can generate the Identity Provider Metadata. These are the fields that Graphite needs from this file:

  • Entity ID
    • Goes in the Identity Provider Issuer field in Graphite
  • Single Sign-on Service URL
    • Goes in the Identity Provider URL field in Graphite
  • X509 Certificate
    • Goes in the Identity Provider Certificate in Graphite

If your customer wants to bookmark Graphite Connect in their browser, this URL will take them directly to their company's SSO page:

Once fully set up, the direct URL to your company's single sign-on page for Graphite Connect is https://app.graphiteconnect.com/api/users/auth/realm/YOUR_DOMAIN_HERE.com

(Note: NEVER use this link in the setup or management settings pages of Okta, Azure, etc.!)