Single Sign-On (SSO) Implementation


Graphite Connect’s preferred single sign-on method is SAML. This is a widely adopted standard that most identity providers support.

To set up SAML in Graphite you:

  • Configure the primary domain
  • Download the Service Provider Metadata
  • Create the SAML app in your identity provider using the service provider metadata
  • Download the Identity Provider Metadata
  • Update Graphite with the identity provider details

Configuring in your system

We follow Okta’s guide for creating a new SAML application, which you can find here: https://developer.okta.com/standards/SAML/setting_up_a_saml_application_in_okta/

This document will explain the inputs for each step in the guide and is meant to be used in conjunction with it.

  • Follow steps 1-4 as directed
  • In step 5:
  • In step 6:
  • In step 7:
    • Add 2 attributes
      • First Name
        • Name: firstName
        • Name format: URI Reference
        • Value: user.firstName
      • Last Name
        • Name: lastName
        • Name format: URI Reference
        • Value: user.lastName
  • In step 8: follow as directed and click Finish
  • In step 9:
    • Click on “View Setup Instructions”
    • You will need the following information to complete the configuration in Graphite Connect:
      • Identity Provider Single Sign-On URL
        • EntityDescriptor > IDPSSODescriptor > SingleSignOnService[Location]
      • Identity Provider Issuer
        • EntityDescriptor[entityID]
      • X.509 Certificate
        • EntityDescriptor > IDPSSODescriptor > KeyDescriptor > KeyInfo > X509Data > X509Certificate

Configuring in Graphite Connect

Before you can configure Graphite Connect to support SSO, our customer service team must first enable SSO in Graphite and tie your email domains to your Graphite account. The system supports as many domain names as required, but they must be unique and owned by your organization.

‼️Before your IT Admin can manage this via self-serve, Graphite will need to manually grant user(s) access to the environment and provision IT Admin permission. These users will need to create a password for initial login.

Once the user creates a password and logs in, go to https://app.graphiteconnect.com/admin/company to finish setting up SSO.

About the SSO Settings page

(https://app.graphiteconnect.com/admin/company)

[Screenshot of the SSO Settings page not reproduced here.]

To edit SSO Settings, click on the blue pencil icon at the top of the page.

 

Available Configurations

Option
  Description

Allow Graphite Password Login
  If set to Yes, users can authenticate with SSO or a password.

Automatically provision users
  If set to Yes, Graphite will create user accounts for users the first time they authenticate via SSO. They will receive a very basic set of permissions.

Include domain in callback URL
  If set to Yes, Graphite will require the primary domain in the SAML attribute assertion service URL. This allows customers to use NameIDs other than a user’s email address. This should typically be set to Yes.

Disable Authn Context (for ActiveDirectory)
  This disables AuthnContext validation, which is often necessary for Active Directory and Azure identity providers.

NameID Format
  Can usually be left unset or set to Unspecified. Email will require that an email address be used as the NameID.

Logout Redirect URL
  If set, users will be redirected to this URL when they log out of Graphite, rather than the Graphite login page.


Role Mapping

User permissions can be managed through Graphite Connect or via your internal identity provider. Leveraging groups from your existing identity provider ensures that existing controls are maintained, which is a benefit for your audit teams.

When Role Mapping is used, Graphite Connect updates the user permissions upon logging in. User permissions are always based on what is sent via SAML per the mapping in Graphite Connect. This means that if you use Role Mapping, user permissions cannot be set via the Users admin page.

‼️Role Mapping is a prerequisite for all SCIM integrations.

This requires two pieces of information:

  1. SAML Role Attribute Name - in the sample below, the attribute is titled "group". This is the attribute that carries the user's group details when the user logs in.
  2. Identity Provider Role Name - the list of "groups" used in your identity provider system.
    • You can leverage existing groups or create new ones for use in Graphite Connect
    • Each Identity Provider Role Name is mapped to one or more roles in Graphite Connect (the Graphite Role Name); roles include Permissions, Topics, and Custom User Groups
    • Users who are associated with more than one group receive all roles associated with each of those groups
    • Work with your Implementation Consultant or Customer Success Manager to identify the best way to manage role mapping
    • Note: User Group segmentation is managed directly in the User Group and not via SSO Role Mapping
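As an added illustration (not Graphite Connect's or Okta's code), the script below parses a constructed SAML assertion that carries the two step-7 attributes plus a "group" attribute, checks that firstName and lastName arrived with the URI Reference name format and exactly one value each, and applies a hypothetical role mapping the way the text describes: a user in several groups receives the union of the mapped Graphite roles, and a group the mapping does not know contributes nothing. The assertion, the mapping, the group names and the Graphite role names are all constructed for this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SAML 2.0 name format that Okta labels "URI Reference" in the attribute statement UI
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed assertion fragment for illustration only. A real assertion also carries a
# Signature and Conditions; they are omitted because only the AttributeStatement matters here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exk0000CONSTRUCTED</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>Procurement</saml:AttributeValue>
      <saml:AttributeValue>Finance-Approvers</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed mapping: Identity Provider Role Name -> set of Graphite Role Names.
# Role names are hypothetical; "Everyone" is deliberately left unmapped.
ROLE_MAPPING = {
    "Procurement": {"Supplier Viewer", "Topic: Onboarding"},
    "Finance-Approvers": {"Supplier Viewer", "Payment Approver"},
}


def attributes_from_assertion(assertion_xml):
    """Return {attribute name: {"format": NameFormat, "values": [...]}} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attributes = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attributes[attr.get("Name")] = {"format": attr.get("NameFormat"), "values": values}
    return attributes


def check_name_attributes(attributes):
    """List problems with the step-7 firstName/lastName attributes; an empty list means they are fine."""
    problems = []
    for name in ("firstName", "lastName"):
        entry = attributes.get(name)
        if entry is None:
            problems.append(f"{name} missing")
        elif entry["format"] != URI_NAME_FORMAT:
            problems.append(f"{name} has NameFormat {entry['format']!r}, expected URI Reference")
        elif len(entry["values"]) != 1:
            problems.append(f"{name} should carry exactly one value")
    return problems


def resolve_roles(attributes, role_attribute_name, mapping):
    """Union of Graphite roles for every group the IdP sent; unmapped groups add nothing.

    Because the result is derived only from the assertion, a user whose login carries no
    role attribute ends up with no mapped roles at all, matching the page's description.
    """
    roles = set()
    entry = attributes.get(role_attribute_name)
    for group in (entry["values"] if entry else []):
        roles |= mapping.get(group, set())
    return roles


if __name__ == "__main__":
    attrs = attributes_from_assertion(SAMPLE_ASSERTION)
    print("attributes:", attrs)
    print("problems with name attributes:", check_name_attributes(attrs))
    print("roles:", sorted(resolve_roles(attrs, "group", ROLE_MAPPING)))
```

Running the script shows Jane Doe in "Procurement" and "Finance-Approvers" receiving the union of both groups' roles, while "Everyone" adds nothing. Dropping the "group" attribute from the assertion yields an empty role set, which is the effect the text warns about: with Role Mapping on, permissions come only from what the identity provider sends.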


SAML Settings

Once the SAML app is configured in the Identity Provider you can generate the Identity Provider Metadata. These are the fields that Graphite needs from this file:

  • Entity ID
    • Goes in the Identity Provider Issuer field in Graphite
  • Single Sign-on Service URL
    • Goes in the Identity Provider URL field in Graphite
  • X509 Certificate
    • Goes in the Identity Provider Certificate in Graphite
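As an added example (not Graphite Connect's or Okta's code), the script below reads identity provider metadata of the shape described in step 9 and in this section and pulls out the three values Graphite asks for: the entityID for Identity Provider Issuer, the HTTP-POST SingleSignOnService Location for Identity Provider URL, and the signing X509Certificate for Identity Provider Certificate. It refuses files that are ambiguous or look like the wrong artifact (an EntitiesDescriptor bundle, service provider metadata, an encryption-only key) and checks that the certificate text is intact base64 before it is pasted. The metadata document, the entityID, the URLs and the certificate body are all constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

MD_NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder certificate body: valid base64 so the example runs, but not a real X.509 certificate.
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()

# Constructed IdP metadata with the element layout the page describes
# (EntityDescriptor > IDPSSODescriptor > SingleSignOnService / KeyDescriptor). Not real Okta output.
SAMPLE_IDP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exk0000CONSTRUCTED">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            {PLACEHOLDER_CERT}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/app/constructed/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/app/constructed/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_idp_settings(metadata_xml):
    """Return the Issuer, SSO URL and signing certificate Graphite needs, or raise ValueError."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        raise ValueError("root is not md:EntityDescriptor (an EntitiesDescriptor bundle is not supported)")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")

    idp = root.find("md:IDPSSODescriptor", MD_NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like service provider metadata, not IdP metadata")

    # Graphite's field holds one URL, so pick the HTTP-POST endpoint explicitly instead of
    # taking whichever SingleSignOnService element happens to come first.
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", MD_NS):
        if svc.get("Binding") == HTTP_POST_BINDING:
            sso_url = svc.get("Location")
            break
    if not sso_url:
        raise ValueError("no SingleSignOnService with the HTTP-POST binding")
    if not sso_url.startswith("https://"):
        raise ValueError(f"SSO URL is not HTTPS: {sso_url}")

    # Only a signing certificate can validate assertions; skip keys marked for encryption only.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", MD_NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for node in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD_NS):
            cert = "".join((node.text or "").split())  # strip the line wrapping in the XML
            base64.b64decode(cert, validate=True)       # reject a truncated or garbled paste
            certs.append(cert)
    if not certs:
        raise ValueError("no signing X509Certificate found")

    return {
        "identity_provider_issuer": entity_id,
        "identity_provider_url": sso_url,
        "identity_provider_certificate": certs[0],
        "signing_certificate_count": len(certs),  # more than one usually means an IdP key rollover
    }


if __name__ == "__main__":
    for key, value in extract_idp_settings(SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
```

When the metadata lists two signing certificates, the count in the result flags it so the administrator can confirm which one the identity provider is currently using rather than pasting the first one blindly.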

Once fully set up, the direct URL link to your company's single sign-on page for Graphite Connect is https://app.graphiteconnect.com/api/users/auth/realm/YOUR_DOMAIN_HERE.com

(Note: NEVER use this link in the management settings pages of Okta, Azure, etc. when setting up the SAML app!)
