Graphite Connect’s preferred single sign-on method is SAML, a widely adopted standard that most identity providers support.
To set up SAML in Graphite you:
- Configure the primary domain
- Download the Service Provider Metadata
- Create the SAML app in your identity provider using the service provider metadata
- Download the Identity Provider Metadata
- Update Graphite with the identity provider details
Configuring in your system
We follow Okta’s guide for creating a new SAML application, which you can find here: https://developer.okta.com/standards/SAML/setting_up_a_saml_application_in_okta/
This document will explain the inputs for each step in the guide and is meant to be used in conjunction with it.
- Follow steps 1-4 as directed
- In step 5:
  - For the App name, enter: Graphite Connect
  - For the Logo, you can use: https://storage.googleapis.com/pg-public/g_header_logo_big.png
- In step 6:
  - Sign on URL: https://app.graphiteconnect.com/api/users/saml/callback
  - Audience URI: https://app.graphiteconnect.com/api/users/saml/callback
  - Name ID format: EmailAddress
  - Application username: Email
- In step 7:
  - Add 2 attributes:
    - First Name
      - Name: firstName
      - Name format: URI Reference
      - Value: user.firstName
    - Last Name
      - Name: lastName
      - Name format: URI Reference
      - Value: user.lastName
- In step 8: follow as directed and click Finish
- In step 9:
  - Click on “View Setup Instructions”
  - You will need the following information to complete the configuration in Graphite Connect:
    - Identity Provider Single Sign-On URL: EntityDescriptor > IDPSSODescriptor > SingleSignOnService[Location]
    - Identity Provider Issuer: EntityDescriptor[entityId]
    - X.509 Certificate: EntityDescriptor > IDPSSODescriptor > KeyDescriptor > KeyInfo > X509Data > X509Certificate
Configuring in Graphite Connect
Before you can configure Graphite Connect to support SSO, our customer service team must first enable SSO in Graphite and tie your email domains to your Graphite account. The system supports as many domain names as required, but they must be unique and owned by your organization.
Note!
The Graphite Connect support team can assist. If your IT team wants to enable and set up SSO on your own, Graphite will first need to manually grant user(s) access to the environment and provision Administrator permission. These users will need to create a password for their initial login.
Once the user creates a password and logs in, go to https://app.graphiteconnect.com/admin/company to finish setting up SSO. Role Mapping can also be added and managed on this page.
About the SSO Settings page
(https://app.graphiteconnect.com/admin/company)
(Screenshot of the SSO Settings page omitted.)
To edit SSO Settings, click on the Blue pencil icon at the top of the page.
Define your company's SAML settings. The settings are described below:
Option | Description |
Allow Graphite Password Login | If set to Yes, users can authenticate with SSO or a password |
Automatically provision users | If set to Yes, Graphite will create user accounts for users the first time they authenticate via SSO. They will receive a very basic set of permissions. |
Include domain in callback URL | If set to Yes, Graphite will require the primary domain in the SAML attribute assertion service URL. This allows customers to use NameIDs other than a user’s email address. This should typically be set to Yes. |
Disable Authn Context (for ActiveDirectory) | This disables Authn validation, which is often necessary for ActiveDirectory and Azure identity providers. |
NameID Format | Can usually be left unset or set to Unspecified. Email will require that an email address be used as the NameID. |
Logout Redirect URL | If set, users will be redirected to this URL when they log out of Graphite, rather than the Graphite login page. |
SAML Settings
Once the SAML app is configured in the Identity Provider you can generate the Identity Provider Metadata. These are the fields that Graphite needs from this file:
- Entity ID
  - Goes in the Identity Provider Issuer field in Graphite
- Single Sign-on Service URL
  - Goes in the Identity Provider URL field in Graphite
- X509 Certificate
  - Goes in the Identity Provider Certificate field in Graphite
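The three values above (and the XML paths given in step 9) can be pulled out of the identity provider metadata file mechanically rather than by hand, which avoids the usual mistakes of pasting an encryption key instead of the signing certificate, or a certificate with line breaks still in it. The following is an added example, not Graphite's or Okta's code: it parses the metadata with Python's standard library only, prefers the HTTP-POST SingleSignOnService endpoint, skips any KeyDescriptor marked for encryption only, and checks that the certificate body is valid base64. The metadata document embedded in it is constructed for illustration; the issuer, URLs and certificate body are placeholders. Note that the attribute is spelled `entityID` in real metadata (XML attribute names are case-sensitive).

```python
"""Extract the Graphite Connect SSO settings from SAML identity provider metadata.

Added example, not Graphite's or Okta's code. Everything in SAMPLE_METADATA
is constructed: the issuer, the endpoint URLs and the certificate body are
placeholders, not real values.
"""
import base64
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML-DSig namespace URIs.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder: base64 of a plain sentence, NOT an X.509 certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a real X.509 certificate"
).decode()

# Constructed sample metadata. The element layout follows the paths listed
# above (EntityDescriptor > IDPSSODescriptor > ...). The certificate is split
# over two indented lines on purpose, as it typically appears in real files.
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/EXAMPLE_ISSUER_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            {PLACEHOLDER_CERT_B64[:20]}
            {PLACEHOLDER_CERT_B64[20:]}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example/EXAMPLE_ISSUER_ID/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/EXAMPLE_ISSUER_ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_graphite_idp_settings(metadata_xml: str) -> dict:
    """Return the three values the Graphite SSO Settings page asks for."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")

    # Identity Provider Issuer: EntityDescriptor[entityID]
    issuer = root.get("entityID")
    if not issuer:
        raise ValueError("EntityDescriptor has no entityID attribute")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor found (is this service provider metadata?)")

    # Identity Provider URL: prefer the HTTP-POST SingleSignOnService endpoint,
    # otherwise take whichever binding is listed first.
    services = idp.findall("md:SingleSignOnService", NS)
    if not services:
        raise ValueError("IDPSSODescriptor has no SingleSignOnService")
    chosen = next((s for s in services if s.get("Binding") == HTTP_POST), services[0])
    sso_url = chosen.get("Location")
    if not sso_url:
        raise ValueError("SingleSignOnService has no Location attribute")

    # Identity Provider Certificate: the signing KeyDescriptor's X509Certificate.
    # A KeyDescriptor without a 'use' attribute covers both signing and
    # encryption; one marked use="encryption" must be skipped.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            cert_b64 = "".join(node.text.split())  # drop line breaks and indentation
            break
    if cert_b64 is None:
        raise ValueError("no signing X509Certificate found")
    base64.b64decode(cert_b64, validate=True)  # reject a mangled or truncated paste

    return {
        "identity_provider_issuer": issuer,
        "identity_provider_url": sso_url,
        "identity_provider_certificate": cert_b64,
    }


if __name__ == "__main__":
    for field, value in extract_graphite_idp_settings(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

Graphite verifies the signature on each assertion against the certificate entered here, so the value must be the identity provider's current signing certificate, pasted as one unbroken base64 string; the issuer is compared as an exact string, so copy the `entityID` attribute verbatim rather than retyping it.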
If your customer wants to bookmark Graphite Connect in their browser, the following URL takes them directly to their company's SSO page.
Once fully set up, the direct URL to your company's single sign-on page for Graphite Connect is https://app.graphiteconnect.com/api/users/auth/realm/YOUR_DOMAIN_HERE.com
(Note: NEVER use this link in the setup or management settings pages of Okta, Azure, etc.!)