Self-Service OIDC SSO with Microsoft Entra ID (formerly Azure AD)

Configure Entra ID as your GraphOS organization's identity provider

Self-service single sign-on (SSO) is only available for organizations with Dedicated and Enterprise plans who previously set up their SSO using PingOne and need to migrate. If you're unsure if you need to migrate please see the Migration Guide. If you are setting up SSO for the first time, please refer to these instructions.

This guide walks through configuring Microsoft Entra ID (formerly known as Azure Active Directory) as your GraphOS organization's identity provider (IdP) for OIDC-based SSO.

ⓘ NOTE

For organizations using SSO, access to GraphOS is exclusively managed through your IdP. Any invitation links created before SSO setup will be automatically revoked and you won't be able to create new invitation links once SSO is enabled. To give team members access, assign them to the GraphOS application in your IdP.

Migration notes

⚠️ CAUTION

If your organization's SSO was set up before April 2024, you must create a new SSO configuration with the updated instructions before November 15, 2024. After November 15, 2024, the legacy configuration will no longer work, and your organization will lose access to GraphOS if you haven't created a new configuration.

To migrate from a legacy configuration, a GraphOS Org Admin must create a new SSO configuration. You can create a new configuration while the legacy configuration continues to provide SSO for your organization.

The GraphOS setup wizard takes you through the configuration process, step-by-step. It won't let you activate your new configuration until it has confirmed that you're able to sign in with it.

SSO Setup Wizard showing the verification step in GraphOS Studio

Once the new configuration is verified and active, you should remove any legacy configurations from your IdP.

Prerequisites

Setup requires:

A GraphOS user account with the Org Admin role
- Check the Members tab in GraphOS Studio to see your role and which team members are org admins
Administrative access to your IdP

Setup

OIDC-based SSO setup has these steps:

Enter your SSO details in GraphOS Studio.
Create a custom Entra ID enterprise application for GraphOS.
Verify and configure OIDC details.
Verify your SSO configuration works.
Enable SSO in GraphOS Studio.

The SSO setup wizard in GraphOS Studio guides you through these steps.

Step 1. Enter your SSO details

Go to GraphOS Studio. Open the Settings page from the top navigation. Open the Security tab from the left sidebar and click Migrate SSO. A setup wizard appears.
Enter the Email domain(s) you are setting SSO up for. Click Continue.
Select OIDC as the SSO type. Click Continue.

Step 2. Create an Entra ID app registration

Once you reach Step 2: Configure Your IdP in the wizard, go to your Microsoft Entra admin center. Alternatively, you can sign in to the Azure Portal and then go to Microsoft Entra ID.
In Entra, go to Identity > Applications > App registrations. If accessing Entra from the Azure Portal, go to Manage > App registrations. Select +New registration in the top menu.
On the Register an application page, provide the following information:
- Enter a descriptive name for your application, such as Apollo GraphOS.
- Under Supported account types, select which Microsoft account types should have access to GraphOS.
- For Redirect URI, select Web and enter the redirect URI provided by the setup wizard.
Click Register.
From the Overview section of your newly created app registration, copy and paste your Application (client) ID into the Client ID field in the setup wizard.
Next to Client credentials, click Add a certificate or secret and create a new secret.
Copy and paste the secret's Value into the Client Secret field in the setup wizard.
Back in the Overview section, select Endpoints from the top menu.
Copy and open the OpenID Connect metadata document URL in a new browser tab. Find the issuer value. It should be formatted like https://login.microsoftonline.com/unique-value/vx.x. Copy and paste this URL into the Issuer field in the setup wizard.
Click Continue.

Step 3. Configure API permissions

From the API permissions section of your app registration, check whether User.Read is listed by default. If it isn't, add it manually:
1. Select + Add a permission > Microsoft Graph > Application permissions.
2. Search for User, expand, and select User.Read.All. Click Add permissions.
3. Save your changes.
Also from the API Permissions section, select Grant admin consent for Default Directory next to the + Add a permission button. Doing this ensures that your users don't need to grant consent during SSO.
From the Manifest section of your app registration, find the groupMembershipClaims property. Change its value from null to either "All" or "SecurityGroup". These values ensure that the access token includes the group membership claim during SSO.
Save your changes.

Step 4. Verify SSO Configuration

To verify that your SSO configuration works, click Login with new SSO in the GraphOS Studio wizard. This button launches a new login session in a new browser tab. Once you successfully login using your new configuration, click Next.

Step 5. Enable SSO

In the setup wizard, click the Complete button to finalize setup.

Once you click Complete, all users will be logged out of your organization, and will need to sign in again from https://studio.apollographql.com/login using SSO. To give them access, ensure you've assigned them to your new app registration in Entra ID.

Once you've confirmed the new configuration works as expected, remove any legacy Apollo applications in Entra ID if you have them.

Assign users in Entra ID

Once you've set up your Apollo GraphOS application in Entra ID, you need to assign users to it so they can access GraphOS. You can assign individual users or groups from the User and groups page of your Apollo GraphOS application in Entra ID.

You may want to begin by adding yourself individually and then testing SSO by clicking Test at the bottom of the Single sign-on page.

Once you've successfully tested your own user's ability to use SSO, add any applicable users or groups. Repeat these steps whenever you want to grant GraphOS Studio access to a new user or group.

Legacy setup

ⓘ NOTE

The below instructions are provided for reference only. Beginning in April 2024, Apollo recommends that all organizations use the updated instructions to create a new SSO connection.

To use multi-organization SSO, your SSO connection cannot use PingOne as shown in the legacy instructions below. Follow the updated instructions to create a new SSO connection.

ⓘ NOTE

These steps use PingOne's email invite method, because in some cases Apollo's legacy entity ID (PingConnect) might already be used by another application in your organization.

1. Create an Azure AD app registration

Go to your Azure Portal and then navigate to Azure Active Directory.
In the left pane, select App Registrations. Then in the top ribbon click + New Registration.
On the Register an application page, provide the following information:
- Provide a friendly name for the PingOne client (such as Apollo GraphOS or PingOneConnect).
- Under Supported account types, select which Microsoft account types will have access.
- Leave Redirect URI empty. You'll provide this information later.
Then click Register.

2. Retrieve your endpoint URL and client ID

From the Overview section of your newly created app registration, copy and paste your Application (client) ID into a local text file.
Still in the Overview section, select Endpoints from the top menu.
Copy and paste the OpenID Connect metadata document URL into the same local text file:

3. Create a client secret

From the Certificates & secrets section of your app registration, click + New client secret and create a new secret.
Copy and paste the secret's Value field to the same text file you created earlier:

4. Configure API permissions

From the API permissions section of your app registration, check whether User.Read is listed by default. If isn't, add it manually:
1. Select + Add a permission > Microsoft Graph > Application permissions.
2. Search for Group, expand, and select Group.Read.All.
3. Save your changes.
4. If User.Read was not auto created, repeat this process for User.Read.
Also from the API Permissions section, select Grant admin consent next to the + Add a permission button. This ensures your users don't need to grant consent during SSO.
From the Manifest section of your app registration, find the groupMembershipClaims property. Change its value from null to either All or SecurityGroup.
- These values ensure that the group membership claim is included in the access token during SSO.
Save your changes.

5. Integrate PingOne with Azure AD

After you receive your PingOne SSO invitation email, click the enrollment link to create a new account or sign in with an existing account.
On the landing page, click Setup on the top ribbon.
Select Connect to an Identity Repository > Microsoft Azure AD and click Next.
From the Configure Your Microsoft Azure Connection modal:
1. Copy and paste the endpoint URL, client ID, and client secret values saved earlier from Azure AD.
2. Select Verify. PingOne will verify that it can query the endpoint(s) you've specified.
3. For Scope, select the OAuth scopes to include in authentication requests.
4. Click Next.
In Step 2 of the wizard, copy the PingOne Redirect URI and paste it on the Azure AD app registration.
- Redirect URIs can be configured from the Overview section of your app registration under the Essentials menu in Azure AD.
- Select Redirect URIs > Add a platform > Web and enter the Redirect URI you copied from PingOne. Select Configure to save changes.
- Back on the PingOne configuration wizard, select Next after copying and pasting the URI.
In Step 3 of the wizard, configure the Map Attributes section by mapping the incoming attributes or claims from Azure AD to PingOne. You can leave this with the default Attribute Mapping.
In Step 4 of the wizard, choose whether or not to synchronize your user groups from Azure AD to your PingOne user groups.
- The permissions User.Read and Group.Read.All are required for synchronization to be successful.
- Any PingOne user groups that do not exist in your Azure provider will be replaced by the Azure groups.
- Each of your Azure group members are automatically added to the corresponding PingOne groups when the user initially signs on (SSO) to PingOne. This is PingOne's just-in-time user provisioning.
Click Save to finish connecting Azure AD to PingOne.

6. Configure the OIDC application

After you successfully configure the identity bridge between Azure AD and PingOne, you need to configure and enable Apollo as an OIDC application. The configuration for this application should already be initialized, and you can access it via the Complete your Application Configuration reminder under Applications in the PingOne admin console.

Select Meteor Development Group - GraphOS Studio under Complete your Application Configuration.
ⓘ NOTE
If the Add OIDC Application wizard doesn't automatically pop-up, select the SAML tab and then select the OIDC tab.
In Step 1 of the Add OIDC Application wizard, configure the application name, description, category, and icon (optional).
Click Next for Steps 2-5 (these are configured by default).
In Step 6 of the wizard (Attribute Mapping), you must map email to email and sub to preferred_username. You can optionally map more attributes for given name, family name, and others.
In Step 7 of the wizard (Group Access), select whichever groups should receive SSO access to Apollo.
Click Done to complete the configuration.

7. Notify Apollo

After you complete the steps above, reach out to your Apollo contact. They will complete your SSO setup.

Okta

Generic OIDC Setup