GraphOS SSO Migration Guide
Learn who needs to migrate, what's changing, and how to migrate
As of August 2024, GraphOS has a new self-service single sign-on (SSO) system. Enterprise organizations that set up their SSO with the legacy implementation must migrate before November 15, 2024. After that date, the legacy implementation will no longer work, and your organization will lose access to GraphOS.
What's changing?
In April 2024, Apollo introduced a new SSO system directly integrated into the GraphOS authentication service, eliminating the need for a third-party dependency (PingOne). With this new implementation, you no longer need to perform the annual certification rotations that PingOne requires.
In August 2024, Apollo introduced a self-service migration mechanism for legacy Enterprise customers to transition to the new system without needing to contact Apollo support. Migrating customers are always welcome to reach out to support@apollographql.com in case of questions.
In October 2024, new Enterprise customers will have access to the self-service system.
Who needs to migrate?
If your organization implemented SSO before April 2024, you must migrate.
To confirm if you need to migrate, visit GraphOS Studio and check for an SSO migration banner.
If you aren't sure whether you need to migrate, please reach out to your Apollo contact.
How to migrate
A GraphOS Org Admin must create a new SSO configuration. You can create a new configuration while the legacy configuration continues to provide SSO for your organization.
The GraphOS setup wizard takes you through the configuration process, step-by-step. The wizard won't let you enable your new configuration until it has confirmed that you're able to sign in with the configuration.
Once the new configuration is verified and enabled, you should remove any legacy configurations from your identity provider (IdP).
For detailed implementation steps, see the instructions for your IdP:
SAML-based
Microsoft Entra ID (formerly known as Azure Active Directory)
OIDC-based
Microsoft Entra ID (formerly known as Azure Active Directory)
Don't hesitate to email support@apollographql.com if you have any questions or need assistance.