GraphOS SSO Migration Guide

Learn who needs to migrate, what's changing, and how to migrate

As of August 2024, GraphOS has a new self-service single sign-on (SSO) system. Enterprise organizations that set up their SSO with the legacy implementation must migrate before November 15, 2024. After that date, the legacy implementation will no longer work, and your organization will lose access to GraphOS.

What's changing?

In April 2024, Apollo introduced a new SSO system directly integrated into the GraphOS authentication service, eliminating the need for a third-party dependency (PingOne). With this new implementation, you no longer need to perform the annual certification rotations that PingOne requires.

In August 2024, Apollo introduced a self-service migration mechanism for legacy Enterprise customers to transition to the new system without needing to contact Apollo support. Migrating customers are always welcome to reach out to support@apollographql.com in case of questions.

In October 2024, new Enterprise customers will have access to the self-service system.

Who needs to migrate?

If your organization implemented SSO before April 2024, you must migrate.

ⓘ note

If your organization implemented SSO after April 2024, but before the availability of self-service setup, you don't need to migrate.

To confirm if you need to migrate, visit GraphOS Studio and check for an SSO migration banner.

If you aren't sure whether you need to migrate, please reach out to your Apollo contact.

How to migrate

A GraphOS Org Admin must create a new SSO configuration. You can create a new configuration while the legacy configuration continues to provide SSO for your organization.

The GraphOS setup wizard takes you through the configuration process, step-by-step. The wizard won't let you enable your new configuration until it has confirmed that you're able to sign in with the configuration.

SSO Setup Wizard showing the verification step in GraphOS Studio

Once the new configuration is verified and enabled, you should remove any legacy configurations from your identity provider (IdP).

For detailed implementation steps, see the instructions for your IdP:

SAML-based

Okta
Microsoft Entra ID (formerly known as Azure Active Directory)
Generic SAML

OIDC-based

Okta
Microsoft Entra ID (formerly known as Azure Active Directory)
Generic OIDC

Don't hesitate to email support@apollographql.com if you have any questions or need assistance.

Contracts

SAML

OIDC

Contracts

SAML

OIDC

AWS Lattice

Subscription Support

Log Exporters

Metrics Exporters