
Setting up Apollo SSO with Okta


⚠️ Single sign-on (SSO) is available only for Enterprise plans. Unlike most Enterprise features, this feature is not available as part of an Enterprise trial.

This guide walks through configuring Okta as your Apollo organization's identity provider (IdP) for single sign-on (SSO). You can use Okta's official GraphOS integration (recommended) or create a custom SAML integration (legacy). Both methods require an Okta account with administrator privileges.

Once you've set up your integration, you need to assign users to it in Okta so they can access Studio via the Sign in with SSO button on the GraphOS Studio login page.

Using Okta's official Apollo GraphOS integration

Supported features

The Okta Apollo GraphOS SAML integration currently supports the following features:

An SP-initiated flow occurs when an end user signs in to an application directly from that application's sign-in page. For example, https://studio.apollographql.com/login is the sign-in location for Studio. The integration supports users signing in from this page using SSO.

You can use Okta's Bookmark App integration to simulate an Identity Provider-initiated (IdP-initiated) flow to allow users to sign in from Okta.

Configuration

  1. From your Okta Administrator Dashboard, open the Applications view from the left menu. Click Browse App Catalog.

  2. Search for "Apollo". When "Apollo GraphOS Enterprise" appears, click + Add integration.

  3. In the General Settings tab that opens, select Do not display application icon to users. (You'll set up a Bookmark App instead.) You can optionally change the Application label or keep the default "Apollo Enterprise" label. Click Done.

  4. The Assignments tab opens—you'll return to it later to assign users to the integration. For now, open the Sign On tab and copy the Metadata URL under Metadata details.

  5. Send the following information to your Apollo contact:
    • Metadata URL you copied in the last step
    • Email address you use to log in to Studio
      • The member associated with this email address will need an org admin role. You can begin SSO setup without it, but Apollo will update the role, if necessary, to complete setup.

Your Apollo contact will let you know once SSO setup is complete.

Using a custom integration

Before the official Okta integration, you needed to create a custom integration to configure SSO. Now that an integration exists, we don't recommend creating a custom one. You can refer to the instructions below if you need them for a previously-created custom integration.

Assign users in Okta

Whether you're using the official Okta integration or creating your own, you need to assign users to it so they can access Studio. You can assign individual users or groups by following these steps:

  1. From your Okta Administrator Dashboard, open the Applications view from the left menu and open the Apollo integration. Then, click the Assignments tab.

  2. Click the Assign drop-down and then Assign to People or Assign to Groups.

  3. Click Assign on the right of the people or group(s) you want to have access to your Studio Org. Click Done.


Repeat these steps whenever you want to grant Studio access to a new user or group. Okta displays every user and group you've assigned to the integration in the Assignments tab.

Add Apollo GraphOS as a Bookmark App

Since both the official and custom Okta integrations support only an SP-initiated flow, we strongly recommend hiding the application in the Okta catalog for users and instead adding Apollo as a Bookmark App. Bookmark Apps allow your users to correctly launch the application from the Okta catalog.

To do so, follow Okta's instructions with the following Bookmark Application configurations:

  • Application label: Apollo Enterprise
  • URL: https://studio.apollographql.com/login