Join us from October 8-10 in New York City to learn the latest tips, trends, and news about GraphQL federation and API platform engineering.Join us for GraphQL Summit 2024 in NYC
Docs
Start for Free

Multi-organization SSO

Switch between organizations in GraphOS Studio without needing to reauthenticate


Single sign-on (SSO) is available only for Dedicated and Enterprise plans. This feature is not available as part of an Enterprise trial.

This feature is in invite-only preview. Please get in touch with your Apollo contact if you'd like to request access.

Different organizations can share the same identity provider (IdP) and SSO so members can switch between organizations in without needing to reauthenticate.

Prerequisites

For multi-organization SSO, each organization needs to individually configure SSO according to the latest instructions (as of April 2024) for their particular IdP:

Switching between organizations

You can switch between any organizations you have access to by clicking the organization name in the top left of GraphOS Studio. For an organization to appear in your organization list, you must first log into that organization.

Logging in to a multi-org SSO organization

To authenticate access to an organization with a shared SSO configuration, you must first log in to it using one of these identity provider (IdP) initiated methods:

  • Via IdP application portal (recommended)
  • Via IdP-generated link
  • Via Apollo-generated link

NOTE

When this feature reaches GA, it will also support login via service-provider-initiated (SP-initiated) SSO.

Log in via IdP application portal

💡 TIP

Apollo recommends application portals as the most direct way for organization members to authenticate access.

Many IdPs provide a user-facing page where you can see which applications you are assigned to. Different GraphOS organizations appear as separate applications, and you can log in to each one by clicking the organization tile.

Okta application portal

For example, the screenshot above shows separate application tiles for Apollo GraphOS (Organization 1) and Apollo GraphOS (Organization 2).

Many IdPs provide a method to generate login links. These can be provided directly to team members or stored in an internal wiki or document for easy access. Login link creation often requires admin permissions in an IdP. Consult your IdP's documentation for instructions.

Apollo can also generate login links on request. Get in touch with your Apollo contact to request an Apollo-generated link. Be sure to include the organization(s) you want the link(s) for.

Preview limitations

While this feature is in preview, members can only log in with IdP-initiated SSO. Therefore, during preview, all members of an organization with multi-organization SSO must log in from their IdP. If they try to log in on studio.apollographql.com/login, they will receive an error message directing them to log in via IdP.

Previous
Generic OIDC Setup
Rate articleRateEdit on GitHubEditForumsDiscord

© 2024 Apollo Graph Inc.

Privacy Policy

Company