SAML Authentication
Hosted Graphite supports Single Sign On (SSO) via SAML-enabled identity providers. This allows users to log in to our service using their existing organisation credentials. A SAML integration is set up on the team’s primary Hosted Graphite account, and any subsequent user signups via SAML will be added to this account as team members.
Note: SAML Authentication can only be enabled for Small accounts and above.
SAML Setup
Identity providers require SAML account metadata from Hosted Graphite in order to set up a SAML integration. This information is available from the SAML setup page, including:
- Entity ID URL: https://CLUSTER.hostedgraphite.com/metadata/YOUR-USER-ID/
- Assertion Consumer URL: https://CLUSTER.hostedgraphite.com/complete/saml/YOUR-USER-ID/
- Connection Type: IdP Initiated via IdP portal or SP Initiated via /login/saml/YOUR-USER-ID/
- XML Metadata: Available by accessing the Entity ID URL above while logged in.
- NameID Format: Email address.
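A pre-flight check for the Entity ID and Assertion Consumer URLs listed above, run before they are pasted into an identity provider; it is an added example, not Hosted Graphite's own code. The function names and the assumption that a user ID contains no `/` are illustrative, and the cluster and user ID in the docstring are constructed.

```python
import re
from urllib.parse import urlsplit

# Path shapes taken from the SAML setup list on this page. The user-ID
# pattern (anything without "/") is an assumption made for this example.
_PATHS = {
    "entity_id": re.compile(r"^/metadata/([^/]+)/$"),
    "acs_url": re.compile(r"^/complete/saml/([^/]+)/$"),
}
# Exactly one label in front of hostedgraphite.com: the cluster name.
_HOST = re.compile(r"^([a-z0-9-]+)\.hostedgraphite\.com$")


def parse_sp_url(kind, url):
    """Return (cluster, user_id) for one SP URL, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"{kind}: scheme must be https")
    if parts.query or parts.fragment or parts.port or parts.username:
        raise ValueError(f"{kind}: unexpected query, fragment, port or userinfo")
    host = _HOST.match(parts.hostname or "")
    if not host:
        raise ValueError(f"{kind}: host is not a hostedgraphite.com cluster")
    path = _PATHS[kind].match(parts.path)
    if not path:
        raise ValueError(f"{kind}: path does not match the documented form")
    return host.group(1), path.group(1)


def check_sp_settings(entity_id, acs_url):
    """Return a list of problems with the pair of values given to the IdP.

    Constructed sample: cluster "example-cluster", user ID "abc123".
    An empty list means both URLs are well formed and agree with each other.
    """
    problems, parsed = [], {}
    for kind, url in (("entity_id", entity_id), ("acs_url", acs_url)):
        try:
            parsed[kind] = parse_sp_url(kind, url)
        except ValueError as exc:
            problems.append(str(exc))
    # Both URLs must point at the same cluster and the same account.
    if len(parsed) == 2 and parsed["entity_id"] != parsed["acs_url"]:
        problems.append("entity_id and acs_url name different clusters or user IDs")
    return problems
```

A mismatch between the two values usually shows up only as a failed login at the IdP, so checking the pair together catches copy errors earlier.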
Hosted Graphite can integrate with providers that support the SAML 2.0 specification. Example steps for connecting with some supported identity providers are listed below.
Azure Active Directory
Create a Hosted Graphite integration with Azure AD
- Log in to the Azure AD portal, select your directory, then go to Applications and Add.
- Click Add an application from the gallery then search for and select Hosted Graphite.
- Open the Hosted Graphite application integration page, click Configure single sign-on and then select Azure AD Single Sign-On.
- Enter Identifier: https://CLUSTER.hostedgraphite.com/metadata/YOUR-USER-ID/
- Enter Reply URL: https://CLUSTER.hostedgraphite.com/complete/saml/YOUR-USER-ID/
- The final configuration screen shows the values required for the next step. Download your certificate from this page.
Adding Azure AD provider details to Hosted Graphite
- Go to the SAML setup page to enter details from the configuration screen of the Azure AD App.
- In the Entity ID field, enter your Issuer URL.
- In the SSO Login URL field, enter your SAML SSO URL.
- In the Certificate text box, enter the contents of the certificate file you downloaded.
- Select a default user role for new team members.
- Click Save.
This information is also available in the Azure documentation.
Okta
Create a Hosted Graphite integration with Okta
- Log in to the Okta portal, go to Admin and then Applications and click Add Application.
- Search for Hosted Graphite and select the SAML enabled app.
- In General Settings, enter your HG User ID. This can be found on the SAML Setup page.
- Click Next.
- Assign the application to people on your team, and click Next.
- Confirm any additional information for each user and click Done when finished.
- Go to the Sign On tab and select View Setup Instructions to show the information required in the next step.
Adding Okta provider details to Hosted Graphite
- Navigate to the SAML setup page.
- Enter the details from the Setup Instructions part of the HG Okta App.
- Select a default user role for new team members.
- Click Save.
This information is also available in the Okta documentation.
OneLogin
Create a Hosted Graphite integration with OneLogin
- Log in to the OneLogin portal, go to Apps and then Add Apps.
- Search for Hosted Graphite and select the SAML enabled app.
- Click Save to add the app to your Company Apps and display additional configuration tabs.
- In the Configuration tab, enter your HG User ID. This can be found on the SAML Setup page.
- Click Save.
- Go to the SSO tab to view the values that you’ll copy into your Hosted Graphite account.
Adding OneLogin provider details to Hosted Graphite
- Go to the SAML setup page to enter the details from the SSO section of your OneLogin App.
- In the Entity ID field, enter your SAML Issuer URL.
- In the SSO Login URL field, enter your SAML Endpoint HTTP URL.
- In the Certificate text box, enter your X.509 Certificate.
- Select a default user role for new team members.
- Click Save.
Ping Identity
Create a Hosted Graphite integration with Ping Identity
- Log in to the PingOne portal, go to Applications, click Add Application then Search Application Catalog.
- Search for Hosted Graphite and select the SAML app and click Setup.
- Download the Certificate to enter into Hosted Graphite later, and click Continue to Next Step.
- Enter ACS URL https://CLUSTER.hostedgraphite.com/complete/saml/YOUR-USER-ID/
- Enter Entity ID https://CLUSTER.hostedgraphite.com/metadata/YOUR-USER-ID/
- Select Continue to Next Step twice and then Save and Publish.
Adding Ping Identity provider details to Hosted Graphite
- In PingOne, go to Applications and select the app you just created.
- In the Configuration section, Issuer is your Entity ID.
- Your IDP ID used below is the last parameter of the Initiate Single Sign-on URL.
- In https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=${idpid} replace ${idpid} with your IDP ID. This is your SSO Login URL.
- Open the certificate file downloaded earlier with a text editor. This is your Certificate.
- Go to the SAML setup page and enter your Entity ID, SSO Login URL and Certificate.
- Select a default user role for new team members.
- Click Save.
Salesforce
Create a Hosted Graphite integration with Salesforce
- Log in to Salesforce, go to Settings and search for “Identity Provider”.
- Set Identity Provider to enabled, and go to Connected Apps.
- Create a new connected app, enter a Name and Email.
- Enter Entity ID https://CLUSTER.hostedgraphite.com/metadata/YOUR-USER-ID/
- Enter ACS URL https://CLUSTER.hostedgraphite.com/complete/saml/YOUR-USER-ID/
- Set NameID format to emailAddress.
- Click Save.
Adding Salesforce provider details to Hosted Graphite
- In Salesforce, go to Manage Connected Apps from Settings and open the app you just created.
- Under SAML Service Provider Settings, Issuer is your Entity ID.
- Under SAML Login Information, SP-Initiated Redirect Endpoint is your SSO Login URL.
- Under SAML Service Provider Settings, click the name of your certificate and then Download Certificate.
- Go to our SAML setup page and enter your Entity ID, SSO Login URL and Certificate.
- Select a default user role for new team members.
- Click Save.
Auth0
Create a Hosted Graphite integration with Auth0
- Log in to Auth0, select Add New Application and Single Page Web App.
- Go to Addons and select SAML2 Web App.
- Enter Application Callback URL https://CLUSTER.hostedgraphite.com/complete/saml/YOUR-USER-ID/
- Replace the Settings JSON field with the content below:
    {
      "audience": "https://CLUSTER.hostedgraphite.com/metadata/YOUR-USER-ID/",
      "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      "nameIdentifierProbes": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
      ]
    }
- Click Save.
Adding Auth0 provider details to Hosted Graphite
- Go to the Addons section of the new Auth0 App and select SAML2 Web App.
- Under the Usage tab, Issuer is your Entity ID.
- Identity Provider Login URL is your SSO Login URL.
- Identity Provider Certificate is your Certificate.
- Go to the SAML setup page and enter your Entity ID, SSO Login URL and Certificate.
- Select a default user role for new team members.
- Click Save.
Notes
- The team’s primary Hosted Graphite account will continue to log in without SAML. This cannot currently be changed.
- Existing users cannot be signed in via SAML. Please get in touch with support if you would like that changed.
- New users must sign up via the single sign-on URL provided in the third-party provider and not via the Hosted Graphite user interface. This is especially important for Azure SAML login.