# Graphistry SSO Configuration Guide

## Overview

Graphistry Enterprise Server supports Single Sign-On (SSO) through [OIDC (OpenID Connect)](https://openid.net/connect/) providers such as **Okta**, **Entra**, **Auth0** and others. Options for SSO auth include **site-wide** for all site users or **per organization**, depending on your multi-tenancy needs.

This guide walks you through configuring SSO in Graphistry.

---

## Prerequisites

Before setting up SSO:

* Deploy Graphistry Enterprise Server (self-hosted or cloud)
* Ensure TLS is configured properly (especially when using external proxies or load balancers) 

---

## Configuration Paths

SSO setup can be done **site-wide** or at the **org level**.

### 1. Site-wide SSO

Note: Graphistry Hub users cannot configure site-wide SSO; see the organization-specific configuration below.

1. Click the admin user drop-down menu and select **Manage site-wide SSO** 

* (Recommended) Disable traditional account creation
* (Recommended) Set up outgoing email (for invites and notifications)

### 2. Organization-specific SSO

Note: Graphistry Hub users are required to have a paid Organization account. [Sign up for an Organization account on Graphistry Hub](https://hub.graphistry.com/users/stripe/select_org/team-annually/).

1. After logging in to your Graphistry account, click the "Manage organization" button. <br>
<img src="../static/img/OIDC_setup/oidc_setup_graphistry_1_1.png">

2. Click the "+" button to add a new organization. <br>
<img src="../static/img/OIDC_setup/oidc_setup_graphistry_1_2.png">

3. Fill in the organization's information and click the Create button; the "Organization ID" must be unique. <br>
<img src="../static/img/OIDC_setup/oidc_setup_graphistry_1_3.png">

4. Click the orange "Configure SSO" button. <br>
<img src="../static/img/OIDC_setup/oidc_setup_graphistry_1_4.png">

5. Click the "+" button to add a new SSO provider. <br>
<img src="../static/img/OIDC_setup/oidc_setup_graphistry_1_5.png">

6. Fill in the IdP Name, Host URL and Client ID, and select the SSO provider. <br>
<img src="../static/img/OIDC_setup/oidc_setup_graphistry_1_6.png">

7. For Okta, for example, the "Client ID" and "Host URL" values are the [“Client ID” and “Okta domain”](#okta_1_1_7) fields, respectively. <br>
<img src="../static/img/OIDC_setup/oidc_setup_graphistry_1_7.png">

8. The SSO provider is now listed for the organization. Remember to set the sign-in redirect URI at your IdP (see the [Okta redirect URI step](#okta_1_1_5)) to
`http://{hostname}/o/{organization_id}/sso/oidc/{idp_name}/login/callback`. <br>
<img src="../static/img/OIDC_setup/oidc_setup_graphistry_1_8.png">
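The two callback templates used in this guide (the per-organization `/o/{organization_id}/sso/oidc/{idp_name}/login/callback` path and the site-wide `/g/sso/oidc/{idp_name}/login/callback` path) have to be registered at the IdP character for character. The following is an added example, not code from Graphistry: it builds the expected callback URI from those templates and checks the value registered at the IdP against it. The hostnames, organization IDs and IdP names are constructed sample values; the `check_registered_uri` helper and its finding messages are this example's own.

```python
"""Build and sanity-check Graphistry SSO callback URIs (added example, not Graphistry code)."""
from urllib.parse import urlsplit

# The two URI templates from the guide; the scheme is a parameter so that
# development (http://localhost:8000) and production (https) both work.
ORG_TEMPLATE = "{scheme}://{hostname}/o/{organization_id}/sso/oidc/{idp_name}/login/callback"
SITE_TEMPLATE = "{scheme}://{hostname}/g/sso/oidc/{idp_name}/login/callback"

# Hosts on which plain http is acceptable for local development.
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def callback_uri(hostname, idp_name, organization_id=None, scheme="https"):
    """Return the callback URI to register at the IdP.

    organization_id=None selects the site-wide template (the /g/ path);
    otherwise the per-organization template (the /o/<org>/ path) is used.
    """
    if organization_id is None:
        return SITE_TEMPLATE.format(scheme=scheme, hostname=hostname, idp_name=idp_name)
    return ORG_TEMPLATE.format(
        scheme=scheme, hostname=hostname, organization_id=organization_id, idp_name=idp_name
    )


def check_registered_uri(registered, expected):
    """Compare the URI registered at the IdP with the expected Graphistry callback.

    Returns a list of findings; an empty list means the registration looks right.
    OIDC providers compare redirect_uri by simple string comparison, so any
    difference (a trailing slash, http versus https, a different port) makes
    the provider reject the login or send the code to the wrong place.
    """
    findings = []
    if registered != expected:
        findings.append(f"redirect URI mismatch: registered {registered!r}, expected {expected!r}")
    parts = urlsplit(registered)
    if parts.scheme != "https" and parts.hostname not in LOCAL_HOSTS:
        findings.append(
            "non-local callback uses plain http; configure TLS so the authorization "
            "code returned to Graphistry is not sent in clear text"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample values.
    expected = callback_uri("graphistry.example.com", "okta_prod", organization_id="acme")
    print("expected callback:", expected)
    # A registration with a trailing slash and plain http produces two findings.
    for finding in check_registered_uri(
        "http://graphistry.example.com/o/acme/sso/oidc/okta_prod/login/callback/", expected
    ):
        print("finding:", finding)
    # The site-wide form for a development server.
    print("site-wide dev callback:", callback_uri("localhost:8000", "okta_dev", scheme="http"))
```

Run it before saving the IdP application: paste the value you typed into the IdP's redirect URI field as `registered` and the guide's template output as `expected`, and only proceed when no findings are printed.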


# Configure the identity provider (OIDC details)

---

## Identity Provider (IdP) Setup

Graphistry supports **OIDC-compliant providers**. Setup generally includes:

- Creating an OIDC app in your IdP and obtaining its credentials (refer to your IdP's documentation)
- Choosing the correct SSO IdP template
- Naming the IdP connection
- Setting the IdP hostname and Client ID (some providers require additional fields)
- Testing the SSO connection

## Select an IdP and follow the steps to configure the SSO connection: 

1. [OKTA SETUP](#okta-setup)
    1. [OKTA OIDC SETUP](#okta-oidc-setup)
    2. [OKTA PEOPLE SETUP](#okta-people-setup)
    3. [OKTA GROUP SETUP](#okta-group-setup)
2. [AUTH0 SETUP](#auth0-setup)
    1. [AUTH0 OIDC SETUP](#auth0-oidc-setup)
    2. [AUTH0 USER SETUP](#auth0-user-setup)
    3. [AUTH0 ORGANIZATION SETUP](#auth0-organization)
3. [KEYCLOAK SETUP](#keycloak-setup-no-pkce)
    1. [KEYCLOAK OIDC SERVER SETUP](#keycloak-oidc-server-setup)
    2. [KEYCLOAK USER SETUP](#keycloak-user-setup)
4. [MICROSOFT ENTRA SETUP](#microsoft-entra-setup)
    1. [ENTRA CONFIGURE SSO](#entra-configure-sso)
5. [MICROSOFT ADFS SETUP](#microsoft-adfs-setup)
    1. [ADFS CONFIGURE SSO](#adfs-configure-sso)
6. [GRAPHISTRY SETUP](#graphistry-setup)
    1. [ORGANIZATION CONFIGURE SSO](#organization-configure-sso)

<hr>

## OKTA SETUP 

### OKTA OIDC SETUP

1. After logging in to your Okta account, if this page is shown, click the Admin button. <br>
<img src="../static/img/OIDC_setup/oidc_setup_okta_1_1.png">

2. Go to the application page and click “Create App Integration” to create a new application. <br>
<img src="../static/img/OIDC_setup/oidc_setup_okta_1_2.png">

3. Select “OIDC - OpenID Connect” in the Sign-in method section and “Single-Page Application” at the Application Type section. <br>
<img src="../static/img/OIDC_setup/oidc_setup_okta_1_3.png">

4. Change the application name as you like; you can optionally upload a logo for the application. <br>
<img src="../static/img/OIDC_setup/oidc_setup_okta_1_4.png">

5. <a name="okta_1_1_5"></a> Set the sign-in redirect URI using the following format, replacing the fields in braces with your values. For example, this is a URL used in development: `http://localhost:8000/o/{organization_id}/sso/oidc/{idp_name}/login/callback`.
If you are using site-wide SSO, the format is `http://localhost:8000/g/sso/oidc/{idp_name}/login/callback`. <br>
<img src="../static/img/OIDC_setup/oidc_setup_okta_1_5.png">

6. Choose “Skip group assignment for now” and save the changes. We will assign the user/group later. <br>
<img src="../static/img/OIDC_setup/oidc_setup_okta_1_6.png">

7. Record the “Client ID” and “Okta domain” fields; you will use them to register the organization's SSO identity provider in Graphistry. <a name="okta_1_1_7"></a> <br>
<img src="../static/img/OIDC_setup/oidc_setup_okta_1_7.png">
<img src="../static/img/OIDC_setup/oidc_setup_okta_1_8.png">

8. Assign people to the application. <br>
<img src="../static/img/OIDC_setup/oidc_setup_okta_1_9.png">

9. Click “Assign” on the line of the person to whom you want to assign the application. <br>
<img src="../static/img/OIDC_setup/oidc_setup_okta_1_10.png">

10. Click “Assign” on the line of the group to which you want to assign the application. If assigned by group, all people in the group can log in to this application. <br>
<img src="../static/img/OIDC_setup/oidc_setup_okta_1_11.png">


### OKTA PEOPLE SETUP

1. Add a new person. <br>
<img src="../static/img/OIDC_setup/oidc_setup_okta_2_1.png">

2. Fill in the relevant fields. If the Activation is set to "Activate later", users will receive an email to set their password and activate the account. <br>
<img src="../static/img/OIDC_setup/oidc_setup_okta_2_2.png">

3. If the Activation is set to "Activate now", options for setting the password are shown. If the "I will set password" option is ticked, you can enter a temporary password and specify whether the user must change their password after the initial login. <br>
<img src="../static/img/OIDC_setup/oidc_setup_okta_2_3.png">


### OKTA GROUP SETUP

1. Create a new Group. <br>
<img src="../static/img/OIDC_setup/oidc_setup_okta_3_1.png">

2. Give a name to the group. Optionally, you can add a description. <br>
<img src="../static/img/OIDC_setup/oidc_setup_okta_3_2.png">

3. Click the group name you created to manage the group. <br>
<img src="../static/img/OIDC_setup/oidc_setup_okta_3_3.png">

4. Click "Assign people" to add a person to the group. You can also remove a user from the group by clicking "Remove". <br>
<img src="../static/img/OIDC_setup/oidc_setup_okta_3_4.png">
<img src="../static/img/OIDC_setup/oidc_setup_okta_3_5.png">


<hr>

## AUTH0 SETUP

### AUTH0 OIDC SETUP

1. After signing up for an Auth0 account, select “Company” as the account type so you can restrict who can log in to this organization. Fill in the company's name and select the company size. <br>
<img src="../static/img/OIDC_setup/oidc_setup_auth0_1_1.png">

2. You can change the domain name and country. Changing the country changes the host URL. <br>
<img src="../static/img/OIDC_setup/oidc_setup_auth0_1_2.png">

3. Click “Applications” in the Applications section to go to the applications page. In the applications panel, click “Create Application” to create a new application. <br>
<img src="../static/img/OIDC_setup/oidc_setup_auth0_1_3.png">

4. Name your application and select “Single Page Web Applications”. <br>
<img src="../static/img/OIDC_setup/oidc_setup_auth0_1_4.png">

5. Go to “Settings” to get the “Domain”, “Client ID” and “Client Secret”. These fields are used to register the organization's SSO identity provider in Graphistry. <br>
<img src="../static/img/OIDC_setup/oidc_setup_auth0_1_5.png">

6. Set the sign-in redirect URI using the following format, replacing the fields with your values. For example, this is a URL used in development: `http://localhost:8000/o/admin/sso/oidc/test_admin/login/callback/`.
If you are using site-wide SSO, the format is `http://localhost:8000/g/sso/oidc/Site_wide_SSO_Provider/login/callback/`. <br>
<img src="../static/img/OIDC_setup/oidc_setup_auth0_1_6.png">

7. Save your changes after adding the callback URLs. <br>

8. Disable the grants shown below in order to use the organization function. <br>
<img src="../static/img/OIDC_setup/oidc_setup_auth0_1_7.png">

9. Change the Organization setting to “Team members of organizations” and click “Save Changes“. <br>
<img src="../static/img/OIDC_setup/oidc_setup_auth0_1_8.png">


### AUTH0 USER SETUP

1. Go to “User Management” and select “Users” to go to the users page. Click “Create User” to create a new user. <br>
<img src="../static/img/OIDC_setup/oidc_setup_auth0_2_1.png">

2. Fill in all of the fields and click “Create” to create a new user. <br>
<img src="../static/img/OIDC_setup/oidc_setup_auth0_2_2.png">

### AUTH0 ORGANIZATION

1. Go to “Organizations” and click “Create Organization” to create a new organization. <br>
<img src="../static/img/OIDC_setup/oidc_setup_auth0_3_1.png">	

2. Name your organization and set your displayed name. <br>
<img src="../static/img/OIDC_setup/oidc_setup_auth0_3_2.png">	

3. Record your “Organization ID”; you will need it when you create your organization's SSO identity provider. <br>
<img src="../static/img/OIDC_setup/oidc_setup_auth0_3_3.png">	

4. You can change these fields to adjust the UI of the login page. Make sure to save your changes. <br>
<img src="../static/img/OIDC_setup/oidc_setup_auth0_3_4.png">	

5. Go to the “Members” section and click “Add Members” to add members to your organization. <br>
<img src="../static/img/OIDC_setup/oidc_setup_auth0_3_5.png">	

6. After selecting the user you want to add, click “Add Member” to add them to the organization. <br>
<img src="../static/img/OIDC_setup/oidc_setup_auth0_3_6.png">	

7. Go to the "Connections" section and click "Enable Connections" to add connections to the organization. <br>
<img src="../static/img/OIDC_setup/oidc_setup_auth0_3_7.png">	

8. Select "Username-Password-Authentication" and click "Enable Connection". <br>
<img src="../static/img/OIDC_setup/oidc_setup_auth0_3_8.png">	


<hr>

## KEYCLOAK SETUP (No PKCE)

### KEYCLOAK OIDC SERVER SETUP

1. Login to the keycloak admin console. Default username is “admin” and password is “graphistry”. <br>
<img src="../static/img/OIDC_setup/oidc_setup_keycloak_1_1.png">	

2. Create a new realm for the OIDC server. Move your mouse cursor to “Master” and the “Add realm” button appears. <br>
<img src="../static/img/OIDC_setup/oidc_setup_keycloak_1_2.png">	

3. Give this realm a name. This realm name is used as the IdP name when you create an OrgSSO object. <br>
<img src="../static/img/OIDC_setup/oidc_setup_keycloak_1_3.png">	

4. After the realm is created, go to the “Clients” section and click “Create” to create a new client for OIDC. <br>
<img src="../static/img/OIDC_setup/oidc_setup_keycloak_1_4.png">	

5. Fill in the “Client ID”; this is the Client ID you use when creating the OrgSSO object. <br>
<img src="../static/img/OIDC_setup/oidc_setup_keycloak_1_5.png">

6. Change the “Access type” from public to confidential. Add valid redirect URIs to the client. For example, `http://localhost/*`; the `*` means the client accepts anything after the host. <br>
<img src="../static/img/OIDC_setup/oidc_setup_keycloak_1_6.png">

7. Go to “Credentials” to get the secret key. <br>
<img src="../static/img/OIDC_setup/oidc_setup_keycloak_1_7.png">
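Step 6 registers `http://localhost/*` as a valid redirect URI. The following is an added example, not Keycloak's or Graphistry's code: it models the simplest reading of such a list (an entry ending in `*` admits any URI that starts with the text before the `*`; every other entry must match exactly) and tabulates how many more URIs the wildcard entry admits compared with registering the single Graphistry callback. The host, organization ID, realm name and candidate URIs are constructed sample values, and `uri_allowed` and `compare_policies` are this example's own helpers, not Keycloak's matching code.

```python
"""Redirect-URI matching: exact entries versus a trailing-* wildcard (added example)."""


def uri_allowed(candidate, allowed_patterns):
    """Return the registered pattern that admits candidate, or None if none does.

    Simplified model of a valid-redirect-URI list: a pattern ending in '*' is
    a prefix match on the text before the '*'; any other pattern is an exact
    string comparison, which is what OIDC requires for redirect_uri.
    """
    for pattern in allowed_patterns:
        if pattern.endswith("*"):
            if candidate.startswith(pattern[:-1]):
                return pattern
        elif candidate == pattern:
            return pattern
    return None


def compare_policies(candidates, wildcard_list, exact_list):
    """Return, per candidate URI, whether each registration list admits it."""
    return {
        uri: {
            "wildcard": uri_allowed(uri, wildcard_list) is not None,
            "exact": uri_allowed(uri, exact_list) is not None,
        }
        for uri in candidates
    }


# Constructed values: a development host, organization "acme" and a realm
# named "graphistry_realm" used as the IdP name (see step 3 above).
GRAPHISTRY_CALLBACK = "http://localhost/o/acme/sso/oidc/graphistry_realm/login/callback"
WILDCARD_LIST = ["http://localhost/*"]  # the pattern shown in step 6
EXACT_LIST = [GRAPHISTRY_CALLBACK]      # the one callback Graphistry actually uses

CANDIDATES = [
    GRAPHISTRY_CALLBACK,
    GRAPHISTRY_CALLBACK + "/",            # same path with a trailing slash
    "http://localhost/some/other/page",   # an unrelated path on the same host
]

if __name__ == "__main__":
    for uri, verdict in compare_policies(CANDIDATES, WILDCARD_LIST, EXACT_LIST).items():
        print(f"{uri}\n  wildcard list admits: {verdict['wildcard']}"
              f"   exact list admits: {verdict['exact']}")
```

The table shows the trade-off: the wildcard entry is convenient while you are still finding the right callback path, but it also admits every other path on the host, whereas the exact entry admits only the Graphistry callback. Once the callback from the Graphistry side is known, registering that exact URI is the narrower setting.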

### KEYCLOAK USER SETUP

1. Go to the “Users” section and click “Add user”. <br>
<img src="../static/img/OIDC_setup/oidc_setup_keycloak_2_1.png">	

2. Fill in the user's information. Only the username attribute is required. Under “Required User Actions”, you can require the user to verify their email or update their password the first time they log in. <br>
<img src="../static/img/OIDC_setup/oidc_setup_keycloak_2_2.png">

3. Go to the “Credentials” section and create a password for this user so they can log in to this server. If you toggle on “Temporary”, the user must update the password the first time they log in. <br>
<img src="../static/img/OIDC_setup/oidc_setup_keycloak_2_3.png">


<hr>

## MICROSOFT ENTRA SETUP

### ENTRA CONFIGURE SSO

1. Set it up as shown below. <br>
<img src="../static/img/OIDC_setup/oidc_entra_1_1.png">	

2. Sign in with Entra SSO. <br>
<img src="../static/img/OIDC_setup/oidc_entra_1_2.png">	


<hr>

## MICROSOFT ADFS SETUP

### ADFS CONFIGURE SSO

1. Set it up as shown below. <br>
<img src="../static/img/OIDC_setup/oidc_adfs_1_1.png">	

2. Sign in with ADFS SSO. <br>
<img src="../static/img/OIDC_setup/oidc_adfs_1_2.png">	


<hr>

