Multi-organization SSO
Switch between organizations in GraphOS Studio without needing to reauthenticate
Single sign-on (SSO) is available only for Dedicated and Enterprise plans. This feature is not available as part of an Enterprise trial.
This feature is in invite-only preview. Please get in touch with your Apollo contact if you'd like to request access.
Different GraphOS organizations can share the same identity provider (IdP) and SSO so members can switch between organizations in GraphOS Studio without needing to reauthenticate.
Prerequisites
For multi-organization SSO, each organization needs to individually configure SSO according to the latest instructions (as of April 2024) for their particular IdP:
- Okta (SAML-based)
- Microsoft Entra ID (formerly known as Azure Active Directory)
- Generic SAML
- Generic OIDC
Switching between organizations
You can switch between any organizations you have access to by clicking the organization name in the top left of GraphOS Studio. For an organization to appear in your organization list, you must first log into that organization.
Logging in to a multi-org SSO organization
To authenticate access to an organization with a shared SSO configuration, you must first log in to it using one of these identity provider (IdP) initiated methods:
- Via IdP application portal (recommended)
- Via IdP-generated link
- Via Apollo-generated link
ⓘ NOTE
When this feature reaches GA, it will also support login via service-provider-initiated (SP-initiated) SSO.
Log in via IdP application portal
💡 TIP
Apollo recommends application portals as the most direct way for organization members to authenticate access.
Many IdPs provide a user-facing page where you can see which applications you are assigned to. Different GraphOS organizations appear as separate applications, and you can log in to each one by clicking the organization tile.
For example, the screenshot above shows separate application tiles for Apollo GraphOS (Organization 1) and Apollo GraphOS (Organization 2).
Log in via an IdP-generated link
Many IdPs provide a method to generate login links—sometimes called "magic links." These can be provided directly to team members or stored in an internal wiki or document for easy access. Login link creation often requires admin permissions in an IdP. Consult your IdP's documentation for instructions.
Log in via an Apollo-generated link
Apollo can also generate login links on request. Get in touch with your Apollo contact to request a magic link. Be sure to include the organization(s) you want the link(s) for.
Preview limitations
While this feature is in preview, members can only log in with IdP-initiated SSO. Therefore, during preview, all members of an organization with multi-organization SSO must log in from their IdP. If they try to log in on studio.apollographql.com/login
, they will receive an error message directing them to log in via IdP.