Version: 2.0

Single Sign on Configuration

The GraphGrid dashboard supports Single Sign On (SSO) using SAML 2.0. All testing has been done with Okta, and documentation will be tailored towards Okta, though other SAML 2.0 Identity Providers (IdPs) should work.


Before starting this process, please configure SSL for your installation. See here for more info.

Okta Setup

In your Okta admin console, start by creating a new SAML 2.0 integration. After filling in the app name, and optionally uploading a logo, you can enter the following SAML Settings. {{baseURL}} should be substituted with your domain name or IP address (including http/https) like

Single sign on URL | {{baseURL}}/1.0/security/saml/SSO
Audience URI (SP Entity ID) | {{baseURL}}/1.0/security/saml/metadata
Default RelayState | {{baseURL}}/login
Name ID format | EmailAddress
Application username | Okta username

Under the Attribute Statements section, add the following attributes. The Name formats can be Unspecified.

Feel free to customize the applicationName attribute value, but remember to keep it consistent in future steps.

After customizing everything, go ahead and hit next, and follow the instructions from Okta until the app is created. Next, under the Sign On tab, find the "Identity Provider metadata" link. You will need this metadata URL in an upcoming step.


GraphGrid Setup

In order to use SSO, several configuration values need to be modified. See here for instructions on using the Config API to set configuration values. All values should be set for the docker environment (for a packaged deployment), under the security service, and with the appropriate version number for the branch (like 2.0.x). The base URL for your requests should be /1.0/config/updateConfigValue/security/docker/2.0.x. Remember to customize URLs to match your environment.

Please note that spring.okta.hostName should not have a leading http:// or https:// since that gets added using the value from Additionally, be aware of trailing slashes. During SAML verification, URLs must match up exactly. If you run into any errors, the security container logs can be quite helpful.

Parameter Key | Parameter Value
spring.okta.password | Use a secure randomly generated password
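
A pre-flight check for the exact-match pitfalls described above (a scheme on spring.okta.hostName, trailing slashes), given as an added example that is not part of the GraphGrid documentation. The function names and the example.com hostnames are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not GraphGrid code. Hostnames below are constructed samples.

# baseURL needs its scheme and no trailing "/": the SAML paths are appended
# to it, and "//1.0/..." would not match the URL stored in Okta exactly.
check_base_url() {
  case $1 in
    https://?*) ;;
    http://?*) echo "baseURL: plain http, use only when testing without SSL" >&2 ;;
    *) echo "baseURL: must start with http:// or https://" >&2; return 1 ;;
  esac
  case $1 in
    */) echo "baseURL: remove the trailing slash" >&2; return 1 ;;
  esac
}

# spring.okta.hostName must not carry a scheme (the page says it is added
# separately). Rejecting a trailing slash is this example's own strictness.
check_host_name() {
  case $1 in
    '') echo "hostName: empty" >&2; return 1 ;;
    *://*) echo "hostName: remove the leading scheme" >&2; return 1 ;;
    */) echo "hostName: remove the trailing slash" >&2; return 1 ;;
  esac
}

# Derive the three Okta SAML settings from one base URL so both sides are
# built from the same string.
saml_settings() {
  printf 'Single sign on URL: %s/1.0/security/saml/SSO\n' "$1"
  printf 'Audience URI (SP Entity ID): %s/1.0/security/saml/metadata\n' "$1"
  printf 'Default RelayState: %s/login\n' "$1"
}

# Run both checks; print the settings only when everything passed.
preflight() {
  rc=0
  check_base_url "$1" || rc=1
  check_host_name "$2" || rc=1
  if [ "$rc" -eq 0 ]; then saml_settings "$1"; fi
  return "$rc"
}

preflight "https://graphgrid.example.com" "graphgrid.example.com"
```

Copy the printed values into Okta verbatim so the URLs on both sides come from the same string.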

Once the configuration parameters have been set, restart the Security service.

It is important to keep spring.okta.password secret, since it will be assigned as a backup for all SSO accounts. If you need to test without SSL, set to http.

Finally, using an appropriate Org grn from the graph, and the metadata URL from Okta, create the SSO account integration. The GraphGrid security service will dynamically import all necessary SAML data from the metadata URL. You can optionally pass a redirectUrl property to redirect users after logout. Make sure applicationName matches up with what was entered into Okta under the Attribute Statements section.

curl --location --request POST "${API_BASE}/1.0/security/ssoaccount/new" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--data-raw '{
  "applicationName": "graphgrid",
  "type": "okta",
  "metadataUrl": "",
  "orgGrn": "grn:gg:org:wFLbDOhkrl979rdc5mv5oc8l66oMzOx1fTfvWo2RpBzy"
}'

You should now be able to assign the SAML application to users in Okta and have them authenticate. When they first authenticate, a User node will be created for them on the graph, and a corresponding user will be created in LDAP.