Links

SAML Authentication

Hosted Graphite supports Single Sign On (SSO) via SAML-enabled identity providers. This allows users to login to our service using their existing organization credentials.
Contents
A SAML integration is set up on the team’s primary Hosted Graphite account, and any subsequent user signups via SAML will be added to this account as team members.
NOTE: SAML integration is included for all plans but must be enabled upon request. Please reach out to our support channel and we will enable this for you. Once enabled, you can locate the SAML Setup page from the Access menu.
Identity providers require SAML account metadata from Hosted Graphite in order to set up a SAML integration.
  • Entity ID URL: https://CLUSTER.hostedgraphite.com/metadata/YOUR-USER-ID/
  • Assertion Consumer URL: https://CLUSTER.hostedgraphite.com/complete/saml/YOUR-USER-ID/
  • Connection Type: IdP Initiated via IdP portal or SP Initiated via /login/saml/YOUR-USER-ID/
  • XML Metadata: Available by accessing the Entity ID URL above while logged in.
  • NameID Format: Email address.
  • SAML Version: 2.0
SAML Card
Hosted Graphite can integrate with providers that support the SAML 2.0 specification. Example steps for connecting with some supported identity providers are listed below.
Create a Hosted Graphite integration with Azure AD
  1. 1.
    Log in to the Azure AD portal, select your directory, then go to Applications and Add.
  2. 2.
    Click Add an application from the gallery then search for and select Hosted Graphite.
  3. 3.
    Open the Hosted Graphite application integration page, click Configure single sign-on, and then select Azure AD Single Sign-On.
  4. 4.
    Enter Identifier https://CLUSTER.hostedgraphite.com/metadata/YOUR-USER-ID/
  5. 5.
    Enter the Reply URL https://CLUSTER.hostedgraphite.com/complete/saml/YOUR-USER-ID/
  6. 6.
    The final configuration screen shows the values required for the next step. Download your certificate from this page.
Adding Azure AD provider details to Hosted Graphite
  1. 1.
    Navigate to the SAML Setup page to enter details from the configuration screen of the Azure AD App.
    • In the Entity ID field, enter your Issuer URL.
    • In the SSO Login URL field, enter your SAML SSO URL.
    • In the Certificate text box, enter the contents of the certificate file you downloaded.
  2. 2.
    Select a default user role for new team members.
  3. 3.
    Click Save.
This information is also available in the Azure documentation.

Okta

Create a Hosted Graphite integration with Okta
  1. 1.
    Login to the Okta portal, navigate to Admin, then Applications, and click Create App Integration.
  2. 2.
    Select the SAML 2.0 option, name the app (e.g. Hosted Graphite), and upload the HG icon.
  3. 3.
    In SAML Settings, enter the SSO URL (found in the HG app SAML Setup as: Assertion Consumer Service URL) and Audience URI (found in the HG app SAML Setup as: Entity or Issuer ID).
  4. 4.
    Then set the Name ID format as: EmailAddress, Application username as: Email.
  5. 5.
    In the Attribute Settings section, set Name as: email, Name Format as: Basic, and Value as: user.email, and click Next.
  6. 6.
    Click on View SAML Setup Instructions to display the information required in the following steps.
  7. 7.
    Now you can navigate your Okta directory and assign people or groups to the HG application. Confirm any additional information for each user and click Done when finished.
Adding Okta provider details to Hosted Graphite
  1. 1.
    Navigate to the SAML Setup page within your main Hosted Graphite application.
  2. 2.
    Enter the details from Step 6 into the relevant fields, set the default user permissions, and click Save.
  3. 3.
    Your team users should now be able to access the Hosted Graphite application through their Okta instance.
This information is also available in the Okta documentation.

OneLogin

Create a Hosted Graphite integration with OneLogin
  1. 1.
    Login to the OneLogin portal, go to Apps and then Add Apps.
  2. 2.
    Search for Hosted Graphite and select the SAML enabled app.
  3. 3.
    Click Save to add the app to your Company Apps and display additional configuration tabs.
  4. 4.
    In the Configuration tab, enter your HG User ID. This can be found on the SAML Setup page.
  5. 5.
    Click Save.
  6. 6.
    Go to the SSO tab to view the values you’ll copy into your Hosted Graphite account.
Adding OneLogin provider details to Hosted Graphite
  1. 1.
    Go to the SAML Setup page to enter the details from the SSO section of your OneLogin App.
    • In the Entity ID field, enter your SAML Issuer URL.
    • In the SSO Login URL field, enter your SAML Endpoint HTTP URL.
    • In the Certificate text box, enter your X.509 Certificate.
  2. 2.
    Select a default user role for new team members.
  3. 3.
    Click Save.
Create a Hosted Graphite integration with Ping Identity
  1. 1.
    Login to the PingOne portal, go to Applications, click Add Application then Search Application Catalog.
  2. 2.
    Search for Hosted Graphite and select the SAML app and click Setup.
  3. 3.
    Download the Certificate to enter into Hosted Graphite later, and click Continue to Next Step.
  4. 4.
    Enter ACS URL https://CLUSTER.hostedgraphite.com/complete/saml/YOUR-USER-ID/
  5. 5.
    Enter Entity ID https://CLUSTER.hostedgraphite.com/metadata/YOUR-USER-ID/
  6. 6.
    Select Continue to Next Step twice and then Save and Publish.
Adding Ping Identity provider details to Hosted Graphite
  1. 1.
    In PingOne, go to Applications and select the app you just created.
  2. 2.
    In the Configuration section, Issuer is your Entity ID.
  3. 3.
    Your IDP ID used below is the last parameter of the Initiate Single Sign-on URL.
  4. 4.
    In https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=${idpid} replace ${idpid} with your IDP ID. This is your SSO Login URL.
  5. 5.
    Open the certificate file downloaded earlier with a text editor. This is your Certificate.
  6. 6.
    Go to the SAML Setup page and enter your Entity ID, SSO Login URL, and Certificate.
  7. 7.
    Select a default user role for new team members.
  8. 8.
    Click Save.
Create a Hosted Graphite integration with Salesforce
  1. 1.
    Login to Salesforce, go to Settings, and search for “Identity Provider”.
  2. 2.
    Set Identity Provider to enabled, and go to Connected Apps.
  3. 3.
    Create a new connected app, and enter a Name and Email.
  4. 4.
    Enter Entity ID https://wwCLUSTERw.hostedgraphite.com/metadata/YOUR-USER-ID/
  5. 5.
    Enter ACS URL https://CLUSTER.hostedgraphite.com/complete/saml/YOUR-USER-ID/
  6. 6.
    Set NameID format to emailAddress.
  7. 7.
    Click Save.
Adding Salesforce provider details to Hosted Graphite
  1. 1.
    In Salesforce, go to Manage Connected Apps from Settings and open the app you just created.
  2. 2.
    Under SAML Service Provider Settings, Issuer is your Entity ID.
  3. 3.
    Under SAML Login Information, SP-Initiated Redirect Endpoint is your SSO Login URL.
  4. 4.
    Under SAML Service Provider Settings, click the name of your certificate and then Download Certificate.
  5. 5.
    Go to our SAML Setup page and enter your Entity ID, SSO Login URL, and Certificate.
  6. 6.
    Select a default user role for new team members.
  7. 7.
    Click Save.

Auth0

Create a Hosted Graphite integration with Auth0
  1. 1.
    Login to Auth0, select Add New Application and Single Page Web App.
  2. 2.
    Go to Addons and select SAML2 Web App.
  3. 3.
    Enter the Application Callback URL https://CLUSTER.hostedgraphite.com/complete/saml/YOUR-USER-ID/
  4. 4.
    Replace the Settings JSON field with the content below:
{
"audience": "https://CLUSTER.hostedgraphite.com/metadata/YOUR-USER-ID/",
"nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"nameIdentifierProbes": [
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
]
}
  1. 5.
    Click Save.
Adding Auth0 provider details to Hosted Graphite
  1. 1.
    Go to the Addons section of the new Auth0 App and select SAML2 Web App.
  2. 2.
    Under the Usage tab, Issuer is your Entity ID.
  3. 3.
    Identity Provider Login URL is your SSO Login URL.
  4. 4.
    Identity Provider Certificate is your Certificate.
  5. 5.
    Go to the SAML Setup page and enter your Entity ID, SSO Login URL, URL and Certificate.
  6. 6.
    Select a default user role for new team members.
  7. 7.
    Click Save.
Notes
  1. 1.
    The team’s primary Hosted Graphite account will continue to log in without SAML. This cannot currently be changed.
  2. 2.
    Existing users cannot be signed in via SAML. Please get in touch with support if you would like that changed.
  3. 3.
    New users must signup via the single-sign-on URL provided by the 3rd party provider, and not via the Hosted Graphite user interface. This is especially important for Azure SAML login.