# SAML Authentication

Contents

* [SAML Authentication](https://docs.hostedgraphite.com/account-management/saml-authentication)
  * [SAML Setup](#saml-setup)
  * [Azure Active Directory](#azure-active-directory)
  * [Okta](#okta)
  * [OneLogin](#onelogin)
  * [Ping Identity](#ping-identity)
  * [Salesforce](#salesforce)
  * [Auth0](#auth0)

A SAML integration is set up on the team’s primary Hosted Graphite account, and any subsequent user signups via SAML will be added to this account as team members.

**NOTE:** SAML integration is included for all plans but must be enabled upon request. Please reach out to our [support](mailto:support%40hostedgraphite.com) channel and we will enable this for you. Once enabled, you can locate the SAML Setup page from the Access menu.

### [SAML Setup](#saml-setup)

Identity providers need the following service-provider (SP) values from Hosted Graphite in order to set up a SAML integration.

* Entity ID URL: `https://CLUSTER.hostedgraphite.com/metadata/YOUR-USER-ID/`
* Assertion Consumer URL: `https://CLUSTER.hostedgraphite.com/complete/saml/YOUR-USER-ID/`
* Connection Type: IdP Initiated via *IdP portal* or SP Initiated via `/login/saml/YOUR-USER-ID/`
* XML Metadata: Available by accessing the *Entity ID URL* above while logged in.
* NameID Format: Email address.
* SAML Version: 2.0

<figure><img src="https://495119770-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZtHmoGZNsmARIViZEdbz%2Fuploads%2FsShaSwYLts2ZXDEyrddJ%2Fsaml-card.png?alt=media&#x26;token=64c752c3-f72c-434a-ba24-a0cb556279ad" alt=""><figcaption><p>SAML Card</p></figcaption></figure>

Hosted Graphite can integrate with providers that support the SAML 2.0 specification. Example steps for connecting with some supported identity providers are listed below.
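The Entity ID and Assertion Consumer URL above are the values a SAML service provider compares an incoming Response against: the assertion's Audience must equal the Entity ID, and both the Response Destination and the bearer SubjectConfirmation Recipient must equal the Assertion Consumer URL, alongside the validity window and the emailAddress NameID format. The page does not describe Hosted Graphite's own receiving logic, so the following is an added example, not Hosted Graphite code, of those checks written with Python's standard library. It keeps the CLUSTER and YOUR-USER-ID placeholders, builds the Response XML inline (constructed for the example, not captured traffic), and assumes XML signature verification against the IdP certificate happens separately; that step is deliberately not implemented here.

```python
# Added example (not Hosted Graphite code): the checks a SAML 2.0 service
# provider makes on an incoming Response using the SP values from the card
# above. Assumptions: CLUSTER / YOUR-USER-ID placeholders are kept as on the
# page; the Response XML is constructed, not captured traffic; XML signature
# verification against the IdP certificate is assumed to be done separately
# and is NOT implemented here.
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# SP values from the SAML Setup card
SP_ENTITY_ID = "https://CLUSTER.hostedgraphite.com/metadata/YOUR-USER-ID/"
SP_ACS_URL = "https://CLUSTER.hostedgraphite.com/complete/saml/YOUR-USER-ID/"


def parse_time(value):
    """SAML dateTime values are UTC, e.g. 2024-05-01T12:00:00Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_response(xml_text, entity_id, acs_url, now):
    """Return the list of problems found; an empty list means all checks passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]

    # The Response must be addressed to our Assertion Consumer URL.
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our Assertion Consumer URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one Assertion, found %d" % len(assertions)]
    a = assertions[0]

    # Audience must name our Entity ID: an assertion issued for another SP is
    # not valid here even if the IdP signed it.
    audiences = [e.text for e in a.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience does not include our Entity ID")

    # Validity window on Conditions.
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < parse_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= parse_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")

    # Bearer confirmation: Recipient must be our ACS URL and still be in date.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient is not our Assertion Consumer URL")
        if scd.get("NotOnOrAfter") and now >= parse_time(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmation expired")

    # NameID must use the emailAddress format the SP is configured for.
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    elif "@" not in (nameid.text or ""):
        problems.append("NameID is not an email address")
    return problems


def sample_response(audience=SP_ENTITY_ID, recipient=SP_ACS_URL):
    """Constructed, unsigned Response for the example (not captured traffic)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{SP_ACS_URL}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}"
          NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


# Fixed "now" inside the sample assertion's validity window.
NOW = parse_time("2024-05-01T12:01:00Z")

if __name__ == "__main__":
    print(check_response(sample_response(), SP_ENTITY_ID, SP_ACS_URL, NOW))  # []
    print(check_response(sample_response(audience="https://other-sp.example/"),
                         SP_ENTITY_ID, SP_ACS_URL, NOW))
```

Run as a script it prints an empty problem list for the good Response and the Audience complaint for one issued to a different SP. The point for setup is that an assertion carrying a valid IdP signature but the wrong Audience or Recipient is still rejected, which is why both URLs on the SAML card have to be entered at the identity provider exactly as shown, trailing slash included.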

### [Azure Active Directory](#azure-active-directory)

**Create a Hosted Graphite integration with Azure AD**

1. Log in to the Azure AD portal, select your directory, then go to **Applications** and **Add**.
2. Click **Add an application from the gallery** then search for and select *Hosted Graphite*.
3. Open the Hosted Graphite application integration page, click **Configure single sign-on,** and then select **Azure AD Single Sign-On**.
4. Enter Identifier `https://CLUSTER.hostedgraphite.com/metadata/YOUR-USER-ID/`
5. Enter the Reply URL `https://CLUSTER.hostedgraphite.com/complete/saml/YOUR-USER-ID/`
6. The final configuration screen shows the values required for the next step. Download your certificate from this page.

**Adding Azure AD provider details to Hosted Graphite**

1. Navigate to the SAML Setup page to enter details from the configuration screen of the Azure AD App.
   * In the Entity ID field, enter your *Issuer URL*.
   * In the SSO Login URL field, enter your *SAML SSO URL*.
   * In the Certificate text box, enter the contents of the certificate file you downloaded.
2. Select a default user role for new team members.
3. Click **Save**.

This information is also available in the [Azure documentation](https://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-hostedgraphite-tutorial/).

### [Okta](#okta)

**Create a Hosted Graphite integration with Okta**

1. Log in to the Okta portal, navigate to **Admin**, then **Applications**, and click **Create App Integration**.
2. Select the **SAML 2.0** option, name the app (e.g. Hosted Graphite), and upload the HG icon.
3. In **SAML Settings**, enter the **SSO URL** (the Assertion Consumer URL from the Hosted Graphite SAML Setup page) and the **Audience URI** (the Entity ID from the Hosted Graphite SAML Setup page).
4. Then set the **Name ID format** as: EmailAddress, **Application username** as: Email.
5. In the **Attribute Settings** section, set **Name** as: email, **Name Format** as: Basic, and **Value** as: user.email, and click **Next**.
6. Click on **View SAML Setup Instructions** to display the information required in the following steps.
7. Now you can navigate your Okta directory and assign people or groups to the HG application. Confirm any additional information for each user and click Done when finished.

**Adding Okta provider details to Hosted Graphite**

1. Navigate to the **SAML Setup** page within your main Hosted Graphite application.
2. Enter the details from Step 6 into the relevant fields, set the default user permissions, and click Save.
3. Your team users should now be able to access the Hosted Graphite application through their Okta instance.

This information is also available in the [Okta documentation](http://saml-doc.okta.com/SAML_Docs/Configure-SAML-2.0-for-Hosted-Graphite.html).

### [OneLogin](#onelogin)

**Create a Hosted Graphite integration with OneLogin**

1. Log in to the OneLogin portal, go to **Apps** and then **Add Apps**.
2. Search for *Hosted Graphite* and select the SAML enabled app.
3. Click **Save** to add the app to your Company Apps and display additional configuration tabs.
4. In the **Configuration** tab, enter your HG User ID. This can be found on the SAML Setup page.
5. Click **Save**.
6. Go to the **SSO** tab to view the values you’ll copy into your Hosted Graphite account.

**Adding OneLogin provider details to Hosted Graphite**

1. Go to the SAML Setup page to enter the details from the **SSO** section of your OneLogin App.
   * In the Entity ID field, enter your *SAML Issuer URL*.
   * In the SSO Login URL field, enter your *SAML Endpoint HTTP URL*.
   * In the Certificate text box, enter your *X.509 Certificate*.
2. Select a default user role for new team members.
3. Click **Save**.

### [Ping Identity](#ping-identity)

**Create a Hosted Graphite integration with Ping Identity**

1. Log in to the PingOne portal, go to **Applications**, click **Add Application** then **Search Application Catalog**.
2. Search for *Hosted Graphite* and select the SAML app and click **Setup**.
3. Download the Certificate to enter into Hosted Graphite later, and click **Continue to Next Step**.
4. Enter ACS URL `https://CLUSTER.hostedgraphite.com/complete/saml/YOUR-USER-ID/`
5. Enter Entity ID `https://CLUSTER.hostedgraphite.com/metadata/YOUR-USER-ID/`
6. Select **Continue to Next Step** twice and then **Save and Publish**.

**Adding Ping Identity provider details to Hosted Graphite**

1. In PingOne, go to **Applications** and select the app you just created.
2. In the Configuration section, **Issuer** is your Entity ID.
3. Your IdP ID is the last parameter (`idpid`) of the **Initiate Single Sign-on URL**.
4. Your SSO Login URL is `https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=${idpid}` with `${idpid}` replaced by your IdP ID.
5. Open the certificate file downloaded earlier with a text editor. This is your Certificate.
6. Go to the SAML Setup page and enter your Entity ID, SSO Login URL, and Certificate.
7. Select a default user role for new team members.
8. Click **Save**.

### [Salesforce](#salesforce)

**Create a Hosted Graphite integration with Salesforce**

1. Log in to Salesforce, go to Settings, and search for “Identity Provider”.
2. Set Identity Provider to enabled, and go to **Connected Apps**.
3. Create a new connected app, and enter a Name and Email.
4. Enter Entity ID `https://CLUSTER.hostedgraphite.com/metadata/YOUR-USER-ID/`
5. Enter ACS URL `https://CLUSTER.hostedgraphite.com/complete/saml/YOUR-USER-ID/`
6. Set NameID format to `emailAddress`.
7. Click **Save**.

**Adding Salesforce provider details to Hosted Graphite**

1. In Salesforce, go to **Manage Connected Apps** from Settings and open the app you just created.
2. Under SAML Service Provider Settings, *Issuer* is your Entity ID.
3. Under SAML Login Information, *SP-Initiated Redirect Endpoint* is your SSO Login URL.
4. Under SAML Service Provider Settings, click the name of your certificate and then *Download Certificate*.
5. Go to our SAML Setup page and enter your Entity ID, SSO Login URL, and Certificate.
6. Select a default user role for new team members.
7. Click **Save**.

### [Auth0](#auth0)

**Create a Hosted Graphite integration with Auth0**

1. Log in to Auth0, select **Add New Application**, and choose **Single Page Web App**.
2. Go to Addons and select SAML2 Web App.
3. Enter the Application Callback URL `https://CLUSTER.hostedgraphite.com/complete/saml/YOUR-USER-ID/`
4. Replace the Settings JSON field with the content below:

```
{
  "audience": "https://CLUSTER.hostedgraphite.com/metadata/YOUR-USER-ID/",
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}
```

5. Click **Save**.

**Adding Auth0 provider details to Hosted Graphite**

1. Go to the Addons section of the new Auth0 App and select **SAML2 Web App**.
2. Under the Usage tab, *Issuer* is your Entity ID.
3. *Identity Provider Login URL* is your SSO Login URL.
4. *Identity Provider Certificate* is your Certificate.
5. Go to the SAML Setup page and enter your Entity ID, SSO Login URL, and Certificate.
6. Select a default user role for new team members.
7. Click **Save**.
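Every provider section above ends the same way: copy the IdP's Entity ID (Issuer), SSO Login URL and signing certificate into the SAML Setup page. Each IdP also publishes those values in a SAML 2.0 metadata document, and reading them from there avoids copy-and-paste slips. As an added example that is not Hosted Graphite's or any identity provider's code, the script below extracts the three values from IdP metadata with Python's standard library and warns about the cases that cause failed logins: an encryption-only certificate, more than one signing certificate (key rollover), a non-HTTPS endpoint, and an IdP that does not advertise the emailAddress NameID format. The metadata is constructed for the example and its certificate bodies are placeholders, not real certificates; the page does not say which SingleSignOnService binding Hosted Graphite uses, so preferring HTTP-Redirect and falling back to HTTP-POST is an assumption.

```python
# Added example (not Hosted Graphite's or any IdP's code): pull the three values
# every provider section ends with (Entity ID, SSO Login URL, Certificate) out
# of an IdP's SAML 2.0 metadata document and flag what is worth checking before
# pasting them into the SAML Setup page.
# Assumptions: the metadata below is constructed and its certificate bodies are
# placeholders, not real certificates; the binding preference order is an
# assumption, since the page does not state which one Hosted Graphite uses.
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDINGS = [  # preference order (assumption, see above)
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
]
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def to_pem(b64_der):
    """Metadata carries the certificate as bare base64 DER; the Certificate
    box on the setup page takes the PEM text of a downloaded certificate file."""
    body = "".join(b64_der.split())
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def idp_settings(metadata_xml):
    """Return entity_id, sso_login_url, certificate (PEM) and a list of warnings."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an IdP?)")
    warnings = []

    # SSO Login URL: the SingleSignOnService endpoint for the preferred binding.
    endpoints = {e.get("Binding"): e.get("Location")
                 for e in idp.findall("md:SingleSignOnService", NS)}
    sso = next((endpoints[b] for b in BINDINGS if b in endpoints), None)
    if sso is None:
        raise ValueError("no SingleSignOnService with a supported binding")
    if not sso.startswith("https://"):
        warnings.append("SSO Login URL is not https")

    # Certificate: the IdP's *signing* certificate, which is what the SP uses to
    # verify assertion signatures. A KeyDescriptor with no "use" covers both
    # signing and encryption; one marked encryption-only is not what we want.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        c = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c is not None and c.text and c.text.strip():
            certs.append(to_pem(c.text))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    if len(certs) > 1:
        warnings.append("IdP publishes %d signing certificates (key rollover?); "
                        "the setup page takes one" % len(certs))

    # NameID: the SAML Setup card says email address.
    formats = [f.text for f in idp.findall("md:NameIDFormat", NS)]
    if formats and EMAIL_FORMAT not in formats:
        warnings.append("IdP does not advertise the emailAddress NameID format")

    return {"entity_id": root.get("entityID"), "sso_login_url": sso,
            "certificate": certs[0], "warnings": warnings}


# Constructed metadata for the example; the certificate bodies are placeholders.
FAKE_SIGNING_CERT = "U0lHTklORy1DRVJUSUZJQ0FURS1QTEFDRUhPTERFUg" * 4
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {FAKE_SIGNING_CERT[:80]}
        {FAKE_SIGNING_CERT[80:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>RU5DUllQVElPTi1PTkxZ</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{BINDINGS[1]}"
        Location="https://idp.example.com/sso/post"/>
    <md:SingleSignOnService Binding="{BINDINGS[0]}"
        Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for key, value in idp_settings(SAMPLE_METADATA).items():
        print(key, "=", value)
```

Only the `use="signing"` (or unmarked) KeyDescriptor is taken, because the certificate pasted into the setup page is what verifies assertion signatures; an encryption-only certificate would make every login fail. When the IdP rotates its signing key its metadata carries two certificates for a while, which the script reports as a warning; the certificate on the SAML Setup page then has to be updated to the new one before the old one is retired.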

**Notes**

1. The team’s primary Hosted Graphite account will continue to log in without SAML. This cannot currently be changed.
2. Existing users cannot be signed in via SAML. Please get [in touch with support](mailto:support%40hostedgraphite.com) if you would like that changed.
3. New users **must** sign up via the single sign-on URL provided by the third-party provider, and not via the Hosted Graphite user interface. This is especially important for Azure SAML login.
