Single sign-on

Required Permission: Settings management (Read more about Permissions)


Graphlytic supports Single sign-on integration with external Identity Providers using the SAML2 protocol.

How it works

When the SAML2 integration is enabled (configured in graphlytic.conf or using environment variables), the Login page includes an SSO login option (the title of the button is configurable).


After clicking the "External SSO" option, the user is redirected to the login page of the IdP.

After a successful login on the IdP side and the redirect back to the Graphlytic application, the user is logged into the application according to one of these scenarios:

  1. The user already exists in Graphlytic: the user is logged into the application and their user group mappings are updated according to the information received from the IdP and the mapping defined in the SAML2 integration configuration.

  2. The user does not exist in Graphlytic yet: the user is created (if the licensed number of users has not been reached yet) and their user group mappings are set according to the information received from the IdP and the mapping defined in the SAML2 integration configuration. In order to log in correctly, a user has to be assigned to at least one User Group based on the group (LDAP) mapping. If you want to make sure that the user can always log in, fill out the "Fallback group", which is assigned to users with no group during the identity provisioning process.


IdP connection configuration

To update the SSO settings, use the Single Sign-On panel on the Settings page.


| UI field | Example value | Description |
|---|---|---|
| Single Sign-On enabled | | Switch for turning the Single Sign-On functionality on/off. |
| Name of IdP | External SSO | Title of the Login page button. |
| Verifying certificate | | Path to the IdP certificate used for signature verification. This certificate is used to verify that the response is intact and that it was sent by the contacted IdP. |
| Decryption certificate | | Path to the IdP certificate used for decryption. Can be empty if communication with the IdP is not encrypted. If defined, this certificate is used to decrypt messages from the IdP. |
| IdP entity ID | | The IdP entity identifier (Asserting Party Entity Id). |
| Graphlytic entity ID | | The local application (Graphlytic) ID used for IdP communication. Has to be created in the IdP configuration. |
| SSO Redirect URL | | Login redirect URL. The user is redirected to this location during the login workflow. |
| Assertion Consumer URL | | Assertion URL to which the successfully logged-in user is redirected back from the IdP. If not defined, a default value is used (this value is sent in the request to the IdP and some IdPs automatically read and use it). |
| Group claim | | The name of the claim in the returned XML that carries the user's group memberships used for mapping. |
| Fallback group | | Name of a Graphlytic user group that is used if no mapping was successful. If the Fallback group is not configured, or the group doesn't exist in Graphlytic, a user with no user groups is not created in Graphlytic (to minimize license consumption). |

User groups mapping

Mapping of the LDAP groups stored in the IdP to Graphlytic user groups is done in Groups management. Every Graphlytic user group can have multiple LDAP groups assigned; these are used to map the user to the Graphlytic groups during the login process.
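The provisioning rules described above (reading the configured group claim from the assertion, mapping LDAP groups to Graphlytic user groups, applying the fallback group and the license limit) as an added, self-contained illustration; this is not Graphlytic's own code, and the function names, the "memberOf" claim and the sample assertion are assumptions constructed for the example.

```python
# Added illustration of the SSO provisioning rules on this page; not Graphlytic code.
# Function names, the claim name and the sample assertion are assumptions.
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the IdP returns the user's LDAP groups in the attribute
# whose Name equals the configured "Group claim" (here assumed to be "memberOf").
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="memberOf">
      <saml2:AttributeValue>CN=analysts,OU=groups,DC=example,DC=com</saml2:AttributeValue>
      <saml2:AttributeValue>CN=staff,OU=groups,DC=example,DC=com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def group_claim_values(assertion_xml, group_claim):
    """Return the values of the attribute named `group_claim` (empty list if absent)."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml2:Attribute", SAML_NS):
        if attr.get("Name") == group_claim:
            return [v.text or "" for v in attr.iterfind("saml2:AttributeValue", SAML_NS)]
    return []


def resolve_user_groups(ldap_groups, mapping, fallback_group, existing_groups):
    """Map the IdP's LDAP groups to Graphlytic user groups.

    `mapping`: Graphlytic group -> LDAP groups assigned to it in Groups management.
    With no match, the fallback group applies only if configured and existing.
    """
    matched = {gl for gl, ldap in mapping.items() if set(ldap) & set(ldap_groups)}
    if not matched and fallback_group and fallback_group in existing_groups:
        matched = {fallback_group}
    return sorted(matched)


def provision(user_exists, groups, user_count, licensed_users):
    """Login outcome for the two scenarios: 'login', 'created', 'no_group', 'license_limit'."""
    if not groups:
        return "no_group"        # no user group: not logged in, no user record created
    if user_exists:
        return "login"           # existing user: group mappings refreshed from the IdP
    if user_count >= licensed_users:
        return "license_limit"   # new user, but the licensed number of users is reached
    return "created"             # new user created with the mapped groups
```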


Default Configuration

The default configuration can be overridden in the graphlytic.conf file (the application needs to be restarted after any change to this file).

More information can be found on the Configuration page.