Required Permission: Settings management (Read more about permissions in User Groups)

Table of Contents

Graphlytic supports Single sign-on integration with external Identity Providers (IdP) using the SAML2 protocol.

1. How it works

When the SAML2 integration is enabled the Login page includes an SSO login option (the title of the button is configurable).

After clicking on the "External SSO" option the user is redirected to the login page of the Identity Provider.

After successful login on the Identity Provider side and redirect back to the Graphlytic application the user is logged into the application with these possible scenarios:

  1. The user already exists in Graphlytic: then the user is logged into the application and his user group mappings are updated according to the information received from IdP and mapping defined in the SAML2 integration configuration.

  2. The user is not yet created in Graphlytic: then the user is created (if the licensed amount of users was not reached yet) and his user group mappings are updated according to the information received from IdP and mapping defined in the SAML2 integration configuration. In order to correctly log in, a user has to be assigned to at least one User Group based on group (LDAP) mapping. If you want to make sure that the user can always log in, please fill out the "Fallback group", which will be assigned to users with no group during the identity provisioning process.

2. Configuration

2.1. Identity Provider connection configuration

To update SSO settings use the Single Sign-On panel on the Settings page.

UI field

Example value


Single Sign-On enabled

Switch for turning on/off the Single Sign-On functionality.

Login Label

Sign in with SSO

Title of the Login page button. If missing the Name of IdP will be used instead.

Verifying certificate



IdP certificate for IdP signing verification. This certificate is used to verify that the response is correct and that it was sent from the contacted IdP.

Decryption certificate



IdP certificate for decryption. Can be empty for no encryption of communication with the IdP. If defined, this certificate is used to decrypt messages from IdP.

IdP entity ID


The IdP entity identifier (Asserting Party Entity Id).

Graphlytic entity ID


The local application (Graphlytic) ID for IdP communication. Has to be created in the IdP configuration.

SSO Redirect URL

Login redirect URL. The user will be redirected to this location during the login workflow.

Assertion Consumer URL

Assertion URL where the successfully logged-in user is redirected back from the IdP. If not defined a default value is used (this value is sent in the IdP request and some IdPs are automatically reading and using this value).

Group claim


The claim name in the returned XML where the user group mappings are returned.

Fallback group



Name of a Graphlytic user group that will be used if no mapping was successful. If the Fallback group is not configured or the group doesn't exist in Graphlytic then such user (with no user groups) is not created in Graphlytic (to minimize license consumption).

2.2. User groups mapping

Mapping of LDAP groups stored in the Identity Provider to Graphlytic groups is done in the User Groups management. Every Graphlytic user group can have assigned multiple LDAP groups that will be used to map them to the Graphlytic groups during the user's login process.

2.3. Default Configuration

The default configuration can be overridden in the graphlytic.conf file (application needs to be restarted after any change in this conf file).

More information can be found on the Configuration page.

3. Example configuration of Azure Active Directory

Azure active directory can be used as an SSO provider with Graphlytic.

We assume the tenant, app registration, user, and group are successfully created using Microsoft manual.


Example Value


Verifying Certificate



Depending on your infrastructure, there could be a need to set the certificate needed to verify the SAML assertion.

See chapter "3.1. VERIFYING CERTIFICATE" for more information

IdP entity ID

Should be in the form of "{TENANT_ID}/"

In our example {TENANT_ID} is 87654321-4321-4321-4321-3d7hh723f7

Please do not forget the slash “/” and the end of the IdP entity ID string

See chapter "3.2. TENANT ID" for more information

Graphlytic entity ID


Should be in the form of "spn:{Application_ID}",

in our example {Application_ID} = 12345678-1234-1234-1234-971777321736

See chapter "3.3. APPLICATION ID" for more information

SSO Redirect URL

SAML-P sign-on endpoint

See chapter "3.4. SAML-P" for more information

Assertion Consumer URL

The url must end with /login/saml2/sso/{Name of IdP}

This value is set in Azure Active Directory → App Registration → Redirect URIs

See chapter "3.5. REDIRECT URLS" for more information


Verifying certificate is part of the “Federation metadata document” that can be downloaded using the link in the Endpoints panel (see picture below).

In the metadata XML file the certificate is located under: EntityDescriptor → Signature → KeyInfo → X509Data → X509Certificate

Please use the whole text beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----



3.4. SAML-P