Single Sign-on (SSO)

The settings on this page are used to set up Single Sign-on (SSO) on TigerGraph. This page does not appear on the Admin Portal for TigerGraph Cloud solutions because of the unified User Authentication system present in TigerGraph Cloud.


Service provider information

When you configure SSO on TigerGraph with a trusted identity provider, TigerGraph is the service provider.

Hostname

The URL at which you access GraphStudio.

X509 certificate and private key

In SAML 2.0, you have the option of signing the SAML requests made to the identity provider. To sign a request, TigerGraph uses the X509 certificate and private key provided here.

There are two ways of providing the X509 certificate and private key:

  • Upload files.

    • Click the file upload button next to the input box, and a drop-down menu for uploading files will appear. Click the upload file option to upload the desired file.

  • Generate a self-signed certificate.

    • Click the file upload button next to the input box, and a drop-down menu for uploading files will appear. Click the Self sign button, then fill in the information in the pop-up box that appears. Items marked with * are required.


Identity provider information

These fields provide information on your identity provider. You should be able to obtain the correct values for these fields from your identity provider.

  • Entity ID

  • SSO URL

  • X509 certificate

Security options

At the bottom of the SSO page is a list of security options you can configure for SSO:

  • Sign authentication requests before sending to Identity Provider

  • Require Identity Provider to sign responses

  • Require Identity Provider to sign assertions

  • Require Identity Provider to sign metadata

  • Signature algorithm

  • Authentication context

    • An attribute that defines how a user should log in.

    • Example value: urn:oasis:names:tc:SAML:2.0:ac:classes:Password

It is recommended that you enable as many of the options as possible for maximum security. However, some identity providers do not support enabling certain options at the same time. Refer to your identity provider’s documentation to determine which options to use: