We are happy to introduce native OpenID Connect-based Single Sign-On support in Grafbase Enterprise Platform for seamless authentication across your organization, without extra infrastructure or intermediate components. The Grafbase API and Dashboard now integrate directly with your identity provider, without the need for the additional Zitadel service we previously required.
With this change, Grafbase becomes the first 100% self-hostable (air-gapped) GraphQL Federation platform that integrates with your identity provider directly, without any intermediate services deployed alongside the platform.
This simplifies the setup process for the Enterprise Platform in your own infrastructure and minimizes the components involved in the authentication process for users logging in with the dashboard or the CLI. Security audits have one fewer component to evaluate, and you have one fewer stateful service to run. The authorization server is now your own IdP, without any intermediate service. We wrote step-by-step guides to set up GitLab and Okta, but any OpenID Connect-compliant identity provider can be used.
OpenID Connect (OIDC), with its Authorization Code Grant flow, has become a widely adopted and robust standard for user authentication. Enterprise organizations have standardized on OIDC-compliant identity providers like Google, Okta, Auth0, GitLab, and Microsoft Entra ID for their federated authentication and user directory needs. Integrating this standard directly in the Grafbase API and Dashboard means we can entirely delegate the authentication concern to existing infrastructure and minimize the components involved in the authentication process, which is a win for security and ease of deploying and managing the Enterprise Platform.
Direct integration also means easier integration with custom claims and scopes, which we intend to leverage for fine-grained authorization within the Enterprise Platform.
The Enterprise Platform can automatically add users it encounters for the first time to the right organizations, based on their OIDC groups. You can assign a Grafbase organization to a group in your IdP, and any user that is a member of that group will automatically become a member of the corresponding organization. We will extend this to individual teams inside an organization as we work on fine-grained authorization in the coming weeks and months.
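To make the group-to-organization mapping above concrete, here is a small added example (not Grafbase's code) of the relying-party side: it checks the standard ID-token claims a platform should verify before trusting anything in the token, then derives organization memberships from a `groups` claim. The claim name `groups`, the `GROUP_TO_ORG` table, the issuer, audience and sample claims are all constructed assumptions; signature verification against the IdP's JWKS is assumed to have already happened in a JOSE library.

```python
"""Map verified OIDC ID-token claims to organization memberships.

Added example, not Grafbase's code. Assumes the IdP emits a `groups`
claim (a list of strings) and that an operator configures a mapping from
IdP group names to organization slugs.
"""
import time
from typing import Optional

# Constructed configuration: which IdP group grants membership in which org.
GROUP_TO_ORG = {
    "platform-engineering": "acme-platform",
    "data-team": "acme-data",
}

EXPECTED_ISSUER = "https://idp.example.com"  # constructed issuer URL
EXPECTED_AUDIENCE = "grafbase-enterprise"    # constructed OIDC client_id

# Constructed ID-token payload, as it would look after signature verification.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com",
    "aud": "grafbase-enterprise",
    "sub": "user-123",
    "exp": 1_700_003_600,
    "nonce": "n-1",
    "groups": ["platform-engineering", "data-team", "unrelated-group"],
}


def validate_claims(claims: dict, expected_nonce: str, now: Optional[float] = None) -> None:
    """Reject an ID token whose standard claims do not match this relying party.

    Checks iss, aud, exp, nonce and sub; the signature must already be verified.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in auds:
        raise ValueError("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or missing exp")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing subject")


def organizations_for(claims: dict) -> list:
    """Return the sorted org slugs the user belongs to, based on `groups`.

    Groups without a configured mapping are ignored rather than treated as
    an error, so an unexpected group never grants access.
    """
    groups = claims.get("groups", [])
    if not isinstance(groups, list):
        raise ValueError("groups claim must be a list")
    return sorted({GROUP_TO_ORG[g] for g in groups if g in GROUP_TO_ORG})


def provision(claims: dict, expected_nonce: str, now: Optional[float] = None) -> dict:
    """Validate the token, then compute the memberships to provision."""
    validate_claims(claims, expected_nonce, now)
    return {"sub": claims["sub"], "organizations": organizations_for(claims)}


if __name__ == "__main__":
    print(provision(SAMPLE_CLAIMS, "n-1", now=1_700_000_000))
```

The `now` parameter exists so the expiry check is deterministic in tests; in production leave it unset. Keeping the group table explicit (rather than trusting any group name the IdP sends) is what makes an unmapped or newly created IdP group harmless until an operator deliberately assigns it an organization.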
For more details, see our GitLab and Okta guides.
If you want to try this yourself, you can check out the corresponding docs page. If you are interested in a guide on integrating a different identity provider, or if you have thoughts to share on authentication and authorization, please reach out!