From 197041a1caa484e04b9328322657b4740a3d224a Mon Sep 17 00:00:00 2001 From: KoryKessel-Mirantis Date: Fri, 30 Aug 2024 00:04:59 +0200 Subject: [PATCH 1/2] Add ssoMetadataURL use example to SAML topic. --- .../authentication/SAML-providers/SAML.md | 43 ++++++++++++++++--- 1 file changed, 37 insertions(+), 6 deletions(-) diff --git a/content/docs/operations/authentication/SAML-providers/SAML.md b/content/docs/operations/authentication/SAML-providers/SAML.md index 1a9f76a5..0722bfc9 100644 --- a/content/docs/operations/authentication/SAML-providers/SAML.md +++ b/content/docs/operations/authentication/SAML-providers/SAML.md @@ -4,11 +4,10 @@ weight: 3 --- You can configure SAML (Security Assertion Markup Language) for MKE 4 through -the `authentication` section of the MKE configuration file. -To enable the service, set `enabled` to `true`. -The remaining fields in the `authentication.saml` section are used to configure -the SAML provider. -For information on how to obtain the field values, refer to your chosen provider: +the `authentication` section of the MKE configuration file. To enable the +service, set `enabled` to `true`. The remaining fields in the +`authentication.saml` section are used to configure the SAML provider. For +information on how to obtain the field values, refer to your chosen provider: - [Okta](SAML-OKTA-configuration) @@ -36,7 +35,7 @@ The MKE configuration file `authentication.smal` fields are detailed below: | `groupsDelim` | Optional. If groups are assumed to be represented as a single attribute, this delimiter splits the attribute value into multiple groups. | | `nameIDPolicyFormat` | Requested name ID format. | -An example configuration for SAML: +### Example SAML configuration: ```yaml authentication: @@ -49,6 +48,38 @@ authentication: emailAttr: email ``` +### Example `ssoMetadataURL` use: + +You can retrieve information for all of the SAML configurations in your MKE +cluster by accessing the URL configured to `ssoMetadataURL` in the MKE +configruation file. + +Example `ssoMetadataURL` URL: + +```bash +https://dev-64105006.okta.com/app/exk75pi5do2MzU1t95r7/sso/saml/metadata +``` + +Example output: + +```bash + + + + + +MIIDqDCCApCgAwIBAgIGAYRZVRraMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTeWMBQGA1UEBwwNU2FuIEZyYW5jaXNjszENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGRldi02NDEwNTAwNjEcMBoGCSqGSIb3DQEJ ARYNaW5mb0Bva3RhLmNvbTAeFw0yMjExMDgyMjIwMDBaFw0zMjExMDgyMjIxMDBaMIGUMQswCQYD VQQGEwJVUzETMBEGA1UECAwKQ2FsaWevcmcpYTEqMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG A1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGRldi02NDEwNTAwNjEc MBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCdSIwDQYJKoZIhvcNAcEBBQADggEPADCCAQoC ggEBAMBMAL7j8+FckMRBx9nIllViMRF8Ah/Gfxnjm4r3LqSdAkMnG4lch7jPNxwy43oOzeO55Ee2 oOqO5RyY0LxhNhGgITzMU1l/I7j6Z/T845aaoadkFe6AHr4sA1PWquw7fPRIgVhDJUbBvtPwf8SI +ncMSkoulQ+FitheN8n+o/7obEfKQxvSbdTudDZgPtPAY2G9VMjhYVnwked9u8ZrAj3IckS6UWlB WV/BG/XDn2wawuQco2/sR3qhUi6cvIpXtSkArW4LCqp2PZH/ItgaTSR+UjfiIaQQBUvUq2E2JGO6 SiuGWjNHGo6+S0cT2rgkTKSqLzjME9BeSw9J45HtmY0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA LoOtDbvh9vQdCpjZ4enLdBBls2cIr7/YRl43Sv0MGcckQYwOk9OZg9uuMsUJTp6fkbjy1kBfbj7R ZSqNTtQGMs8V30kxCfpxFOBUOm6f/pKJvGqkDjOXMLaWMuwM+j//LYw8N9EIEnH8aN4e7sitHL3L ORpQ8I+M9lRUATgzUaz59dLNHHO9sg5ikDE2kL84U9nQAMDXc+vsUordGRUotVlvIuXT8Hv63OSS akpuYR4Jx9l9XV4nOufhmAZh2dKJKd7c+wlQuJNL+xBEax2F6qQfCjzLEnWEx5wt3vT0EtCGLBOU ZIBHiRNuPYueZ9PdRkpWJpscyjZsfbgzhMCbRg== + + + +urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified +urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + + + + +``` + ## Test authentication flow {{< callout type="info" >}} From b4c11fbe7b3283feaec3ddaf886c0a77529373bb Mon Sep 17 00:00:00 2001 From: KoryKessel-Mirantis Date: Fri, 30 Aug 2024 00:57:44 +0200 Subject: [PATCH 2/2] Edits in response to comments from NNeisen. --- .../authentication/SAML-providers/SAML.md | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/content/docs/operations/authentication/SAML-providers/SAML.md b/content/docs/operations/authentication/SAML-providers/SAML.md index 0722bfc9..fe15fa53 100644 --- a/content/docs/operations/authentication/SAML-providers/SAML.md +++ b/content/docs/operations/authentication/SAML-providers/SAML.md @@ -9,7 +9,7 @@ service, set `enabled` to `true`. The remaining fields in the `authentication.saml` section are used to configure the SAML provider. For information on how to obtain the field values, refer to your chosen provider: -- [Okta](SAML-OKTA-configuration) +- [Okta](../SAML-providers/SAML-OKTA-configuration) For more information, refer to the official DEX documentation [Authentication through SAML 2.0](https://dexidp.io/docs/connectors/saml/). @@ -21,7 +21,7 @@ The MKE configuration file `authentication.smal` fields are detailed below: | Field | Description | |-----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `enabled` | Enable authentication through dex. | -| `ssoMetadataURL` | Metadata URL provided by some IdPs, with which MKE can retrieve information for all other SAML configurations. | +| `ssoMetadataURL` | Metadata URL provided by some IdPs, with which MKE can retrieve information for all other SAML configurations.

When a URL is provided for `ssoMetadataURL`, the other SAML fields are not required. | | `ca` | Certificate Authority (CA) alternative to `caData` to use when validating the signature of the SAML response. Must be manually mounted in a local accessible by dex. | | `caData` | CA alternative to `ca`, which you can use to place the certificate data directly into the config file. | | `ssoURL` | URL to provide to users to sign into MKE 4 with SAML. Provided by the IdP. | @@ -48,21 +48,15 @@ authentication: emailAttr: email ``` -### Example `ssoMetadataURL` use: +## Use `ssoMetadataURL` ## You can retrieve information for all of the SAML configurations in your MKE cluster by accessing the URL configured to `ssoMetadataURL` in the MKE configruation file. -Example `ssoMetadataURL` URL: +Example of information provided when you access the `ssoMetadataURL` URL: -```bash -https://dev-64105006.okta.com/app/exk75pi5do2MzU1t95r7/sso/saml/metadata -``` - -Example output: - -```bash +```shell