Add ssoMetadataURL use example to SAML topic. #79

Closed
41 changes: 33 additions & 8 deletions content/docs/operations/authentication/SAML-providers/SAML.md
Expand Up @@ -4,13 +4,12 @@ weight: 3
---

You can configure SAML (Security Assertion Markup Language) for MKE 4 through
the `authentication` section of the MKE configuration file.
To enable the service, set `enabled` to `true`.
The remaining fields in the `authentication.saml` section are used to configure
the SAML provider.
For information on how to obtain the field values, refer to your chosen provider:
the `authentication` section of the MKE configuration file. To enable the
service, set `enabled` to `true`. The remaining fields in the
`authentication.saml` section are used to configure the SAML provider. For
information on how to obtain the field values, refer to your chosen provider:

- [Okta](SAML-OKTA-configuration)
- [Okta](../SAML-providers/SAML-OKTA-configuration)

For more information, refer to the official DEX documentation
[Authentication through SAML 2.0](https://dexidp.io/docs/connectors/saml/).
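Review bot: the change on the `- [Okta](...)` line from `SAML-OKTA-configuration` to `../SAML-providers/SAML-OKTA-configuration` has no explanation in the PR. If the reason is that Hugo resolves the bare relative link against the rendered page URL rather than against the source file's directory, a short note in the commit message would save the next reader from reverting it; either way, please check the rendered link from both the section index and the page itself. While this hunk reflows the paragraph, the unchanged context line `the official DEX documentation` could become `Dex`, which is how the project writes its own name.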
Expand All @@ -22,7 +21,7 @@ The MKE configuration file `authentication.smal` fields are detailed below:
| Field | Description |
|-----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `enabled` | Enable authentication through dex. |
| `ssoMetadataURL` | Metadata URL provided by some IdPs, with which MKE can retrieve information for all other SAML configurations. |
| `ssoMetadataURL` | Metadata URL provided by some IdPs, with which MKE can retrieve information for all other SAML configurations.<br><br>When a URL is provided for `ssoMetadataURL`, the other SAML fields are not required. |
| `ca` | Certificate Authority (CA) alternative to `caData` to use when validating the signature of the SAML response. Must be manually mounted in a local accessible by dex. |
| `caData` | CA alternative to `ca`, which you can use to place the certificate data directly into the config file. |
| `ssoURL` | URL to provide to users to sign into MKE 4 with SAML. Provided by the IdP. |
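Review bot: the added sentence `When a URL is provided for `ssoMetadataURL`, the other SAML fields are not required.` promises more than IdP metadata can deliver. Metadata carries the IdP entity ID, signing certificate, NameID formats and SSO endpoints (exactly what the sample metadata added later in this PR contains), so it can stand in for `ca`/`caData`, `ssoURL` and `nameIDPolicyFormat`, but it cannot supply `enabled` or the attribute-mapping fields such as `emailAttr` and `groupsDelim`. Suggest naming the fields the metadata replaces instead of saying "the other SAML fields". Two smaller points in the same hunk: `<br><br>` inside the table cell is raw HTML, which Hugo's default Goldmark renderer strips unless unsafe rendering is enabled, so verify the rendered table or move the remark out of the cell; and the context line in the hunk header still reads `authentication.smal`, which should be `authentication.saml`.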
Expand All @@ -36,7 +35,7 @@ The MKE configuration file `authentication.smal` fields are detailed below:
| `groupsDelim` | Optional. If groups are assumed to be represented as a single attribute, this delimiter splits the attribute value into multiple groups. |
| `nameIDPolicyFormat` | Requested name ID format. |

An example configuration for SAML:
### Example SAML configuration:

```yaml
authentication:
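Review bot: the new heading `### Example SAML configuration:` ends with a colon, which no other heading in this file does; drop it (`### Example SAML configuration`). Also check the heading level: the sections this PR adds further down (`## Use ...`, `## Test authentication flow`) are `##`, so a `###` here reads as a subsection of the field table rather than a sibling.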
Expand All @@ -49,6 +48,32 @@ authentication:
emailAttr: email
```

## Use `ssoMetadataURL` ##

You can retrieve information for all of the SAML configurations in your MKE
cluster by accessing the URL configured to `ssoMetadataURL` in the MKE
configruation file.

Example of information provided when you access the `ssoMetadataURL` URL:

```shell
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exk75pi5do2MzU1t95r7">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDqDCCApCgAwIBAgIGAYRZVRraMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTeWMBQGA1UEBwwNU2FuIEZyYW5jaXNjszENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGRldi02NDEwNTAwNjEcMBoGCSqGSIb3DQEJ ARYNaW5mb0Bva3RhLmNvbTAeFw0yMjExMDgyMjIwMDBaFw0zMjExMDgyMjIxMDBaMIGUMQswCQYD VQQGEwJVUzETMBEGA1UECAwKQ2FsaWevcmcpYTEqMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG A1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGRldi02NDEwNTAwNjEc MBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCdSIwDQYJKoZIhvcNAcEBBQADggEPADCCAQoC ggEBAMBMAL7j8+FckMRBx9nIllViMRF8Ah/Gfxnjm4r3LqSdAkMnG4lch7jPNxwy43oOzeO55Ee2 oOqO5RyY0LxhNhGgITzMU1l/I7j6Z/T845aaoadkFe6AHr4sA1PWquw7fPRIgVhDJUbBvtPwf8SI +ncMSkoulQ+FitheN8n+o/7obEfKQxvSbdTudDZgPtPAY2G9VMjhYVnwked9u8ZrAj3IckS6UWlB WV/BG/XDn2wawuQco2/sR3qhUi6cvIpXtSkArW4LCqp2PZH/ItgaTSR+UjfiIaQQBUvUq2E2JGO6 SiuGWjNHGo6+S0cT2rgkTKSqLzjME9BeSw9J45HtmY0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA LoOtDbvh9vQdCpjZ4enLdBBls2cIr7/YRl43Sv0MGcckQYwOk9OZg9uuMsUJTp6fkbjy1kBfbj7R ZSqNTtQGMs8V30kxCfpxFOBUOm6f/pKJvGqkDjOXMLaWMuwM+j//LYw8N9EIEnH8aN4e7sitHL3L ORpQ8I+M9lRUATgzUaz59dLNHHO9sg5ikDE2kL84U9nQAMDXc+vsUordGRUotVlvIuXT8Hv63OSS akpuYR4Jx9l9XV4nOufhmAZh2dKJKd7c+wlQuJNL+xBEax2F6qQfCjzLEnWEx5wt3vT0EtCGLBOU ZIBHiRNuPYueZ9PdRkpWJpscyjZsfbgzhMCbRg==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev-64105006.okta.com/app/dev-63105106_mke_2/exk75pi5do2MzU1t95r7/sso/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dev-63105106.okta.com/app/dev-63105106_mke_2/exk75pi5do2MzU1t95r7/sso/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
```

## Test authentication flow

{{< callout type="info" >}}
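Review bot: the sentence `You can retrieve information for all of the SAML configurations in your MKE cluster by accessing the URL configured to ssoMetadataURL` has the direction backwards. The document served at that URL is published by the IdP (Okta in the sample) and describes the IdP: its entity ID, signing certificate, supported NameID formats and single sign-on endpoints. It is what MKE fetches to fill in the remaining SAML fields, not a description of the cluster's configuration. Suggested wording: `The document served at `ssoMetadataURL` is the IdP's SAML metadata. MKE uses it to obtain the IdP signing certificate, supported name ID formats and single sign-on endpoints, which is why the other SAML fields can be left unset.` Further points in the same hunk: `configruation` is a typo for `configuration`; the fence is tagged `shell` but contains XML, so tag it `xml`; the heading `## Use `ssoMetadataURL` ##` uses closing hashes unlike the other headings in the file; and the sample embeds what looks like a real Okta tenant (a specific `entityID`, a complete X.509 certificate, and two hostnames that do not even agree with each other, `dev-64105006` versus `dev-63105106`), so replace it with obvious placeholders such as `https://<your-okta-domain>/app/<app-id>/sso/saml` and a truncated certificate body. Because the signing certificate that validates SAML responses comes from this document, the text could also state that the URL should be an HTTPS URL on the IdP's own domain.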