Configure SSO Authentication with SAML

From Customers:

Set up your SAML identity provider (IdP) by following the steps in the link below for your IdP. For example, for Google-based SAML login, follow the steps in:

Set up your own custom SAML application for Google SAML | BoxyHQ

Enter the following values in the Service provider details section:

ACS URL - https://<your kloudfuse domain name>/api/oauth/saml
Entity ID - https://<your kloudfuse domain name>/samlresponse

Generate the metadata (XML file) and save it. Provide it to Kloudfuse; it is required to configure the Kloudfuse connection with your SAML provider. The metadata contains your IdP's signing certificate, so hand it over through a channel you trust (or give Kloudfuse the IdP's https metadata URL) rather than pasting it into an untrusted tool.

SAML Setup in Kloudfuse:

A. Metadata-Secret Setup

  1. Rename the metadata (XML) file obtained from the customer to "kfuse.xml" exactly. The file name matters: kubectl uses it as the key inside the secret, and that key is what Kloudfuse reads.

OR

  1. If the customer provided a URL to the metadata file instead, fetch it with curl and save the output under the name "kfuse.xml" exactly. Run this in the customer's terminal (the machine that has kubectl access to their cluster). The -f flag makes curl fail on an HTTP error instead of silently saving the error page as kfuse.xml:

    curl -fsSL {metadata xml file url} -o kfuse.xml
  2. In the customer's cluster and the appropriate namespace, create the secret:

    kubectl create secret generic kfuse-xml --from-file=kfuse.xml

If the kfuse-xml secret already exists and you are re-creating it, follow the steps in the troubleshooting section below.
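The following script is an added example of the section A procedure, not Kloudfuse's own tooling. It keeps the page's secret name (kfuse-xml) and key name (kfuse.xml), refuses to fetch metadata over plain http, sanity-checks that the downloaded file is really SAML IdP metadata before it is stored, and creates or updates the secret with a dry-run-plus-apply so a pre-existing secret does not require a manual delete. The sample metadata, the idp.example.com host and the placeholder certificate are all constructed for this example.

```shell
#!/bin/sh
# Added example (not Kloudfuse's own tooling). Helpers for section A:
# fetch the IdP metadata safely, sanity-check it, and create or replace
# the kfuse-xml secret. Secret and key names follow the page; the sample
# metadata, host names and certificate value are constructed placeholders.

# Constructed sample IdP metadata, written to the path given as $1.
write_sample_metadata() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-CONSTRUCTED-FOR-THIS-EXAMPLE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Return 0 if the file looks like SAML 2.0 IdP metadata: an EntityDescriptor
# with an IDPSSODescriptor, a signing certificate and an SSO endpoint.
# This catches the common mistake of saving an HTML error or login page as
# kfuse.xml, which would otherwise only surface later as an opaque auth error.
validate_saml_metadata() {
  f="$1"
  [ -s "$f" ] || { echo "metadata file '$f' is missing or empty" >&2; return 1; }
  for needle in EntityDescriptor IDPSSODescriptor X509Certificate SingleSignOnService; do
    grep -q "$needle" "$f" || { echo "'$f' is not IdP metadata: no $needle" >&2; return 1; }
  done
  return 0
}

# Download metadata from an IdP URL into $2 (default kfuse.xml).
# Only https is accepted: the metadata carries the IdP signing certificate,
# so an on-path attacker on a plain-http fetch could swap in a key that then
# signs forged assertions. -f makes curl fail on HTTP errors instead of
# saving the error page; -L follows the redirects some IdPs use for metadata.
fetch_saml_metadata() {
  url="$1"; out="${2:-kfuse.xml}"
  case "$url" in
    https://*) ;;
    *) echo "refusing to fetch IdP metadata over non-https URL: $url" >&2; return 1 ;;
  esac
  curl -fsSL "$url" -o "$out" || { echo "download of $url failed" >&2; return 1; }
  validate_saml_metadata "$out"
}

# Create the kfuse-xml secret in namespace $1 from metadata file $2, or update
# it in place if it already exists. The key inside the secret is pinned to
# "kfuse.xml" explicitly, so the local file name does not have to match.
create_saml_secret() {
  ns="$1"; f="${2:-kfuse.xml}"
  validate_saml_metadata "$f" || return 1
  kubectl -n "$ns" create secret generic kfuse-xml --from-file=kfuse.xml="$f" \
    --dry-run=client -o yaml | kubectl -n "$ns" apply -f -
}

# Stand-alone demo on the constructed sample (no network or cluster needed).
demo=$(mktemp)
write_sample_metadata "$demo"
validate_saml_metadata "$demo" && echo "sample metadata looks valid"
rm -f "$demo"
```

Typical use on a real engagement is `fetch_saml_metadata https://idp.example.com/saml/metadata` followed by `create_saml_secret <namespace>`. Updating the secret in place replaces the stored XML, but components that already consumed the old metadata still need to pick up the new one, so the troubleshooting steps this page gives for a re-created secret still apply.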

B. In the environment values.yaml file -

  1. Set the kfuse-saml flag to true in the "global" section of the environment file.

  2. Set the dnsName tag to the customer's Kloudfuse domain name. It must be the same host that appears in the ACS URL and Entity ID registered at the IdP.

  3. Set the flag saml-provider-name to the customer's SAML provider name in the kfuse-auth config.

  4. Set the flag existingSecret: "kfuse-auth-saml" in the config section of oauth2-proxy within the kfuse-auth section.

  5. For example, for Okta as the SAML provider -

Then perform the general upgrade using the environment file.
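The fragment below is an added illustration of steps B.1 to B.4 as a values.yaml overlay; it is not taken from this page or from Kloudfuse's chart. The key names are the ones the steps name, but the nesting (which section each key sits under) is inferred from the wording of the steps and has to be checked against the environment file being edited. The host name kfuse.example.com and the provider name okta are placeholders.

```yaml
# Added example overlay for the environment values.yaml (layout inferred
# from the steps above; verify against the real environment file).
global:
  # Step 1: enable the SAML login path
  kfuse-saml: true
  # Step 2: the customer's Kloudfuse host (placeholder). It must match the
  # host in the ACS URL and Entity ID given to the IdP; a mismatch shows up
  # as SAML responses being rejected on either side.
  dnsName: kfuse.example.com

kfuse-auth:
  config:
    # Step 3: the customer's SAML provider name (placeholder)
    saml-provider-name: okta
  oauth2-proxy:
    config:
      # Step 4: oauth2-proxy reads its settings from this pre-existing secret
      existingSecret: "kfuse-auth-saml"
```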

Troubleshooting steps

  1. Exec into the kfuse-configdb shell using the command -

  2. psql into postgres using the command -

  3. It will ask for the postgres password. Provide it.

  4. Check whether the samldb database exists using the command -

  5. Delete and re-create the table samldb.