Skip to content

SAML

SAML Overview

  • SAML (Security Assertion Markup Language) is an open standard source that allows to pass authentication and authorization credentials within SAML providers.
  • SAML has two types of providers
    1. Service Provider
    2. Identity Provider
  • In Spinnaker, we explore the methods to setup Identity provider. During the authentication process, a cryptographically signed XML will be sent to the API gateway (Gate) with user identity information to confirm authentication and authorization.

Identity Provider Setup

  • Download the metadata.xml file from SAML Identity Provider (IdP). Content in the metadata, looks something similar to the content available in the below attached text file SAML-IdP-metadata.txt
  • Create a Spinnaker SAML Application.
  • Specify the login URL as https://localhost:8084/saml/SSO. Replace “localhost” with Gate’s address, if available.
  • Provide a unique entity ID.
  • Enable all the users who will be accessing the Spinnaker Instance.
  • Execute the below command, to generate a keystore and key in a new Java Keystore with password

        keytool -genkey -v -keystore saml.jks -alias saml -keyalg RSA -keysize 2048 -
        validity 10000
    

  • To re-deploy halyard, execute the following command

    $KEYSTORE_PATH= # /path/to/keystore.jks
    $KEYSTORE_PASSWORD=hunter2
    $METADATA_PATH= # /path/to/metadata.xml
    $SERVICE_ADDR_URL=https://localhost:8084
    $ISSUER_ID=spinnaker.test
    hal config security authn saml edit \
    --keystore $KEYSTORE_PATH
    --keystore-alias saml
    
    --keystore-password $KEYSTORE_PASSWORD
    --metadata $METADATA_PATH
    --issuer-id $ISSUER_ID \
    --service-address-url $SERVICE_ADDR_URL
    hal config security authn saml enable
    

Note

Append /gate to the ‘service-address-url’ while trying to access quickstart images.

Next Steps

  • Now that the SAML setup for Spinnaker authentication is completed, proceed further to setup authorization.

Comments