# SAML

## SAML Authorization for Spinnaker <a href="#saml-authorization-for-spinnaker" id="saml-authorization-for-spinnaker"></a>

### SAML Auth Overview <a href="#saml-auth-overview" id="saml-auth-overview"></a>

* The SAML use case is a special one: it is the only one where a user’s roles cannot be dynamically updated. This is because the user’s roles are sent in the initial authentication handshake between Gate and the SAML Identity Provider (IdP).

### Setup IdP on Spinnaker <a href="#setup-idp-on-spinnaker" id="setup-idp-on-spinnaker"></a>

* To enable SAML roles, configure the IdP to include group membership in the assertion (not covered here; some providers may not offer this option). By default, Gate looks for the 'memberOf' attribute statement, but this can be reconfigured in Gate’s settings.
* When Fiat is enabled, SAML groups are automatically pushed to Fiat upon user login and cannot be updated until the user has to reauthenticate.
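
To check that the IdP really sends group membership under the attribute name Gate is configured to read, inspect a decoded assertion for that attribute. The following is an added example, not Spinnaker's code: the sample assertion, the group names and the helper names `group_claims` and `report` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real IdP).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>spinnaker-admins</saml:AttributeValue>
      <saml:AttributeValue>app-team-a</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def group_claims(assertion_xml, attribute_name="memberOf"):
    """Return (groups, attribute_names_seen) for a decoded SAML assertion.

    Diagnostic only: no signature or condition checks are performed here.
    """
    root = ET.fromstring(assertion_xml)
    groups, seen = [], []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        seen.append(name)
        if name == attribute_name:
            for value in attr.iterfind("saml:AttributeValue", SAML_NS):
                text = (value.text or "").strip()
                if text:
                    groups.append(text)
    return groups, seen


def report(assertion_xml, attribute_name="memberOf"):
    """Summarise whether the expected group attribute is present."""
    groups, seen = group_claims(assertion_xml, attribute_name)
    if not groups:
        # Listing the names that are present helps spot a renamed attribute.
        return f"no '{attribute_name}' values; attributes present: {seen}"
    return f"{len(groups)} group(s) under '{attribute_name}': {groups}"


if __name__ == "__main__":
    print(report(SAMPLE_ASSERTION))
    print(report(SAMPLE_ASSERTION, attribute_name="groups"))
```

An empty result means the user would log in with no SAML roles, and because roles are fixed at login, a corrected IdP mapping only takes effect at the next authentication.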

### SAML Auth Configuration <a href="#saml-auth-configuration" id="saml-auth-configuration"></a>

* The advantage of using SAML roles is that the user roles are pushed to Fiat automatically. Hence, no further configuration changes are required.
