# SAML 2 Configuration

Follow the instructions below to enable the SAML2 configuration.

1. To enable the SAML2 configuration, add the config below to the values file:

    a. Set `global.installOpenLdap` and the `global.ldap` section to false.

    b. Set `global.auth.saml` to false.

    c. Set `gate.config.saml` to true.

    d. Copy the block below into values.yaml.

```
spring:
  security:
    saml2:
      enabled: true
      registration-id: SSO
      relyingparty:
        registration:
          SSO:
            entity-id: ${entityId}
            acs:
              location: https://${locationurl}/saml/SSO
            assertingparty:
              metadata-uri: https://${metadatauri}/sso/saml/metadata
            decryption:
              credentials:
                - private-key-location: file:/opt/saml/certs/key.pem
                  certificate-location: file:/opt/saml/certs/cert.pem
              singlesignon.sign-request: true
      user-attribute-mapping:
        email: email
        firstName: firstName
        lastName: lastName
        roles:
          attributeName: memberOf
          sortRoles: true
          forceLowercaseRoles: true
          rolesDelimiter: ","
      signatureDigest: SHA256
      userSource: gate
```

    e. Update the Okta groups under the **global.saporgate** config (specify the groups you want to see in ISD).

{% code overflow="wrap" %}

```
saporgate:
  config:
    username: admin # admin user of SAML
    adminGroups: admin # groups defined here have superAdmin privileges in Autopilot
```

{% endcode %}

2. Create a certificate and key pair using the command below:

```
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem
```

Create a secret that stores key.pem and cert.pem by executing the command below:

```
kubectl create secret generic samlcerts --from-file key.pem --from-file cert.pem -n namespace
```

3. Add the following to the Gate deployment's volumes and volumeMounts.

```
volumes:
- name: samlcerts
  secret:
    defaultMode: 420
    items:
    - key: key.pem
      path: key.pem
    - key: cert.pem
      path: cert.pem
    secretName: samlcerts
```

```
volumeMounts:
- mountPath: /opt/saml/certs
  name: samlcerts
  readOnly: true
```

4. Remove the following from the Gate deployment's volumes and volumeMounts.

```
volumeMounts:
- mountPath: /opt/spinnaker/saml/oessaml.jks
  name: saml-jks
  subPath: oessaml.jks
- mountPath: /opt/spinnaker/saml/oesmetadata.xml
  name: metadata-xml
  subPath: oesmetadata.xml
```

```
volumes:
- name: saml-jks
  secret:
    defaultMode: 420
    secretName: oessamljks
- name: metadata-xml
  secret:
    defaultMode: 420
    secretName: oesmetadataxml
```
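As an added example (not part of this page or of ISD's own tooling), a small Python check that the blocks above line up: each `file:` credential location in the Spring registration must resolve, through a read-only volumeMount, to an item of the `samlcerts` secret, and the legacy `saml-jks`/`metadata-xml` volumes must be gone. The dictionaries are constructed inline to mirror the blocks on this page; in practice they would be loaded from values.yaml and the rendered Gate Deployment.

```python
import posixpath

# Constructed inline to mirror this page's blocks: decryption credentials, Gate volumes, Gate mounts.
REGISTRATION = {"decryption": {"credentials": [
    {"private-key-location": "file:/opt/saml/certs/key.pem",
     "certificate-location": "file:/opt/saml/certs/cert.pem"}]}}
VOLUMES = [{"name": "samlcerts", "secret": {"defaultMode": 420, "secretName": "samlcerts",
            "items": [{"key": "key.pem", "path": "key.pem"},
                      {"key": "cert.pem", "path": "cert.pem"}]}}]
VOLUME_MOUNTS = [{"mountPath": "/opt/saml/certs", "name": "samlcerts", "readOnly": True}]
LEGACY_VOLUMES = {"saml-jks", "metadata-xml"}  # step 4 removes these


def resolve_file_location(location, volumes, mounts):
    """Map a Spring 'file:/...' location to (secretName, secret key) through the
    volumeMounts, or return None when nothing mounted backs that path."""
    if not location.startswith("file:"):
        return None
    path = location[len("file:"):]
    by_name = {v["name"]: v for v in volumes}
    for m in sorted(mounts, key=lambda m: -len(m["mountPath"])):  # longest prefix wins
        mp = m["mountPath"].rstrip("/")
        if path != mp and not path.startswith(mp + "/"):
            continue
        # a subPath mount exposes a single file at mountPath itself
        rel = m.get("subPath") or posixpath.relpath(path, mp)
        secret = by_name.get(m["name"], {}).get("secret")
        if not secret:
            return None
        items = secret.get("items")
        if items is None:  # no items list: every key is projected under its own name
            return (secret["secretName"], rel)
        return next(((secret["secretName"], i["key"]) for i in items if i["path"] == rel), None)
    return None


def check_saml_wiring(registration, volumes, mounts):
    """Return the list of wiring problems; an empty list means the blocks line up."""
    problems = []
    for cred in registration["decryption"]["credentials"]:
        for prop in ("private-key-location", "certificate-location"):
            if resolve_file_location(cred[prop], volumes, mounts) is None:
                problems.append(f"{prop}={cred[prop]} is not backed by a mounted secret item")
    secret_vols = {v["name"] for v in volumes if "secret" in v}
    for m in mounts:
        if m["name"] in secret_vols and not m.get("readOnly"):
            problems.append(f"secret mount {m['mountPath']} should be readOnly")
    for v in volumes:
        if v["name"] in LEGACY_VOLUMES:
            problems.append(f"legacy volume {v['name']} is still present (see step 4)")
    return problems
```

Run `check_saml_wiring(REGISTRATION, VOLUMES, VOLUME_MOUNTS)` after editing the deployment; a mismatched `mountPath` or a leftover legacy volume shows up as a listed problem instead of a Gate start-up failure.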

SAML2 is now configured.
