SAML 2 Configuration

Follow the below instructions to enable SAML2 configuration.

To enable SAML2 Configuration, add the below config in the values file

a. Please make the global.installOpenLdap and global.ldap section to false.

b. Update global.auth.saml to false.

c. Update gate.config.saml to true.

d. Copy the below block of code to values.yaml.

spring:
 security:
  saml2:
    enabled: true
    registration-id: SSO
    relyingparty:
      registration:
        SSO:
          entity-id: ${entityId}
          acs:
           location: https://${locationurl}/saml/SSO
          assertingparty:
            metadata-uri: https://${metadatauri}/sso/saml/metadata
          decryption:
            credentials:
              - private-key-location: file:/opt/saml/certs/key.pem
                certificate-location: file:/opt/saml/certs/cert.pem
            singlesignon.sign-request: true
    user-attribute-mapping:
      email: email
      firstName: firstName
      lastName: lastName
      roles:
        attributeName: memberOf
        sortRoles: true
        forceLowercaseRoles: true
        rolesDelimiter: ","
    signatureDigest: SHA256
    userSource: gate

e. Update okta groups under global.saporgate config ( Specify the groups you want to see in isd)

saporgate:
  config:
    username: admin # Admin user of saml
    adminGroups: admin ## (groups defined here will have superAdmin privileges in Autopilot)

Create cert+key pair using the command given below:

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out
cert.pem

Create a secret to store the key.pem and cert.pem by executing the command below:

kubectl create secret generic samlcerts --from-file key.pem --from-file
cert.pem -n namespace

Add the below code to gate deployment volumes and volume mounts.

volumes:
- name: samlcerts
  secret:
    defaultMode: 420
    items:
    - key: key.pem
      path: key.pem
    - key: cert.pem
      path: cert.pem
    secretName: samlcerts

volumeMounts:
- mountPath: /opt/saml/certs
  name: samlcerts
  readOnly: true

Remove the below code from gate deployment volumes and volume mounts.

volumeMounts:
- mountPath: /opt/spinnaker/saml/oessaml.jks
  name: saml-jks
  subPath: oessaml.jks
- mountPath: /opt/spinnaker/saml/oesmetadata.xml
  name: metadata-xml
  subPath: oesmetadata.xml

volumes:
- name: saml-jks
  secret:
    defaultMode: 420
    secretName: oessamljks
- name: metadata-xml
  secret:
    defaultMode: 420
    secretName: oesmetadataxml

The SAML2 is configured successfully.

PreviousSteps to Generate Token for Agent/Controller v5.x NextController and Agent Changes for 4.1.7

Last updated 1 year ago