SAML Authorization for Spinnaker
SAML Auth Overview
- The SAML use case is a special one: it is the only one where a user's roles cannot be dynamically updated. This is because the user's roles are sent in the initial authentication handshake between Gate and the SAML Identity Provider (IdP).
Setup IdP on Spinnaker
- To enable SAML roles, configure the IdP to include group membership in the assertion (not covered; some providers may not offer this option). By default, Gate looks for the 'memberOf' attribute statement, but this can be reconfigured in Gate's settings.
- When Fiat is enabled, SAML groups are automatically pushed to Fiat upon user login and cannot be updated until the user reauthenticates.
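
To check what the IdP actually sends, the following added example (not Spinnaker's or Gate's own code) reads a decoded assertion and reports whether the 'memberOf' attribute statement is present and which groups it carries. The sample assertion, the function names and the matching on the attribute's `Name` are assumptions for illustration; the script inspects attributes only and does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, trimmed) for illustration only.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>spinnaker-admins</saml:AttributeValue>
      <saml:AttributeValue> deploy-team </saml:AttributeValue>
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def group_values(assertion_xml, roles_attribute="memberOf"):
    """Return the groups in the named attribute, or None if the attribute is absent."""
    # A SAML assertion never needs a DTD; refuse one before parsing.
    if "<!DOCTYPE" in assertion_xml or "<!ENTITY" in assertion_xml:
        raise ValueError("DTD/entity declarations are not expected in an assertion")
    root = ET.fromstring(assertion_xml)
    found, groups = False, []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != roles_attribute:
            continue
        found = True
        for value in attr.findall("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            if text and text not in groups:  # skip empty values and duplicates
                groups.append(text)
    return groups if found else None

def diagnose(assertion_xml, roles_attribute="memberOf"):
    """Explain why roles would or would not reach Fiat at login."""
    groups = group_values(assertion_xml, roles_attribute)
    if groups is None:
        return f"missing: IdP sends no '{roles_attribute}' attribute statement"
    if not groups:
        return f"empty: '{roles_attribute}' is present but carries no groups"
    return "ok: " + ", ".join(groups)

if __name__ == "__main__":
    print(diagnose(SAMPLE_ASSERTION))
```

If the roles attribute has been renamed in Gate's settings, pass that name as `roles_attribute`.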
SAML Auth Configuration
- The advantage of using SAML roles is that the user roles are pushed to Fiat automatically. Hence, no further configuration changes are required.
