SAML

You can configure SAML (Security Assertion Markup Language) for MKE 4 through the authentication.saml section of the MKE configuration file.

SAML example configuration:

authentication:
  saml:
    enabled: true
    ssoURL: https://dev64105006.okta.com/app/dev64105006_mke4saml_1/epkdtszgindywD6mF5s7/sso/saml
    usernameAttr: name
    emailAttr: email

Configure SAML service for MKE

In the MKE configuration file authentication.saml section, enable your SAML service by setting enabled to true. Use the remaining fields, which are defined in the following table, to configure your chosen SAML provider.

ℹ️
For information on how to obtain the field values, refer to Setting up Okta as a SAML provider.
FieldDescription
enabledEnable authentication through dex.
ssoMetadataURLMetadata URL provided by some IdPs, with which MKE can retrieve information for all other SAML configurations.

When a URL is provided for ssoMetadataURL, the other SAML fields are not required.
caCertificate Authority (CA) alternative to caData to use when validating the signature of the SAML response. Must be manually mounted in a local accessible by dex.
caDataCA alternative to ca, which you can use to place the certificate data directly into the config file.
ssoURLURL to provide to users to sign into MKE 4 with SAML. Provided by the IdP.
insecureSkipSignatureValidationOptional. Use to skip the signature validation. For testing purposes only.
usernameAttrUsername attribute in the returned assertions, to map to ID token claims.
emailAttrEmail attribute in the returned assertions, to map to ID token claims.
groupsAttrOptional. Groups attribute in the returned assertions, to map to ID token claims.
entityIssuerOptional. Include as the Issuer value during authentication requests.
ssoIssuerOptional. Issuer value that is expected in the SAML response.
groupsDelimOptional. If groups are assumed to be represented as a single attribute, this delimiter splits the attribute value into multiple groups.
nameIDPolicyFormatRequested name ID format.

Test authentication flow

  1. Navigate to http://{MKE hostname}/dex/login.
  2. Click Login to display the login page.
  3. Select Log in with SAML.
  4. Enter your credentials and click Sign In. If authentication is successful, you will be redirected to the client applications home page.
Last updated on