SAML
You can configure SAML (Security Assertion Markup Language) for MKE 4 through
the authentication
section of the MKE configuration file.
To enable the service, set enabled
to true
.
The remaining fields in the authentication.saml
section are used to configure
the SAML provider.
For information on how to obtain the field values, refer to your chosen provider:
For more information, refer to the official DEX documentation Authentication through SAML 2.0.
Configure MKE
The MKE configuration file authentication.smal
fields are detailed below:
Field | Description |
---|---|
enabled | Enable authentication through dex. |
ssoMetadataURL | Metadata URL provided by some IdPs, with which MKE can retrieve information for all other SAML configurations. |
ca | Certificate Authority (CA) alternative to caData to use when validating the signature of the SAML response. Must be manually mounted in a local accessible by dex. |
caData | CA alternative to ca , which you can use to place the certificate data directly into the config file. |
ssoURL | URL to provide to users to sign into MKE 4 with SAML. Provided by the IdP. |
redirectURI | Callback URL for dex to which users are returned to following successful IdP authentication. |
insecureSkipSignatureValidation | Optional. Use to skip the signature validation. For testing purposes only. |
usernameAttr | Username attribute in the returned assertions, to map to ID token claims. |
emailAttr | Email attribute in the returned assertions, to map to ID token claims. |
groupsAttr | Optional. Groups attribute in the returned assertions, to map to ID token claims. |
entityIssuer | Optional. Include as the Issuer value during authentication requests. |
ssoIssuer | Optional. Issuer value that is expected in the SAML response. |
groupsDelim | Optional. If groups are assumed to be represented as a single attribute, this delimiter splits the attribute value into multiple groups. |
nameIDPolicyFormat | Requested name ID format. |
An example configuration for SAML:
authentication:
enabled: true
saml:
enabled: true
ssoURL: https://dev64105006.okta.com/app/dev64105006_mke4saml_1/epkdtszgindywD6mF5s7/sso/saml
redirectURI: http://{MKE host}:5556/callback
usernameAttr: name
emailAttr: email
Test authentication flow
ℹ️
To test authentication flow, ports
5556
(dex) and 5555
(example-app) must be externally available.- Navigate to
http://{MKE hostname}:5555/login
. - Click Login to display the login page.
- Select Log in with SAML.
- Enter your credentials and click Sign In. If authentication is successful, you will be redirected to the client applications home page.