Configuring SAML
Configure SAML to work with Dex authentication to enable end users to log in to the Console using SAML server credentials. This example uses Okta for SAML configuration.
Creating a SAML application
Log in to Okta, and create a new app integration.
Select SAML 2.0.
Assign an app name and other General Settings and select Next.
Enter the Dex callback URL in both the Single sign-on URL (ACS URL) and Audience URI fields. The format is
https://<hybrid_manager_URL>/auth/callback.Map the Attribute Statements for username and email, for example:
Name Name format Value name Unspecified “user.firstName+” “+user.lastName” email Unspecified user. email After the application is created, assign the users or groups you want to have access to the Hybrid Manager to the created app integration. You can do this on the Assignments tab.
Configuring Dex to connect to Okta via SAML connector
Add an entry for the Okta SAML configuration where you specify the Okta and Dex endpoints for communication. Add the entry either in your values.yaml file or HybridControlPlane custom resource, depending on the installation method you use.
portal:
authentication:
clientSecret: "edb-postgres-ai-secret"
idpConnectors:
- type: saml
name: Okta
id: okta
config:
ssoURL: <https://saml.example.com/sso>
redirectURI: <https://<hybrid_manager_URL>/auth/callback>
usernameAttr: name
emailAttr: email
groupsAttr: groups
caData: <dNekV4TURSYUZ3MHpOREV3T01Rc3dDUVlEVlFRR1CRU=>
staticPasswords:
- [...]Parameters
This section covers the essential identity provider settings within the portal.authentication configuration. It focuses only on the parameters you must customize for your environment. Any other parameters not detailed here can be configured as shown in the provided example.
| Parameter | Description |
|---|---|
clientSecret | Client secret for the Hybrid Manager authentication, use the default edb-postgres-ai-secret. |
idpConnectors | Enter an array of data per IdP connector you want to use for authentication. Refer to the official Dex SAML documentation for more guidance. |
idpConnectors.config.ssoURL | The Single Sign-On URL is the endpoint where Dex will send authentication requests. You can obtain it from your Okta Sign On configuration. |
idpConnectors.config.redirectURI | ACS URL of Hybrid Manager, which is the endpoint where the Okta SAML instance will send replies to. Same as the Dex callback URL you provided when creating the SAML application. |
idpConnectors.config.usernameAttr | Tells Dex which attribute of the reply contains the user’s username. Value must match the attribute names you specified when creating the SAML application. |
idpConnectors.config.email | Tells Dex which attribute of the reply contains the user’s email. Value must match the attribute names you specified when creating the SAML application. |
idpConnectors.config.groupsAttr | Tells Dex which attribute of the reply contains information about to which groups a user’s belongs. |
idpConnectors.config.caData | Certificate from your Okta application’s SAML configuration. It allows the Hybrid Manager to authenticate replies from the SAML server. You can obtain it from your Okta Sign On configuration, SAML setup options. |
Applying Dex configuration
After changing the authentication settings, you'll need to reconcile the Dex configuration and restart the Dex services for your changes to take effect. See Applying Dex for instructions.
Assigning new owner and disable native user
After assigning a new organization owner in the Hybrid Manager Console, disable the native user. For this, refer to Disabling a native user.
← Prev
Configuring LDAP
↑ Up
Configuring your own identity provider
Next →
Applying modifications to the user configuration
Could this page be better? Report a problem or suggest an addition!