Configuring SAML
Configure SAML to work with Dex authentication to enable end users to log in to the Hybrid Manager (HM) console using SAML server credentials. This example uses Okta for SAML configuration.
Creating a SAML application
1. Log in to Okta and create a new app integration.
2. Select SAML 2.0.
3. Assign an app name, specify other general settings, and select Next.
4. Enter the Dex callback URL in both the Single sign-on URL (ACS URL) and Audience URI fields. The format is `https://<hybrid_manager_URL>/auth/callback`.
5. Map the Attribute Statements for username and email. For example:

Name | Name format | Value |
---|---|---|
name | Unspecified | user.firstName + " " + user.lastName |
email | Unspecified | user.email |

After the application is created, assign the users or groups you want to have access to HM to the created app integration. You can do this on the Assignments tab.
Configuring Dex to connect to Okta via SAML connector
Add an entry for the Okta SAML configuration where you specify the Okta and Dex endpoints for communication. Add the entry either in your values.yaml file or in the HybridControlPlane custom resource, depending on the installation method you use.

```yaml
portal:
  authentication:
    clientSecret: "edb-postgres-ai-secret"
    idpConnectors:
      - type: saml
        name: Okta
        id: okta
        config:
          ssoURL: <https://saml.example.com/sso>
          redirectURI: <https://<hybrid_manager_URL>/auth/callback>
          usernameAttr: name
          emailAttr: email
          groupsAttr: groups
          caData: <dNekV4TURSYUZ3MHpOREV3T01Rc3dDUVlEVlFRR1CRU=>
    staticPasswords:
      - [...]
```
Parameters
The table shows the essential identity provider settings in the portal.authentication configuration. It lists only the parameters you must customize for your environment. Any other parameters not detailed here can be configured as shown in the provided example.
Parameter | Description |
---|---|
clientSecret | Client secret for HM authentication. Use the default `edb-postgres-ai-secret`. |
idpConnectors | Enter an array of data per IdP connector you want to use for authentication. See the Dex SAML documentation for more guidance. |
idpConnectors.config.ssoURL | The single sign-on URL is the endpoint where Dex sends authentication requests. You can obtain it from your Okta Sign On configuration. |
idpConnectors.config.redirectURI | ACS URL of HM, which is the endpoint where the Okta SAML instance sends replies. Same as the Dex callback URL you provided when creating the SAML application. |
idpConnectors.config.usernameAttr | Tells Dex which attribute of the reply contains the user's username. The value must match the attribute name you specified when creating the SAML application. |
idpConnectors.config.emailAttr | Tells Dex which attribute of the reply contains the user's email. The value must match the attribute name you specified when creating the SAML application. |
idpConnectors.config.groupsAttr | Tells Dex which attribute of the reply contains information about the groups a user belongs to. |
idpConnectors.config.caData | Certificate from your Okta application's SAML configuration. It allows HM to authenticate replies from the SAML server. You can obtain it from your Okta Sign On configuration, under the SAML setup options. |
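As an added example (not part of the Hybrid Manager documentation or the Dex project), the following Python check validates one idpConnectors entry against the requirements in the table above before you reconcile Dex: https-only endpoints, the /auth/callback redirect path, attribute names that match the Okta Attribute Statements, and a caData value that is base64-encoded PEM. The connector dicts and the certificate body are constructed placeholders.

```python
import base64
from urllib.parse import urlsplit

# Attribute Statement names defined in the Okta app (see "Creating a SAML application")
OKTA_ATTRIBUTES = {"name", "email"}

def check_saml_connector(connector: dict, okta_attributes: set = OKTA_ATTRIBUTES) -> list:
    """Return a list of problems found in one idpConnectors entry (empty list = OK)."""
    problems = []
    if connector.get("type") != "saml":
        problems.append("type must be 'saml'")
    cfg = connector.get("config", {})
    # Both endpoints must be absolute https URLs: SAML responses carry identity
    # assertions, and the ACS URL is also the Audience URI Okta was configured with.
    for key in ("ssoURL", "redirectURI"):
        url = urlsplit(cfg.get(key, ""))
        if url.scheme != "https" or not url.netloc:
            problems.append(f"{key} must be an https:// URL")
    if urlsplit(cfg.get("redirectURI", "")).path != "/auth/callback":
        problems.append("redirectURI must be the Dex callback https://<hybrid_manager_URL>/auth/callback")
    # Attribute names must match what Okta actually emits, or Dex cannot map the user.
    for key in ("usernameAttr", "emailAttr"):
        value = cfg.get(key)
        if not value:
            problems.append(f"{key} is required")
        elif value not in okta_attributes:
            problems.append(f"{key}={value!r} is not an Attribute Statement name in the Okta app")
    # caData is the IdP signing certificate as base64-encoded PEM; without a valid
    # value Dex cannot verify that responses really come from Okta.
    try:
        pem = base64.b64decode(cfg.get("caData", ""), validate=True).decode("ascii")
        if "-----BEGIN CERTIFICATE-----" not in pem:
            problems.append("caData decodes but is not a PEM certificate")
    except (ValueError, UnicodeDecodeError):
        problems.append("caData is not valid base64")
    return problems

# Constructed placeholder certificate (not a real Okta certificate)
_FAKE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
GOOD_CONNECTOR = {"type": "saml", "name": "Okta", "id": "okta", "config": {
    "ssoURL": "https://saml.example.com/sso",
    "redirectURI": "https://hm.example.com/auth/callback",
    "usernameAttr": "name", "emailAttr": "email", "groupsAttr": "groups",
    "caData": base64.b64encode(_FAKE_PEM.encode()).decode()}}
BAD_CONNECTOR = {"type": "saml", "name": "Okta", "id": "okta", "config": {
    "ssoURL": "http://saml.example.com/sso",           # plaintext endpoint
    "redirectURI": "https://hm.example.com/callback",  # wrong callback path
    "usernameAttr": "name", "emailAttr": "mail",       # "mail" is not an Okta attribute here
    "caData": "not-base64!!"}}

if __name__ == "__main__":
    for label, conn in (("good", GOOD_CONNECTOR), ("bad", BAD_CONNECTOR)):
        print(label, check_saml_connector(conn) or "OK")
```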
Applying Dex configuration
After changing the authentication settings, you need to reconcile the Dex configuration and restart the Dex services for your changes to take effect. See Applying Dex.
Assigning new owner and disabling native user
After assigning a new organization owner in the HM console, disable the native user. See Disabling a native user.