SAML Configuration Examples

Configuration Examples

Enable on a service

Enable on a route

Enable globally

The following examples provide some typical configurations for enabling the saml plugin on a service.

Admin API

Kubernetes

Declarative (YAML)

Make the following request:

curl -X POST http://localhost:8001/services/SERVICE_NAME|SERVICE_ID/plugins \
    --data "name=saml"  \
    --data "config.anonymous=anonymous"  \
    --data "config.assertion_consumer_path=/acs-uri"  \
    --data "config.idp_sso_url=http://example.org/sso-uri"  \
    --data "config.validate_assertion_signature=true"  \
    --data "config.session_secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"  \
    --data "config.issuer=AzureAD_Identity_ID"  \
    --data "config.idp_certificate=-----BEGIN CERTIFICATE-----
<certificate contents>
-----END CERTIFICATE-----
"

Replace SERVICE_NAME|SERVICE_ID with the id or name of the service that this plugin configuration will target.

First, create a KongPlugin resource:

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: saml-example
plugin: saml
config:
  anonymous: anonymous
  assertion_consumer_path: "/acs-uri"
  idp_sso_url: http://example.org/sso-uri
  validate_assertion_signature: true
  session_secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  issuer: AzureAD_Identity_ID
  idp_certificate: |
    -----BEGIN CERTIFICATE-----
    <certificate contents>
    -----END CERTIFICATE-----
" | kubectl apply -f -

Next, apply the KongPlugin resource to an ingress by annotating the service as follows:

kubectl annotate service SERVICE_NAME konghq.com/plugins=saml-example

Replace SERVICE_NAME with the name of the service that this plugin configuration will target. You can see your available ingresses by running kubectl get service.

Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as a KongClusterPlugin instead of KongPlugin.

Add this section to your declarative configuration file:

plugins:
- name: saml
  service: SERVICE_NAME|SERVICE_ID
  config:
    anonymous: anonymous
    assertion_consumer_path: "/acs-uri"
    idp_sso_url: http://example.org/sso-uri
    validate_assertion_signature: true
    session_secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    issuer: AzureAD_Identity_ID
    idp_certificate: |
      -----BEGIN CERTIFICATE-----
      <certificate contents>
      -----END CERTIFICATE-----

Replace SERVICE_NAME|SERVICE_ID with the id or name of the service that this plugin configuration will target.

The following examples provide some typical configurations for enabling the saml plugin on a route.

Admin API

Kubernetes

Declarative (YAML)

Make the following request:

curl -X POST http://localhost:8001/routes/ROUTE_NAME|ROUTE_ID/plugins \
    --data "name=saml"  \
    --data "config.anonymous=anonymous"  \
    --data "config.assertion_consumer_path=/acs-uri"  \
    --data "config.idp_sso_url=http://example.org/sso-uri"  \
    --data "config.validate_assertion_signature=true"  \
    --data "config.session_secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"  \
    --data "config.issuer=AzureAD_Identity_ID"  \
    --data "config.idp_certificate=-----BEGIN CERTIFICATE-----
<certificate contents>
-----END CERTIFICATE-----
"

Replace ROUTE_NAME|ROUTE_ID with the id or name of the route that this plugin configuration will target.

First, create a KongPlugin resource:

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: saml-example
plugin: saml
config:
  anonymous: anonymous
  assertion_consumer_path: "/acs-uri"
  idp_sso_url: http://example.org/sso-uri
  validate_assertion_signature: true
  session_secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  issuer: AzureAD_Identity_ID
  idp_certificate: |
    -----BEGIN CERTIFICATE-----
    <certificate contents>
    -----END CERTIFICATE-----
" | kubectl apply -f -

Next, apply the KongPlugin resource to an ingress by annotating the ingress as follows:

kubectl annotate ingress INGRESS_NAME konghq.com/plugins=saml-example

Replace INGRESS_NAME with the name of the ingress that this plugin configuration will target. You can see your available ingresses by running kubectl get ingress.

Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as a KongClusterPlugin instead of KongPlugin.

Add this section to your declarative configuration file:

plugins:
- name: saml
  route: ROUTE_NAME|ROUTE_ID
  config:
    anonymous: anonymous
    assertion_consumer_path: "/acs-uri"
    idp_sso_url: http://example.org/sso-uri
    validate_assertion_signature: true
    session_secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    issuer: AzureAD_Identity_ID
    idp_certificate: |
      -----BEGIN CERTIFICATE-----
      <certificate contents>
      -----END CERTIFICATE-----

Replace ROUTE_NAME|ROUTE_ID with the id or name of the route that this plugin configuration will target.

A plugin which is not associated to any service, route, or consumer is considered global, and will be run on every request. Read the Plugin Reference and the Plugin Precedence sections for more information.

The following examples provide some typical configurations for enabling the SAML plugin globally.

Admin API

Kubernetes

Declarative (YAML)

Make the following request:

curl -X POST http://localhost:8001/plugins/ \
    --data "name=saml"  \
    --data "config.anonymous=anonymous"  \
    --data "config.assertion_consumer_path=/acs-uri"  \
    --data "config.idp_sso_url=http://example.org/sso-uri"  \
    --data "config.validate_assertion_signature=true"  \
    --data "config.session_secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"  \
    --data "config.issuer=AzureAD_Identity_ID"  \
    --data "config.idp_certificate=-----BEGIN CERTIFICATE-----
<certificate contents>
-----END CERTIFICATE-----
"

Create a KongClusterPlugin resource and label it as global:

apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: <global-saml>
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: "true"
config:
  anonymous: anonymous
  assertion_consumer_path: "/acs-uri"
  idp_sso_url: http://example.org/sso-uri
  validate_assertion_signature: true
  session_secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  issuer: AzureAD_Identity_ID
  idp_certificate: |
    -----BEGIN CERTIFICATE-----
    <certificate contents>
    -----END CERTIFICATE-----
plugin: saml

Add a plugins entry in the declarative configuration file:

plugins:
- name: saml
  config:
    anonymous: anonymous
    assertion_consumer_path: "/acs-uri"
    idp_sso_url: http://example.org/sso-uri
    validate_assertion_signature: true
    session_secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    issuer: AzureAD_Identity_ID
    idp_certificate: |
      -----BEGIN CERTIFICATE-----
      <certificate contents>
      -----END CERTIFICATE-----

Previous SAML Configuration

Next SAML Changelog