Configure SAML integration on identity provider
Identity providers require certain values to successfully integrate with MKE. As these values vary depending on the identity provider, consult your identity provider documentation for instructions on how to best provide the needed information.
Okta integration values

Okta integration requires the following values:

Value | Description
---|---
URL for single sign-on (SSO) | URL for MKE, qualified with
Service provider audience URI | URL for MKE, qualified with
NameID format | Select Unspecified.
Application user name | Email. For example, a custom
Attribute Statements |
Group Attribute Statement |
Okta configuration

When two or more group names are expected to return with the assertion, use the regex filter. For example, use the value apple|orange to return the groups apple and orange.
ADFS integration values

To enable ADFS integration:

1. Add a relying party trust.
2. Obtain the service provider metadata URI. The service provider metadata URI value is the URL for MKE, qualified with /enzi/v0/saml/metadata. For example, https://111.111.111.111/enzi/v0/saml/metadata.
3. Add claim rules.
   a. Convert values from AD to SAML:
      - Display-name: Common Name
      - E-Mail-Addresses: E-Mail Address
      - SAM-Account-Name: Name ID
   b. Create a full name for MKE (custom rule):
      c:[Type == "http://schemas.xmlsoap.org/claims/CommonName"] => issue(Type = "fullname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
   c. Transform account name to Name ID:
      - Incoming type: Name ID
      - Incoming format: Unspecified
      - Outgoing claim type: Name ID
      - Outgoing format: Transient ID
   d. Pass admin value to allow admin access based on AD group. Send group membership as claim:
      - Users group: your admin group
      - Outgoing claim type: is-admin
      - Outgoing claim value: 1
   e. Configure group membership for more complex organizations, with multiple groups able to manage access. Send LDAP attributes as claims:
      - Attribute store: Active Directory
      - Add two rows with the following information:
        - LDAP attribute = email address; outgoing claim type: email address
        - LDAP attribute = Display-Name; outgoing claim type: common name
      - Mapping: Token-Groups - Unqualified Names: member-of
Note

Once you enable SAML, Service Provider metadata is available at https://<SP Host>/enzi/v0/saml/metadata. The metadata link is also labeled as entityID.

Only the POST binding is supported for the Assertion Consumer Service, which is located at https://<SP Host>/enzi/v0/saml/acs.
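As an added pre-flight check (not MKE's or Mirantis's own code), the script below parses Service Provider metadata of the shape served at https://<SP Host>/enzi/v0/saml/metadata and confirms the entityID, the HTTP-POST Assertion Consumer Service at /enzi/v0/saml/acs and the Unspecified NameID format before those values are entered in Okta or ADFS. The embedded metadata is a constructed sample that uses the page's 111.111.111.111 placeholder host.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of the SP metadata MKE serves at /enzi/v0/saml/metadata,
# using the placeholder host from this page; not captured from a real MKE.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://111.111.111.111/enzi/v0/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://111.111.111.111/enzi/v0/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, sp_host):
    """Return the values to enter at the IdP (entityID / audience URI, ACS URL
    used as the SSO URL) plus a list of findings; an empty findings list means
    the metadata matches the values this page expects."""
    root = ET.fromstring(xml_text)
    findings = []
    entity_id = root.get("entityID")
    expected_entity = f"https://{sp_host}/enzi/v0/saml/metadata"
    if entity_id != expected_entity:
        findings.append(f"entityID {entity_id!r} != {expected_entity!r}")
    acs_nodes = root.findall(".//md:AssertionConsumerService", MD_NS)
    for node in acs_nodes:  # MKE accepts only the HTTP-POST binding at its ACS
        if node.get("Binding") != POST_BINDING:
            findings.append(f"ACS binding {node.get('Binding')} is not supported by MKE")
    post_acs = [n for n in acs_nodes if n.get("Binding") == POST_BINDING]
    acs_url = post_acs[0].get("Location") if post_acs else None
    expected_acs = f"https://{sp_host}/enzi/v0/saml/acs"
    if acs_url is None:
        findings.append("no HTTP-POST AssertionConsumerService found")
    elif acs_url != expected_acs:
        findings.append(f"ACS location {acs_url!r} != {expected_acs!r}")
    name_id_formats = [n.text or "" for n in root.findall(".//md:NameIDFormat", MD_NS)]
    if not any(f.endswith(":unspecified") for f in name_id_formats):
        findings.append("SP does not advertise the Unspecified NameID format")
    return {"entity_id": entity_id, "acs_url": acs_url,
            "name_id_formats": name_id_formats, "findings": findings}


if __name__ == "__main__":
    for key, value in check_sp_metadata(SAMPLE_METADATA, "111.111.111.111").items():
        print(f"{key}: {value}")
```

Running it against metadata fetched from a real MKE host (with the matching sp_host) lists exactly the entityID and ACS URL to paste into the identity provider, and any finding shows where the SP side differs from what the IdP configuration assumes.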