Set up SAML proxy

Available since MKE 3.7.0

You can enhance the security and flexibility of MKE by implementing a SAML proxy. With such a proxy, you can lock down your MKE deployment and still benefit from SAML authentication. The proxy sits between MKE and your Identity Provider (IdP) and forwards the IdP metadata requests between the two, over the ports you designate during configuration.

To set up a SAML proxy in MKE:

  1. Use the MKE web UI to add a proxy service, following either the Kubernetes procedure or the Swarm procedure below.

    1. Log in to the MKE web UI as an administrator.

    2. In the left-side navigation panel, navigate to Kubernetes > Pods and click the Create button to call the Create Kubernetes Object pane.

    3. In the Namespace dropdown, select default.

    4. In the Object YAML editor, paste the following Deployment object YAML:

      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: saml-proxy-deployment
      spec:
        selector:
          matchLabels:
            app: saml-proxy
        replicas: 1
        template:
          metadata:
            labels:
              app: saml-proxy
          spec:
            containers:
            - name: saml-proxy
              image: <proxy image>:<version>
              ports:
              - containerPort: <port-used-within-container>
      
    5. Click Create to add the container.

    6. In the left-side navigation panel, navigate to Kubernetes > Services and click the Create button to call the Create Kubernetes Object pane.

    7. In the Namespace dropdown, select default.

    8. In the Object YAML editor, paste the following Service object YAML:

      apiVersion: v1
      kind: Service
      metadata:
        name: saml-proxy
        labels:
          app: saml-proxy
      spec:
        type: NodePort
        ports:
          - port: <port-used-within-container>
            nodePort: <port-to-externally-access-proxy>
        selector:
          app: saml-proxy
      
    9. Click Create to add the service.

    Alternatively, to add the proxy as a Swarm service:

    1. Log in to the MKE web UI as an administrator.

    2. In the left-side navigation panel, navigate to Swarm > Services and click the Create button to call the Create Service pane.

    3. Configure the new service with your desired target proxy image. Note that any http/https proxy will suffice.

    4. In the left-side navigation panel, navigate to Network.

    5. Indicate the Target Port and Published Port and click Confirm.

      The Target Port is the port the proxy uses within the container, and the Published Port is the port that is externally accessible.

      Note

      The proxy you deploy determines the target and published ports.

    6. Click Create to add the container.

    7. In the left-side navigation panel, navigate to Shared Resources > Containers.

    8. Click the kebab menu for the <proxy-container-name>, at the far right, and select View logs.

    9. Test proxy use by making a request to the IdP and then checking the log for verification. For example, run the following command:

      curl <your IdP metadata URL> -x https://<MKE deployment IP>:<published-port>
      

      Note

      Be aware that the log entry can take up to five minutes to register.

  2. Configure the SAML proxy.

    1. Log in to the MKE web UI as an administrator.

    2. In the left-side navigation panel, navigate to <user-name> > Admin Settings > Authentication & Authorization to display the Authentication & Authorization pane.

    3. Toggle the SAML control to enable SAML and expand the SAML settings.

    4. Enable the SAML Proxy setting to reveal the Proxy URL, Proxy Username, and Proxy Password fields.

    5. Insert the pertinent field information and click Save.

    Note

    If you are upgrading from a previous MKE version, you must add the [auth.samlProxy] section to the MKE configuration file.

    Edit the [auth.samlProxy] section of the MKE configuration file as follows:

    [auth.samlProxy]
    proxyURL = "http://<MKE deployment IP>:<published-port>"
    enabled = true

    [auth.samlProxy.credentials]

    [auth.samlProxy.credentials.basic]
    user = "<user-name>"
    password = "<password>"

    Note

    • If you provide empty strings for the username or password, MKE treats them as valid credentials and sends them to the proxy.

    • To configure the proxy for use without authentication, remove the username and password fields.

    • For security purposes, a GET request for the MKE configuration does not return the user and password credential values.

    Refer to Use an MKE configuration file for information on how to update the MKE configuration file.

  3. Use a private browser window to Configure SAML.

    Note

    Be aware that the log entry can take up to five minutes to register.