SAML

Suggest Edits

🚧

Azure SAML

The Azure limit for groups per user is set by default to 150. Users with more groups cannot use SAML with Azure.

Create a SAML Authentication Method from the CLI

Let's create a new SAML authentication method using the Akeyless CLI. You can also do this from the Akeyless Console.

To create a SAML authentication method from the CLI, run the following command:

akeyless create-auth-method-saml \
--name saml-am \
--idp-metadata-url your-idp-metadata-url \
--unique-identifier email

Where:

  • name: A unique name for the authentication method. The name can include the path to the virtual folder where you want to create the new authentication method, using slash / separators. If the folder does not exist, it will be created together with the authentication method.

  • idp-metadata-url: The Identity Provider URL (for more information check the Okta example).

  • unique-identifier: A unique identifier is usually one of the following keys email, username, or UPN. Whenever a user logs in with a token, SAML Identity Providers issue sub-claims containing details that uniquely identify the user. A sub-claim includes a key holding the unique identifier value you configured and is used to distinguish between different users from within the same organization.

🚧

Note:

Unique Identifier should be a key name, i.e. not the value itself. for example, email should be provided as is, and not the actual email address.

Parameters

You can find the complete list of parameters for this command in the CLI Reference - Authentication section.

Create a SAML authentication method from the Console

  1. Log in to the Akeyless Console and go to Auth Methods > New > SAML.

  2. Define a Name for the authentication method, and specify the Location as a path to the virtual folder where you want to create the new authentication method, using slash / separators. If the folder does not exist, it will be created together with the authentication method.

  3. Define the remaining parameters as follows:

  • Allowed Client IPs: Enter a comma-separated list of CIDR blocks from which the client can issue calls to the proxy. By "client," we mean CURL, SDK, etc. This parameter is optional. Leave it empty for unrestricted access.

  • Allowed Trusted Gateway IPs: Enter a comma-separated list of CIDR blocks. When specified, the Gateway with the IP from this range will be trusted to forward original client IPs (so that they will be visible in the logs). If empty, the Gateway's IP will be used in the logs.

  • IDP Metadata URL: Enter your Identity Provider metadata URL. When using an internal domain, please provide your IDP Metadata XML.

  • unique-identifier: A unique identifier is usually one of the following keys email, username, or UPN. Whenever a user logs in with a token, SAML Identity Providers issue sub-claims containing details that uniquely identify the user. A sub-claim includes a key holding the unique identifier value you configured and is used to distinguish between different users from within the same organization.

🚧

Note

Unique Identifier should be a key name, i.e. not the value itself. for example, email should be provided as is, and not the actual email address.

  • Allowed Redirect URIs: Enter a comma-separated list of Redirect URIs to be validated as part of the authentication flow. If you leave this field empty, it can be insecure. Malicious users could steal access credentials using open redirects.

  • Expiration Date: Select the access expiration date. This parameter is optional. Leave it empty for access to continue without an expiration date.

  1. Click Save.

👍

What's next?

Make sure to associate your new Authentication Method with an Access Role to grant the relevant permissions within Akeyless

Updated 2 months ago

What’s Next