Version: 95.3
Available in: Team, Enterprise

Overview

Flex can authenticate users against the SAML Identity Provider (IdP) of your choice.

We have integration guides for common providers:

Generic configuration

Assuming your instance of Flex is available at https://flex.corp.com:

  • AUTH_PROVIDER_TYPE=saml
  • SAML_RELYING_PARTY_IDENTIFIER= the Audience URI (SP Entity ID), i.e. the name under which Flex is registered in your IdP, e.g. Flex-UAT-1. It must match the IdP's configuration exactly, because the IdP places this value in the assertion's AudienceRestriction.
  • SAML_ACS_URL= the Single sign-on URL (Assertion Consumer Service), which is the /saml path of your Flex instance, e.g. https://flex.corp.com/saml. Register the same URL in the IdP; this is where the IdP posts the SAMLResponse.
  • SAML_METADATA_FILE= the path to the IdP metadata XML file, e.g. /var/saml/saml-idp-metadata.xml. Download it from the IdP itself rather than accepting it from an untrusted channel: it carries the IdP entity ID, SSO endpoints and the signing certificate used to verify assertions.
  • SAML_CERT= the path to the IdP signing certificate (PEM), e.g. /var/saml/saml-cert.pem
    • Note: This is optional. The certificate is most commonly bundled inside the IdP metadata XML, so only set it when your metadata omits the certificate.
  • SAML_SESSION_S=3600 the number of seconds a SAML session lasts before the user must re-authenticate with the IdP (default 3600, i.e. 1 hour)

SAML and path-proxied Flex

Tip: Set AUTH_LANDING_URI when running Flex at a proxied path.

Flex is often deployed behind a reverse proxy at a specific path, e.g.

https://tools.your-corp/flink/flex

When Flex is proxied at a specific host/path, set AUTH_LANDING_URI to that same external URL so the post-login redirect returns the browser to the right location, e.g.

AUTH_LANDING_URI=https://tools.your-corp/flink/flex

Custom role field configuration

Flex offers Role Based Access Control (RBAC) for user authorization.

Roles are taken from the Roles attribute in the SAML assertion returned by your IdP. To use an attribute other than Roles, add the following to your RBAC configuration file:

saml:
  role_field: "Groups"

Flex will then read roles from the Groups attribute. The attribute name must match what the IdP sends exactly (some IdPs emit URI-style attribute names), so check the logged assertion when roles do not appear.

Debugging SAML

Start Flex with the environment variable DEBUG_AUTH=true to debug SAML configurations.

This logs the SAMLResponse payload (base64-encoded XML) sent by your IdP. Decode it and inspect it, for example with samltool.com, to verify that your IdP is forwarding the configured claims/attributes. The response contains user identity data, so enable DEBUG_AUTH only while troubleshooting and avoid pasting production assertions into third-party tools.

Flex provides a /me endpoint that returns a JSON payload describing the currently authenticated user, e.g.:
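As an added example, not Flex's own code, the script below decodes a logged SAMLResponse offline and reports the things that most often break a SAML login: a non-Success status, a Destination that differs from SAML_ACS_URL, an Audience that does not match SAML_RELYING_PARTY_IDENTIFIER, an expired or not-yet-valid Conditions window, and a missing role attribute. It only reports whether a ds:Signature element is present; it does not verify the signature, which Flex does itself. The response document is constructed (and deliberately unsigned), the IdP URL is hypothetical, and the `now` parameter exists so the validity check is reproducible.

```python
"""Decode a SAMLResponse logged by DEBUG_AUTH and inspect it offline.

Added example for this documentation page, not Flex's own code. Cross-checks
audience, destination, validity window and the role attribute; it does NOT
verify the XML signature. Standard library only.
"""
import base64
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed, unsigned sample response from a hypothetical IdP, in the shape
# posted to the /saml endpoint. Roles are carried in a "Groups" attribute.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" Destination="https://flex.corp.com/saml">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>user@corp.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>Flex-UAT-1</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>user@corp.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="name"><saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Groups"><saml:AttributeValue>admin</saml:AttributeValue>
        <saml:AttributeValue>flink-ops</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(payload):
    """Base64-decode a SAMLResponse; inflate it if it was deflated (Redirect-binding style)."""
    raw = base64.b64decode(payload)
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")


def _parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def inspect_saml_response(xml_text, expected_audience, expected_acs, role_field="Roles", now=None):
    """Summarise the response and list anything that would make the login fail or drop roles."""
    now = _parse_time(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    root = ET.fromstring(xml_text)
    problems = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    status = code.get("Value") if code is not None else None
    if status != SUCCESS:
        problems.append("status is not Success: %s" % status)
    destination = root.get("Destination")
    if destination and destination != expected_acs:
        problems.append("Destination %s != SAML_ACS_URL %s" % (destination, expected_acs))
    result = {"status": status, "destination": destination, "subject": None,
              "audiences": [], "attributes": {}, "roles": [], "problems": problems}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (missing or EncryptedAssertion)")
        return result
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion carries a ds:Signature")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    result["subject"] = name_id.text.strip() if name_id is not None and name_id.text else None
    result["audiences"] = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in result["audiences"]:
        problems.append("Audience %s does not include SAML_RELYING_PARTY_IDENTIFIER %s"
                        % (result["audiences"], expected_audience))
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = _parse_time(cond.get("NotBefore")), _parse_time(cond.get("NotOnOrAfter"))
        if not_before and now < not_before:
            problems.append("assertion not yet valid (NotBefore %s); check clock skew" % not_before)
        if not_on_or_after and now >= not_on_or_after:
            problems.append("assertion expired (NotOnOrAfter %s)" % not_on_or_after)
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        result["attributes"][attr.get("Name")] = [
            (v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    result["roles"] = result["attributes"].get(role_field, [])
    if not result["roles"]:
        problems.append("no %r attribute in the assertion; the user would receive no roles" % role_field)
    return result


if __name__ == "__main__":
    xml = decode_saml_response(SAMPLE_RESPONSE_B64)
    print(inspect_saml_response(xml, "Flex-UAT-1", "https://flex.corp.com/saml", "Groups"))
```

Run it with role_field set to the value of saml.role_field from your RBAC configuration (Roles by default): an empty roles list with a populated attributes map usually means the IdP is sending the groups under a different attribute name than the one Flex is configured to read.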

{
  "provider": "saml",
  "email": "user@corp.com",
  "name": "User",
  "roles": [ "admin" ]
}