Version: 95.3
Enterprise

Overview

Kpow can integrate with your SAML Identity Provider (IdP) of choice.

We have integration guides for common providers:

Generic configuration

Assuming your instance of Kpow is available at https://kpow.corp.com:

  • AUTH_PROVIDER_TYPE=saml
  • SAML_RELYING_PARTY_IDENTIFIER= the Audience URI (SP Entity ID), i.e. the name of your Kpow instance as registered in your IdP, e.g. Kpow-UAT-1. It must match the Audience value the IdP places in its assertions exactly.
  • SAML_ACS_URL= the Single sign-on URL (Assertion Consumer Service) that the IdP posts the SAML response to, served at /saml on your Kpow instance, e.g. https://kpow.corp.com/saml. Register the same URL with your IdP.
  • SAML_METADATA_FILE= the path to the IdP metadata file, e.g. /var/saml/saml-idp-metadata.xml
  • SAML_CERT= the path to the IdP's SAML signing certificate file, e.g. /var/saml/saml-cert.pem
    • Note: this is optional, as the signing certificate is most commonly bundled inside the IdP metadata XML; set it only when your IdP's metadata does not include it.
  • SAML_SESSION_S= the duration in seconds before a user must re-authenticate with the IdP, e.g. SAML_SESSION_S=3600 (the default, 1 hour)

SAML and path-proxied Kpow

tip

Set AUTH_LANDING_URI when running Kpow at a proxied path.

Often our users configure Kpow behind a reverse proxy at a specific path, e.g.

https://tools.your-corp/kafka/kpow

When Kpow is proxied to a specific host/path, set AUTH_LANDING_URI to that same external URL so the post-login redirect returns the browser to the address users actually reach Kpow at, e.g.

AUTH_LANDING_URI=https://tools.your-corp/kafka/kpow

The SAML_ACS_URL you configure, and register with your IdP, must likewise be the /saml endpoint as reached through the proxy, since that is where the IdP delivers the browser's POST of the SAML response.

Custom role field configuration

Kpow offers Role Based Access Control for user authorization.

Roles are defined by the Roles attribute in the SAML assertion response from your IdP. To use a field other than the Roles attribute, add the following to your RBAC configuration file.

saml:
  role_field: "Groups"

Now, Kpow will look to the Groups attribute for its basis of roles.

Debugging SAML

Start Kpow with the environment variable DEBUG_AUTH=true to debug SAML configurations.

This logs the raw SAMLResponse payload from your IdP, which is base64-encoded XML. Decode it to verify that your IdP is forwarding the claims/attributes you configured; a tool like samltool.com can do this, but the payload contains the full assertion, including the user's identity and attributes, so prefer decoding it locally rather than pasting it into a third-party site. Turn DEBUG_AUTH off again once the integration works, as the logged assertions will otherwise accumulate in your log pipeline.
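The script below decodes a logged SAMLResponse offline and compares it with the settings from the generic configuration section, including the attribute Kpow reads roles from (the Roles attribute by default, or the saml.role_field value from the custom role field section). It is an added example, not Kpow's code; it does not verify the XML signature (Kpow does that) and only reports whether one is present. The sample response is constructed and unsigned, the IdP entityID (idp.example.test) is made up, and the Kpow-UAT-1 audience and https://kpow.corp.com/saml ACS URL are the page's own values. Because the sample sends roles in a Groups attribute, decoding it with the default role field shows exactly the "no roles" failure that the custom role field setting fixes.

```python
"""Decode a logged SAMLResponse locally and check it against the Kpow settings.

Added example, not Kpow code. It does NOT verify the XML signature (Kpow does
that); it only reports whether one is present and whether Issuer, Audience,
Recipient, validity window and the role attribute line up with the config.
"""
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def decode_saml_response(b64: str, role_field: str = "Roles") -> dict:
    """Parse a base64 SAMLResponse; role_field mirrors saml.role_field in the RBAC file."""
    root = ET.fromstring(base64.b64decode(b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (an EncryptedAssertion cannot be inspected this way)")
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    cond = assertion.find("saml:Conditions", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    return {
        "issuer": (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "audience": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "recipient": scd.get("Recipient") if scd is not None else None,
        "not_before": cond.get("NotBefore") if cond is not None else None,
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
        "signed": root.find("ds:Signature", NS) is not None or assertion.find("ds:Signature", NS) is not None,
        "attributes": attrs,
        "roles": attrs.get(role_field, []),  # what Kpow would take as the user's roles
    }


def check_against_config(info: dict, sp_entity_id: str, acs_url: str, idp_entity_id: str,
                         now: datetime | None = None) -> list[str]:
    """Return the mismatches between the assertion and the Kpow environment variables."""
    def ts(s: str) -> datetime:  # SAML xs:dateTime, e.g. 2024-05-01T10:00:00Z
        return datetime.fromisoformat(s.replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    problems = []
    if info["issuer"] != idp_entity_id:
        problems.append(f"Issuer {info['issuer']!r} != IdP metadata entityID {idp_entity_id!r}")
    if info["audience"] != sp_entity_id:
        problems.append(f"Audience {info['audience']!r} != SAML_RELYING_PARTY_IDENTIFIER {sp_entity_id!r}")
    if info["recipient"] != acs_url:
        problems.append(f"Recipient {info['recipient']!r} != SAML_ACS_URL {acs_url!r}")
    if not info["signed"]:
        problems.append("neither Response nor Assertion carries a ds:Signature")
    if not info["roles"]:
        problems.append("no role values found; check the attribute name or saml.role_field in the RBAC file")
    if info["not_before"] and now < ts(info["not_before"]):
        problems.append("assertion not yet valid (clock skew between IdP and Kpow host?)")
    if info["not_on_or_after"] and now >= ts(info["not_on_or_after"]):
        problems.append("assertion expired")
    return problems


# Constructed, unsigned sample response for the Kpow instance on this page; roles
# arrive in a "Groups" attribute, as in the custom role field section.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T10:00:00Z" Destination="https://kpow.corp.com/saml">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@corp.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://kpow.corp.com/saml" NotOnOrAfter="2024-05-01T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>Kpow-UAT-1</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Groups">
        <saml:AttributeValue>admin</saml:AttributeValue>
        <saml:AttributeValue>kafka-readers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()
SAMPLE_NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)  # inside the validity window

if __name__ == "__main__":
    for field in ("Roles", "Groups"):
        info = decode_saml_response(SAMPLE_RESPONSE_B64, role_field=field)
        print(f"role_field={field}: roles={info['roles']}")
        for p in check_against_config(info, "Kpow-UAT-1", "https://kpow.corp.com/saml",
                                      "https://idp.example.test/saml", now=SAMPLE_NOW):
            print("  !", p)
```

With a real payload, pass the SAMLResponse value copied from the DEBUG_AUTH log line (or from the browser's POST to /saml) as `b64`, the SAML_RELYING_PARTY_IDENTIFIER and SAML_ACS_URL values from your environment, and the entityID from your IdP metadata. An Audience or Recipient mismatch is the usual cause of a login that succeeds at the IdP but fails at Kpow; an empty role list with otherwise matching values points at the attribute name and the saml.role_field setting.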

Kpow provides a /me endpoint that returns a JSON payload with the state of the currently authenticated user, which is the quickest way to confirm the roles Kpow resolved from the configured attribute, e.g.:

{
  "provider": "saml",
  "email": "user@corp.com",
  "name": "User",
  "roles": [ "admin" ]
}