Configure SAML

Continuous Delivery for Puppet Enterprise (PE) supports the use of Security Assertion Markup Language (SAML) authentication from a SAML identity provider (IDP). Once you configure your SAML IDP to integrate with Continuous Delivery for PE, you can use your chosen single sign-on tool to authenticate users to Continuous Delivery for PE.

Before you begin
Your enterprise SAML team must configure the SAML IDP used by your organization to communicate with Continuous Delivery for PE.

Provide the SAML team with the Continuous Delivery for PE SAML redirect URL for your installation: <YOUR CD4PE WEB UI ENDPOINT>/saml-auth. The SAML team will use this to register Continuous Delivery for PE as an application with permissions to interact with the IDP.

Request the following from your enterprise SAML team:
  • The IDP-initiated SSO URL that Continuous Delivery for PE will use to direct user authentication requests.
  • The IDP public signing certificate for Continuous Delivery for PE.
  • The SAML attribute names that come back in the SAML assertion for the following fields: first name, last name, email address, and username. (Find more information on these attribute names in step 4 below.)
A super user or the root user must perform this task.
  1. Log into the root console by selecting Root console from the workspaces menu at the top of the Continuous Delivery for PE navigation bar or signing in as the root user.
  2. Click Settings, then click Single sign on.
  3. Select SAML.
  4. Enter the required configuration information as per the instructions below.
    IDP-initiated SSO URL
    The unique URL created by the SAML IDP used by your organization that will act as a single sign-on (SSO) gateway for Continuous Delivery for PE. Your enterprise SAML team must provide this URL.
    Public signing certificate

    The SAML IDP public signing certificate is used to verify SAML assertions from the IDP. Your enterprise SAML team must provide this certificate. Copy the entirety of the certificate, including the header and footer, into this field.

    Attribute mapping

    Four attributes are sent to Continuous Delivery for PE in the SAML assertion. These attributes map attribute keys from your SAML IDP assertion to user accounts created by Continuous Delivery for PE.

    • First name: The SAML attribute key for the user's first name.
    • Last name: The SAML attribute key for the user's last name.
    • Email: The SAML attribute key for the user's email address. This is the unique identifier of a user, so each user's email address must be unique.
    • Username: The SAML attribute key for the user's username in Continuous Delivery for PE. Each username must be unique.
  5. Click Run Configuration Test to send a sample authentication query to your SAML IDP.
  6. When the configuration test is successful and you're ready to enable SAML authentication for your Continuous Delivery for PE instance, enable the SAML configuration option and click Save Configuration.
    CAUTION: If the SAML IDP or the SAML information saved in Continuous Delivery for PE is misconfigured, you might be locked out of Continuous Delivery for PE. If this happens, navigate to <YOUR CD4PE WEB UI ENDPOINT>/root/login, sign in as the root user, disable the SAML configuration option, and click Save Configuration.