Continuous Delivery for Puppet Enterprise (PE) supports the use of Security Assertion Markup Language (SAML) authentication from a SAML identity provider (IDP). Once you configure your SAML IDP to integrate with Continuous Delivery for PE, you can use your chosen single sign-on tool to authenticate users to Continuous Delivery for PE.
Provide the SAML team with the Continuous Delivery for PE SAML redirect URL for your installation: <YOUR CD4PE WEB UI ENDPOINT>/saml-auth. The SAML team will use this to register Continuous Delivery for PE as an application with permissions to interact with the IDP.
In return, obtain the following from the SAML team:
- The IDP-initiated SSO URL that Continuous Delivery for PE will use to direct user authentication requests.
- The IDP public signing certificate for Continuous Delivery for PE.
- The SAML attribute names that come back in the SAML assertion for the following fields: first name, last name, email address, and username. (Find more information on these attribute names in step 4 below.)
- Log into the root console by selecting Root console from the workspaces menu at the top of the Continuous Delivery for PE navigation bar, or by signing in as the root user.
- Click Settings, then click Single sign on.
- Select SAML.
Enter the required configuration information as described below:
- IDP-initiated SSO URL: The unique URL created by the SAML IDP used by your organization that will act as a single sign-on (SSO) gateway for Continuous Delivery for PE. Your enterprise SAML team must provide this URL.
- Public signing certificate: The SAML IDP public signing certificate is used to verify SAML assertions from the IDP. Your enterprise SAML team must provide this certificate. Copy the entirety of the certificate, including the header and footer, into this field.
- Attribute mapping: Four attributes are sent to Continuous Delivery for PE in the SAML assertion. These attributes map attribute keys from your SAML IDP assertion to user accounts created by Continuous Delivery for PE.
  - First name: The SAML attribute key for the user's first name.
  - Last name: The SAML attribute key for the user's last name.
  - Email: The SAML attribute key for the user's email address. This is the unique identifier of a user, so each user's email address must be unique.
  - Username: The SAML attribute key for the user's username in Continuous Delivery for PE. Each username must be unique.
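The two fields above that most often cause a failed configuration test are the pasted certificate (a missing header or footer line, or a truncated body) and an attribute mapping whose names do not match what the IDP actually sends. The following Python script is an added example, not code from Continuous Delivery for PE or from Puppet: it checks that a certificate pasted into the Public signing certificate field is a complete PEM block with a decodable DER body, and it applies a hypothetical attribute mapping to a constructed sample SAML assertion to confirm that all four required attributes arrive with exactly one value each. The attribute names givenName, sn, mail and uid, the sample assertion, and the stand-in certificate body are all constructed for the example; your real names come from your SAML team.

```python
import base64
import re
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used for element lookups.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from any real IDP). The attribute
# Names are hypothetical stand-ins for whatever your IDP is configured to send.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical attribute mapping, in the shape of the four Attribute mapping
# fields: Continuous Delivery for PE field -> attribute Name in the assertion.
ATTRIBUTE_MAPPING = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
    "username": "uid",
}


def extract_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    return attrs


def check_mapping(assertion_xml, mapping=ATTRIBUTE_MAPPING):
    """Return a list of problems; empty means every mapped field has exactly one value."""
    attrs = extract_attributes(assertion_xml)
    problems = []
    for field, attr_name in mapping.items():
        count = len(attrs.get(attr_name, []))
        if count != 1:
            problems.append(f"{field}: attribute '{attr_name}' has {count} value(s), expected 1")
    return problems


def map_user(assertion_xml, mapping=ATTRIBUTE_MAPPING):
    """Apply the mapping and return the user record, or raise if the mapping does not fit."""
    problems = check_mapping(assertion_xml, mapping)
    if problems:
        raise ValueError("assertion does not satisfy the attribute mapping: " + "; ".join(problems))
    attrs = extract_attributes(assertion_xml)
    # Email is the unique user identifier, so it is the key to de-duplicate on.
    return {field: attrs[attr_name][0] for field, attr_name in mapping.items()}


# A complete PEM certificate: header line, base64 body, footer line.
PEM_RE = re.compile(
    r"^-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----$"
)


def check_pem_certificate(pem_text):
    """True if the pasted text is a whole PEM block whose body decodes to DER (a SEQUENCE)."""
    m = PEM_RE.match(pem_text.strip())
    if not m:
        return False  # header or footer missing, or non-base64 characters in the body
    body = "".join(m.group("body").split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # A DER-encoded X.509 certificate begins with a SEQUENCE tag (0x30).
    return len(der) > 0 and der[0] == 0x30


# Constructed stand-in for a certificate body: NOT a real certificate, only a
# DER SEQUENCE header so the format check has something to accept.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("certificate format ok:", check_pem_certificate(SAMPLE_PEM))
    print("mapped user:", map_user(SAMPLE_ASSERTION))
```

This checks format and mapping only; it does not validate the assertion's XML signature, which is what the configured IDP certificate is for, and it does not replace the Run Configuration Test step, which exercises the real IDP end to end. Running an assertion captured from a successful test through `check_mapping` with the names you intend to enter is a quick way to catch a wrong attribute name before it locks users out.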
- Click Run Configuration Test to send a sample authentication query to your SAML IDP.
When the configuration test is successful and you're ready to enable SAML authentication for your Continuous Delivery for PE instance, enable the SAML configuration option and click Save.
CAUTION: If the SAML IDP or the SAML information saved in Continuous Delivery for PE is misconfigured, you might be locked out of Continuous Delivery for PE. If this happens, navigate to <YOUR CD4PE WEB UI ENDPOINT>/root/login, sign in as the root user, disable the SAML configuration option, and click Save Configuration.