
Gate: SAML Authentication


As of release 2.54.0, Gate has changed the way the SAML authentication mechanism is configured. This guide will help previous installations move to the new configuration with minimal downtime.

## YAML Configuration Changes

An example of a previous configuration:

```yaml
saml:
  enabled: true
  requireAuthentication: false
  url: https://my.saml.provider.com/idp/SSO.saml2
  keyStore: /path/to/my/keystore.jks
  keyStorePassword: hunter2
  keyStoreAliasName: server
  issuerId: spinnaker.prod
  userAttributeMapping:
    roles: googleGroups
  certificate: "\
BLAHBLAH
BLAHBLAH"
```

Changes required:

* `requireAuthentication` is no longer supported. Authentication is always required when SAML is configured.
* `url` and `certificate` have merged into `metadataUrl`, which is the URL endpoint of the Identity Provider's metadata.xml file. If your provider does not expose this metadata file publicly, you can download the file and use the prefix `file:` to point to this local copy.
* `keyStore` must now be prefixed with `file:` if the file is not on the classpath.
* `redirectHostname` is used to construct the redirect endpoint sent to the IdP. It should be the hostname of your Gate instance.

An example of a newly migrated configuration:

```yaml
saml:
  enabled: true
  metadataUrl: https://my.saml.provider.com/sso/saml/metadata
  keyStore: file:/path/to/my/keystore.jks
  keyStorePassword: hunter2
  keyStoreAliasName: server
  issuerId: spinnaker.prod
  redirectHostname: spinnaker.mydomain.com:8084 # can use localhost:8084 for local development
  userAttributeMapping:
    roles: googleGroups
```

## Identity Provider (IdP) Changes

Previously, SAML Identity Providers needed to have their destination URL set to `/auth/signIn`. Now, they must use `/saml/SSO`.

## Deck Changes

Deck also needs a few small changes to get the UI login flow working. In your `settings.js` file:

```javascript
window.spinnakerSettings = {
  gateUrl: ... // change to HTTPS as necessary
  authEnabled: true,
  authEndpoint: gateUrl + '/auth/user',
  // ... the rest
}
```
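The `saml:` migration rules from the YAML Configuration Changes section above, applied and then re-checked, as an added example (not Spinnaker or Gate code). It assumes the block has already been parsed into a Python mapping (what `yaml.safe_load` returns); `OLD_SAML` is constructed from this guide's "previous configuration", and the metadata URL and redirect hostname are passed in because neither can be derived from the old block.

```python
"""Migrate a pre-2.54.0 Gate `saml:` block to the new layout and check the result.
Added example, not Spinnaker code; it works on the parsed mapping that
yaml.safe_load returns, so no third-party library is needed."""
from typing import Dict, List, Tuple

# Keys the 2.54.0 configuration no longer understands.
DROPPED_KEYS = ("requireAuthentication", "url", "certificate")

# Constructed sample: the "previous configuration" from this guide, parsed.
OLD_SAML: Dict = {
    "enabled": True,
    "requireAuthentication": False,
    "url": "https://my.saml.provider.com/idp/SSO.saml2",
    "keyStore": "/path/to/my/keystore.jks",
    "keyStorePassword": "hunter2",
    "keyStoreAliasName": "server",
    "issuerId": "spinnaker.prod",
    "userAttributeMapping": {"roles": "googleGroups"},
    "certificate": "BLAHBLAH\nBLAHBLAH",
}

def migrate_saml(old: Dict, metadata_url: str, redirect_hostname: str) -> Tuple[Dict, List[str]]:
    """Return (migrated mapping, notes). The IdP metadata URL and the Gate
    hostname cannot be derived from the old block, so the caller supplies them."""
    new = {k: v for k, v in old.items() if k not in DROPPED_KEYS}
    notes: List[str] = []
    if old.get("requireAuthentication") is False:
        notes.append("requireAuthentication: false dropped; SAML now always requires authentication")
    # A filesystem path needs the file: prefix; anything else is left as a classpath resource.
    ks = old.get("keyStore", "")
    if ks.startswith("/"):
        new["keyStore"] = "file:" + ks
    new["metadataUrl"] = metadata_url  # replaces url + certificate
    new["redirectHostname"] = redirect_hostname
    return new, notes

def check_saml(cfg: Dict) -> List[str]:
    """Problems an operator should not accept in a 2.54.0+ `saml:` block."""
    problems = [f"{k} is no longer supported" for k in DROPPED_KEYS if k in cfg]
    for key in ("metadataUrl", "redirectHostname"):
        if key not in cfg:
            problems.append(f"{key} is missing")
    url = cfg.get("metadataUrl", "")
    # The metadata carries the IdP signing certificate: fetch it over TLS or from a local copy only.
    if url and not url.startswith(("https://", "file:")):
        problems.append("metadataUrl must use https:// or file:")
    if cfg.get("keyStore", "").startswith("/"):
        problems.append("keyStore is a filesystem path without the file: prefix")
    return problems
```

Running `check_saml` on the old block lists every key the new Gate will reject, and running it on the migrated block should come back empty before you restart Gate.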