Home / Authentication
Edit
Report

Enable SAML authentication using Microsoft Entra

Uses: Kong Gateway deck
Deployment Platform
Related Documentation
Gateway Documentation decK Documentation
Tags
#authentication
Related Resources
Authentication
Minimum Version
Kong Gateway - 3.4
TL;DR

Create your SAML application in Microsoft Entra, then create an anonymous Consumer in Kong Gateway. Enable the SAML plugin and configure it with the SAML application identifier, login URL, and certificate.

Prerequisites

Kong Konnect

This is a Konnect tutorial and requires a Konnect personal access token.

  1. Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.

  2. Export your token to an environment variable:

     export KONNECT_TOKEN='YOUR_KONNECT_PAT'

  3. Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:

     curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-output

    This sets up a Konnect Control Plane named quickstart, provisions a local Data Plane, and prints out the following environment variable exports:

     export DECK_KONNECT_TOKEN=$KONNECT_TOKEN
 export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart
 export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
 export KONNECT_PROXY_URL='http://localhost:8000'

    Copy and paste these into your terminal to configure your session.

Kong Gateway running

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

  1. Export your license to an environment variable:

     export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'

  2. Run the quickstart script:

    curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA

    Once Kong Gateway is ready, you will see the following message:

     Kong Gateway Ready

decK   v1.43+

decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial, install decK version 1.43 or later.

This guide uses deck gateway apply, which directly applies entity configuration to your Gateway instance. We recommend upgrading your decK installation to take advantage of this tool.

You can check your current decK version with deck version.

Required entities

For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:

  1. Run the following command:

    echo '
_format_version: "3.0"
services:
  - name: example-service
    url: http://httpbin.konghq.com/anything
routes:
  - name: example-route
    paths:
    - "/anything"
    service:
      name: example-service
' | deck gateway apply -

To learn more about entities, you can read our entities documentation.

Microsoft Entra SAML application

This tutorial uses Microsoft Entra as a SAML identity provider.

  1. Make sure you have the appropriate permissions and follow the steps in the Microsoft docs to set up a SAML application.
  2. Enable SSO for the application.
  3. Assign at least one user to the application.
  4. From the Single sign-on page of the application, get the values of the following fields and add them to your environment:
    • Identifier (Entity ID)
    • Login URL
    • Certificate (Base64)
    export DECK_IDENTIFIER="SAML-application-identifier"
export DECK_LOGIN_URL="SAML-login-URL"
export DECK_CERTIFICATE="certificate-contents"

    export DECK_IDENTIFIER="SAML-application-identifier"
export DECK_LOGIN_URL="SAML-login-URL"
export DECK_CERTIFICATE="certificate-contents"

Do not include the BEGIN CERTIFICATE and END CERTIFICATE lines in the certificate variable. Add only the certificate contents.

Create an anonymous Consumer

In this example, we want to manage users through Microsoft Entra only, so we’ll use the anonymous Consumer:

echo '
_format_version: "3.0"
consumers:
  - username: anonymous
' | deck gateway apply -

Enable the SAML plugin

Enable the SAML plugin and provide the information to connect to your SAML application. We also need to provide a value for config.session_secret, which should be a random 32-character string.

echo '
_format_version: "3.0"
plugins:
  - name: saml
    config:
      anonymous: anonymous
      issuer: "${{ env "DECK_IDENTIFIER" }}"
      idp_sso_url: "${{ env "DECK_LOGIN_URL" }}"
      assertion_consumer_path: "/consume"
      validate_assertion_signature: false
      session_secret: uwcLGoTJCWnHWZdVpbLYKlztNOyoGJ07
      idp_certificate: "${{ env "DECK_CERTIFICATE" }}"
' | deck gateway apply -

Validate

To validate that the SAML configuration works, go to $KONNECT_PROXY_URL/anything in a browser.

To validate that the SAML configuration works, go to http://localhost:8000/anything in a browser.

When prompted, log in with a user that has access to the SAML application.

Cleanup

Clean up Konnect environment

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

Destroy the Kong Gateway container

 
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d

FAQs

Why is my valid certificate not being accepted?

There may be an issue with the formatting of the Certificate. Standard certificates contain a header and a footer:

-----BEGIN CERTIFICATE-----
<certificate contents>
-----END CERTIFICATE-----

When specifying a certificate in the idp_certificate field, these must be removed. The value should be the certificate contents only.

Something wrong?
Report an Issue | Edit this Page
View all Kong documentation

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help?

Ask in our Slack Community
Contact Support