SAML: Set up SAML authentication - Plugin

Set up SAML authenticationv3.1+

Configure the plugin to enable SAML authentication using an anonymous Consumer.

For a full how-to guide, see Enable SAML authentication for Kong Gateway using Microsoft Entra.

Prerequisites

A SAML application
An anonymous Consumer

Environment variables

IDENTIFIER: Your SAML application identifier.
LOGIN_URL: Your SAML login URL.
CERTIFICATE: The contents of your SAML provider certificate (Base64).

Set up the plugin

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: saml
    config:
      anonymous: anonymous
      issuer: ${{ env "DECK_IDENTIFIER" }}
      idp_sso_url: ${{ env "DECK_LOGIN_URL" }}
      assertion_consumer_path: "/consume"
      validate_assertion_signature: false
      session_secret: uwcLGoTJCWnHWZdVpbLYKlztNOyoGJ07
      idp_certificate: ${{ env "DECK_CERTIFICATE" }}

Make the following request:

curl -i -X POST http://localhost:8001/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "saml",
      "config": {
        "anonymous": "anonymous",
        "issuer": "'$IDENTIFIER'",
        "idp_sso_url": "'$LOGIN_URL'",
        "assertion_consumer_path": "/consume",
        "validate_assertion_signature": false,
        "session_secret": "uwcLGoTJCWnHWZdVpbLYKlztNOyoGJ07",
        "idp_certificate": "'$CERTIFICATE'"
      }
    }
    '

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "saml",
      "config": {
        "anonymous": "anonymous",
        "issuer": "'$IDENTIFIER'",
        "idp_sso_url": "'$LOGIN_URL'",
        "assertion_consumer_path": "/consume",
        "validate_assertion_signature": false,
        "session_secret": "uwcLGoTJCWnHWZdVpbLYKlztNOyoGJ07",
        "idp_certificate": "'$CERTIFICATE'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: saml
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: 'true'
config:
  anonymous: anonymous
  issuer: '$IDENTIFIER'
  idp_sso_url: '$LOGIN_URL'
  assertion_consumer_path: '/consume'
  validate_assertion_signature: false
  session_secret: uwcLGoTJCWnHWZdVpbLYKlztNOyoGJ07
  idp_certificate: '$CERTIFICATE'
plugin: saml
" | kubectl apply -f -

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_saml" "my_saml" {
  enabled = true

  config = {
    anonymous = "anonymous"
    issuer = var.identifier
    idp_sso_url = var.login_url
    assertion_consumer_path = "/consume"
    validate_assertion_signature = false
    session_secret = "uwcLGoTJCWnHWZdVpbLYKlztNOyoGJ07"
    idp_certificate = var.certificate
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "certificate" {
  type = string
}

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: saml
    service: serviceName|Id
    config:
      anonymous: anonymous
      issuer: ${{ env "DECK_IDENTIFIER" }}
      idp_sso_url: ${{ env "DECK_LOGIN_URL" }}
      assertion_consumer_path: "/consume"
      validate_assertion_signature: false
      session_secret: uwcLGoTJCWnHWZdVpbLYKlztNOyoGJ07
      idp_certificate: ${{ env "DECK_CERTIFICATE" }}

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "saml",
      "config": {
        "anonymous": "anonymous",
        "issuer": "'$IDENTIFIER'",
        "idp_sso_url": "'$LOGIN_URL'",
        "assertion_consumer_path": "/consume",
        "validate_assertion_signature": false,
        "session_secret": "uwcLGoTJCWnHWZdVpbLYKlztNOyoGJ07",
        "idp_certificate": "'$CERTIFICATE'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "saml",
      "config": {
        "anonymous": "anonymous",
        "issuer": "'$IDENTIFIER'",
        "idp_sso_url": "'$LOGIN_URL'",
        "assertion_consumer_path": "/consume",
        "validate_assertion_signature": false,
        "session_secret": "uwcLGoTJCWnHWZdVpbLYKlztNOyoGJ07",
        "idp_certificate": "'$CERTIFICATE'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
serviceId: The id of the service the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: saml
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  anonymous: anonymous
  issuer: '$IDENTIFIER'
  idp_sso_url: '$LOGIN_URL'
  assertion_consumer_path: '/consume'
  validate_assertion_signature: false
  session_secret: uwcLGoTJCWnHWZdVpbLYKlztNOyoGJ07
  idp_certificate: '$CERTIFICATE'
plugin: saml
" | kubectl apply -f -

Next, apply the KongPlugin resource by annotating the service resource:

kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=saml

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_saml" "my_saml" {
  enabled = true

  config = {
    anonymous = "anonymous"
    issuer = var.identifier
    idp_sso_url = var.login_url
    assertion_consumer_path = "/consume"
    validate_assertion_signature = false
    session_secret = "uwcLGoTJCWnHWZdVpbLYKlztNOyoGJ07"
    idp_certificate = var.certificate
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "certificate" {
  type = string
}

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: saml
    route: routeName|Id
    config:
      anonymous: anonymous
      issuer: ${{ env "DECK_IDENTIFIER" }}
      idp_sso_url: ${{ env "DECK_LOGIN_URL" }}
      assertion_consumer_path: "/consume"
      validate_assertion_signature: false
      session_secret: uwcLGoTJCWnHWZdVpbLYKlztNOyoGJ07
      idp_certificate: ${{ env "DECK_CERTIFICATE" }}

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "saml",
      "config": {
        "anonymous": "anonymous",
        "issuer": "'$IDENTIFIER'",
        "idp_sso_url": "'$LOGIN_URL'",
        "assertion_consumer_path": "/consume",
        "validate_assertion_signature": false,
        "session_secret": "uwcLGoTJCWnHWZdVpbLYKlztNOyoGJ07",
        "idp_certificate": "'$CERTIFICATE'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "saml",
      "config": {
        "anonymous": "anonymous",
        "issuer": "'$IDENTIFIER'",
        "idp_sso_url": "'$LOGIN_URL'",
        "assertion_consumer_path": "/consume",
        "validate_assertion_signature": false,
        "session_secret": "uwcLGoTJCWnHWZdVpbLYKlztNOyoGJ07",
        "idp_certificate": "'$CERTIFICATE'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
routeId: The id of the route the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: saml
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  anonymous: anonymous
  issuer: '$IDENTIFIER'
  idp_sso_url: '$LOGIN_URL'
  assertion_consumer_path: '/consume'
  validate_assertion_signature: false
  session_secret: uwcLGoTJCWnHWZdVpbLYKlztNOyoGJ07
  idp_certificate: '$CERTIFICATE'
plugin: saml
" | kubectl apply -f -

Next, apply the KongPlugin resource by annotating the httproute or ingress resource:

kubectl annotate -n kong httproute  konghq.com/plugins=saml

kubectl annotate -n kong ingress  konghq.com/plugins=saml

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_saml" "my_saml" {
  enabled = true

  config = {
    anonymous = "anonymous"
    issuer = var.identifier
    idp_sso_url = var.login_url
    assertion_consumer_path = "/consume"
    validate_assertion_signature = false
    session_secret = "uwcLGoTJCWnHWZdVpbLYKlztNOyoGJ07"
    idp_certificate = var.certificate
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "certificate" {
  type = string
}

SAML

Set up SAML authenticationv3.1+

Prerequisites

Environment variables

Set up the plugin

Help us make these docs great!

Still need help