
Overview

Styra supports Security Assertion Markup Language (SAML) for Single Sign On (SSO). You can find the settings for configuring SAML, as follows:

  • Under WORKSPACE in the left-hand navigation panel, click styra-das-id.styra.com.
  • Click the Settings tab.
  • Click Single Sign-On Providers.
  • Click the SAML tab.

When you click the Add SAML Provider button to create a new SSO provider, you must provide the following details:

  • Provider name: The name for your identity provider setting, for example "SSOSAMLOKTA". This name is shown to users on the login page.
note
  • The provider name is not arbitrary: it must match the {unique-name} segment of the DAS callback URL (the SAML Assertion Consumer Service URL) that you register in the SAML identity provider configuration. The callback URL has the form https://styra-das-id.styra.com/v1/saml/{unique-name}/callback.
  • For example, if the callback URL registered at the identity provider is https://test.styra.com/v1/saml/ssosaml/callback, the provider name must be ssosaml. The two must match exactly, or the identity provider's response will be posted to a callback that DAS cannot map to this provider.
  • Private key: The private key the Service Provider (DAS) uses to sign the SAML authentication requests it initiates and to decrypt SAML assertions that the identity provider encrypts for DAS.
  • Private key: A private key that the Service Provider (DAS) requires to sign the SAML messages or decrypt the SAML assertions if the SAML request is initiated by DAS. The DAS digitally signs the request using this private key.

  • Private key certificate: The X.509 certificate for the private key above. The identity provider uses the public key in this certificate to verify the signature on requests from DAS and, if assertion encryption is enabled, to encrypt assertions that only DAS can decrypt. Upload this certificate (never the private key) to the identity provider.

tip

To generate a private key and a matching self-signed certificate, run the following command. The -nodes flag leaves private.key unencrypted on disk, so protect the file accordingly, and -days 3650 sets a ten-year validity period.

openssl req -x509 -newkey rsa:2048 -keyout private.key \
  -out certificate.cert -days 3650 -nodes -subj "/CN=test.styra.com"
important

When the certificate expires, SAML signing and encryption stop working until you generate a new key pair, update it here, and upload the new certificate to the identity provider. Record the certificate's expiry date and renew it before that date.

  • Identity provider metadata: SAML metadata provided by your identity provider.

  • Allowed Domains: The email domain(s) your users authenticate with, for example styra-das-id.styra.com. If the identity provider serves users from several domains, only users whose email domain is in this list are allowed to access the service.

  • Invited users only: If enabled, the authenticated user must already have an account in styra-das-id.styra.com. If disabled, a new user account is created on first login for any user coming through SSO, provided the user's email domain matches one of the allowed domains and the identity provider has assigned the user to the Styra application. Leave this enabled unless you intend every user in the allowed domains to be able to self-provision an account.

  • Enabled: Whether this SSO provider is currently active.

The following field is optional:

  • Email attribute: DAS reads the user's email address from the NameID in the Subject element (<saml:Subject>) of the SAML response. If your identity provider puts the email address in an Attribute element (<saml:Attribute>) instead, enter the exact attribute name in this field.

For example, for the SAML response below you would enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress in the Email attribute field. Confirm the attribute name with your identity provider; it is matched literally, so a different claim URI, a trailing slash, or a change in case will cause the email lookup to fail.

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">user123@domain.com</saml:AttributeValue>
</saml:Attribute>
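The following is an added example, not Styra code, showing how the Email attribute, Allowed Domains and Invited users only settings above combine when a SAML response is processed: the email is taken from the Subject NameID when it is an email address, otherwise from the configured attribute, and the result is then checked against the allowed domains and the existing-user list. The SAML response, the domain list and the user list are constructed for this example; the function names, the case-insensitive comparison and the NameID format handling are assumptions of the example. It assumes the response's XML signature has already been verified, which must happen before any of this data is trusted.

```python
"""Added example (not Styra's code): resolve and authorize the SSO email.

The sample response below is constructed. In a real service provider the
signature on the response/assertion must be verified before any element
is read; this example starts after that step.
"""
from typing import Iterable, Optional, Tuple
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# The claim URI used in the page's example.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample: the Subject carries an opaque persistent NameID, so
# the address is only available from the emailaddress attribute.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xs:string">user123@domain.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def resolve_email(response_xml: str, email_attribute: Optional[str] = None) -> Optional[str]:
    """Return the user's email from a (signature-verified) SAML response.

    Prefer the Subject NameID when it is an email address; otherwise fall
    back to the attribute named by the Email attribute setting. The
    attribute name is compared literally (case-sensitive, no normalization),
    which is why the value entered must match the IdP exactly.
    """
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        value = name_id.text.strip()
        fmt = name_id.get("Format", "")
        # Assumption: treat NameID as the email only when its format says so,
        # or when no format is given and the value looks like an address.
        if fmt.endswith(":emailAddress") or (not fmt and "@" in value):
            return value
    if email_attribute:
        for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == email_attribute:
                val = attr.find("saml:AttributeValue", NS)
                if val is not None and val.text and val.text.strip():
                    return val.text.strip()
    return None


def admit(email: Optional[str], allowed_domains: Iterable[str],
          invited_only: bool, existing_users: Iterable[str]) -> Tuple[bool, str]:
    """Apply the Allowed Domains and Invited users only rules.

    Returns (admitted, reason). Comparisons are case-insensitive here; that
    is an assumption of this example, not documented DAS behaviour.
    """
    if not email or "@" not in email:
        return False, "no email address in SAML response"
    domain = email.rsplit("@", 1)[1].lower()
    if domain not in {d.lower() for d in allowed_domains}:
        return False, f"domain {domain} is not an allowed domain"
    if invited_only and email.lower() not in {u.lower() for u in existing_users}:
        return False, "user has no pre-existing account (invited users only)"
    return True, "ok"


if __name__ == "__main__":
    email = resolve_email(SAMPLE_RESPONSE, EMAIL_CLAIM)
    print(email, admit(email, ["domain.com"], True, ["user123@domain.com"]))
    # A wrong attribute name yields no email, so the login is rejected.
    print(admit(resolve_email(SAMPLE_RESPONSE, "emailaddress"), ["domain.com"], False, []))
```

Run it with the sample as-is to see the attribute path succeed, then change EMAIL_CLAIM in the `resolve_email` call to a near-miss such as the same URI with a trailing slash to see the literal match fail, which is the failure mode to check first when SSO logins stop with a missing-email error.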