Overview
Styra DAS supports Security Assertion Markup Language (SAML) for Single Sign On (SSO). You can find the settings for configuring SAML, as follows:
- Under WORKSPACE on the left-hand navigation panel, click `<das-id>.styra.com`.
- Click the Access Control tab.
- Click Single Sign-On Providers.
- Click the SAML tab.
When you click the Add SAML Provider button to create a new SSO provider, provide the following details:
- Provider name: The name for your identity provider setting, for example "SSOSAMLOKTA". This name is visible to users on the login page.
  - The provider name is not arbitrary: it depends on the DAS callback URL specified in the SAML Identity Provider configuration. The callback URL format is `https://<das-id>.styra.com/v1/saml/{unique-name}/callback`.
  - The provider name must be the unique name specified in the callback URL. For example, if the URL is `https://test.styra.com/v1/saml/ssosaml/callback`, the provider name must be `ssosaml`.
- Private key: A private key that the Service Provider (DAS) requires to sign the SAML messages or decrypt the SAML assertions if the SAML request is initiated by DAS. Styra DAS digitally signs the request using this private key.
- Private key certificate: The associated certificate for the above private key. When the request is received by the Identity Provider, the digital signature is verified using the public key sent by DAS in this certificate.
  To generate the private key and certificate, run the following command:

  ```bash
  # Self-signed RSA-2048 key pair valid for 10 years; -nodes leaves private.key unencrypted on disk
  openssl req -x509 -newkey rsa:2048 -keyout private.key \
    -out certificate.cert -days 3650 -nodes -subj "/CN=test.styra.com"
  ```

  When the certificate expires, you must renew it in order to keep SAML signing and encryption working.
- Identity provider metadata: SAML metadata provided by your identity provider.
- Allowed Domains: The allowed authentication domain(s) of your users, for example `<das-id>.styra.com`. If the identity provider supports multiple domains, only users with these domains are allowed to access the service.
- Invited users only: If enabled, the authenticated user must have a pre-existing account in `<das-id>.styra.com`. If disabled, a new user account is created immediately for any user coming through SSO, as long as the user's domain matches one of the allowed domains and the identity provider has the user assigned to the Styra application.
- Enabled: Whether this SSO provider is currently active.
The following field is optional:

- Email attribute: If the SAML response from the identity provider does not carry the email address in the Subject tag (`<saml:Subject>`), the email address will be in an Attribute tag (`<saml:Attribute>`). Make sure to specify the attribute name in this field.

  For example, `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` is entered in the Email attribute field for the following SAML response. This entry must be checked with the identity provider.

  ```xml
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">user123@domain.com</saml:AttributeValue>
  </saml:Attribute>
  ```
Optional Email
Styra DAS supports using an SSO custom claim to uniquely identify a user rather than using the default `email` claim as the user ID. Use the `unique_claim` field in `/v1/identity-providers` to specify the SSO claim to be used as the unique identifier instead of the SSO user's email. If not set, Styra DAS continues to use the value of the `email` claim to set the user ID.

When configuring a `unique_claim` value, the associated value for `allowed_domains` must be set to `[]string{"*"}`.

Styra DAS admins must be careful to set `unique_claim` to an SSO claim that is unique for every user. Otherwise, multiple SSO-authenticated users may be assigned the same User ID within Styra DAS.
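The following added example (not Styra's code) models the identity rules from the Email attribute and `unique_claim` sections above: the email is read from the configured attribute when the Subject does not carry it, a `unique_claim` is only honoured when `allowed_domains` is the wildcard list, and a claim that is missing or multi-valued is rejected rather than silently mapped. The sample assertion, the `employeeId` claim name and the assumption that the Subject NameID is the email when no Email attribute is configured are all constructed for this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample: the Subject NameID is an opaque ID, so the email only
# arrives as a <saml:Attribute>; a second attribute serves as the unique_claim.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}">
  <saml:Subject><saml:NameID>u-4711</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}">
      <saml:AttributeValue>user123@domain.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="employeeId">
      <saml:AttributeValue>E-0042</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def saml_attributes(assertion_xml):
    """Map each <saml:Attribute Name> to the list of its AttributeValue texts."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", SAML_NS)]
            for a in root.findall(".//saml:Attribute", SAML_NS)}

def resolve_user(assertion_xml, allowed_domains, email_attribute=None, unique_claim=None):
    """Return (user_id, email) per the page's rules, or raise ValueError.
    Assumption: with no email_attribute configured, the Subject NameID is the email."""
    attrs = saml_attributes(assertion_xml)
    if email_attribute:
        email = (attrs.get(email_attribute) or [None])[0]
    else:
        node = ET.fromstring(assertion_xml).find(".//saml:Subject/saml:NameID", SAML_NS)
        email = node.text if node is not None else None
    if not email or "@" not in email:
        raise ValueError("no email address in Subject or in the configured attribute")
    if unique_claim:
        # Page rule: a unique_claim is only valid with allowed_domains set to ["*"].
        if allowed_domains != ["*"]:
            raise ValueError('unique_claim requires allowed_domains == ["*"]')
        values = attrs.get(unique_claim, [])
        if len(values) != 1 or not values[0]:
            raise ValueError(f"claim {unique_claim!r} missing or not single-valued")
        return values[0], email
    domain = email.rsplit("@", 1)[1].lower()
    if "*" not in allowed_domains and domain not in {d.lower() for d in allowed_domains}:
        raise ValueError(f"domain {domain!r} is not an allowed domain")
    return email, email
```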