Apr 19, 2023
Login with Teleport. Teleport as a SAML Identity Provider
Starting with Teleport 12.1, Teleport Enterprise teams can use Teleport as a SAML SSO identity provider. This feature allows teams to use Teleport to authenticate to external services, thereby letting teams use SAML SSO to log in to external SaaS apps and internal applications that support SAML.
Let’s look at a few examples:
SSO into Jira
SSO into Jenkins
Why we built it
Since Teleport 5, Teleport has been able to secure internal applications using Teleport Application Access and has offered JWTs to log in to applications such as Grafana or Elasticsearch.
A common pattern among teams is the desire to leverage Teleport’s security capabilities for core services. In larger organizations, an IT department may be in charge of the central employee directory but an engineering team often wants to enforce stricter security requirements. For example, providing provenance of machine identity using Device Trust, requiring everyone to have a hardware token, or using just-in-time access requests.
Learn more about Teleport as a SAML Identity Provider
Want to learn more about Teleport as a SAML identity provider? Join our upcoming webinar on April 27th at 9am PT.
A refresher on SAML, IdP and SSO
While writing this post, I quickly became overwhelmed by the number of acronyms used for a simple feature, such as logging into an external app.
Here are a few primers:
What is single sign-on?
Single sign-on (SSO) is an authentication process that allows a user to access multiple applications or services with one set of login credentials. It simplifies the user experience by reducing the need to remember multiple passwords and streamlining the login process across various platforms.
What is SAML?
Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between parties, specifically between an identity provider and a service provider. It enables single sign-on (SSO) by allowing users to authenticate at one location and then access multiple applications or services without needing to re-enter their credentials. Read this introductory guide on SAML.
How does SAML work?
SAML works by exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP) using XML-based SAML assertions. The process enables single sign-on, allowing users to authenticate at the IdP once and then access multiple applications or services without re-entering their credentials. Learn more about how SAML works.
What is an IdP?
An Identity Provider (IdP) is a service that authenticates users' identities and issues security tokens, such as SAML assertions. It plays a crucial role in single sign-on (SSO) by centralizing user authentication and granting access to multiple service providers based on the users' credentials.
Try Teleport as a SAML identity provider
Teleport as a SAML identity provider is currently in preview and is an Enterprise-only feature. If you would like an Enterprise license to try it out, please get in touch with our team. Below is an abridged version of our documentation on Teleport as a SAML identity provider.
Step 1: Map out the applications you want to use with SAML.
An important first step is to identify which applications you would like to log in to with Teleport and SAML, and whether the plan you have for each application supports it. SAML SSO often requires a plugin or an extra plan to turn on, which for external SaaS apps usually means a paid plan. If you’re building applications in-house, there are many great open-source libraries that provide SAML SSO for your app; for example, Node SAML, Go SAML, Ruby SAML and many more.
Step 2: Configure a Teleport role with access to SAML service provider objects.
The next step is to create a role that provides access to the SAML service provider objects. This is required to run the commands that create or update a SAML service provider.

```yaml
kind: role
version: v6
metadata:
  name: sp-manager
spec:
  allow:
    rules:
      - resources: [saml_idp_service_provider]
        verbs: [list, create, read, update, delete]
```
The default editor role already has this access.
Step 3. Configure Application to recognize Teleport's identity provider.
The next step in configuring the application for SSO is retrieving Teleport's SAML identity provider metadata. You can obtain this metadata in XML format by navigating to https://<proxy-address>/enterprise/saml-idp/metadata; the browser saves the file into its Downloads folder.
Step 4: Add service provider metadata to Teleport.
Next, create a saml_idp_service_provider resource in Teleport using the SAML metadata exported by the application. For more information on where to find that metadata, refer to your application’s documentation. The metadata goes into the resource definition, and tctl creates the resource in Teleport. More details are in the documentation.
Teleport requires this metadata to be in XML format which some applications do not provide. If your application does not supply the service provider metadata in XML, you may need to translate the metadata using a tool such as the service provider metadata builder found here.
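The following is an added example (not part of the original post or Teleport's own tooling) covering Steps 2 through 4: it builds a minimal SAML 2.0 service provider EntityDescriptor from an entity ID and ACS URL (the case where the application does not hand you XML), checks that a descriptor you received really is SP metadata and only uses HTTPS assertion consumer endpoints, and wraps it in a saml_idp_service_provider resource definition for tctl. The resource field names (kind, version v1, metadata.name, spec.entity_descriptor) are what I recall from Teleport's documentation; verify them against the docs for your version. All hostnames are constructed placeholders.

```python
import textwrap
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace and the binding Teleport's IdP posts assertions to.
SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", SAML_MD_NS)


def _md(tag: str) -> str:
    """Clark-notation name for an element in the SAML metadata namespace."""
    return f"{{{SAML_MD_NS}}}{tag}"


def build_sp_metadata(entity_id: str, acs_url: str, want_assertions_signed: bool = True) -> str:
    """Build a minimal SP EntityDescriptor for an app that only gives you an entity ID and ACS URL."""
    root = ET.Element(_md("EntityDescriptor"), {"entityID": entity_id})
    sp = ET.SubElement(root, _md("SPSSODescriptor"), {
        "protocolSupportEnumeration": SAML_PROTOCOL_NS,
        # Ask the IdP to sign assertions so the SP can verify their origin.
        "WantAssertionsSigned": "true" if want_assertions_signed else "false",
    })
    ET.SubElement(sp, _md("NameIDFormat")).text = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    ET.SubElement(sp, _md("AssertionConsumerService"), {
        "Binding": HTTP_POST_BINDING,
        "Location": acs_url,
        "index": "0",
        "isDefault": "true",
    })
    return ET.tostring(root, encoding="unicode")


def parse_sp_metadata(xml_text: str) -> dict:
    """Validate SP metadata received from an application and extract what Teleport needs.

    Rejects non-SP metadata (e.g. an IdP descriptor pasted by mistake) and reports
    whether every ACS endpoint is HTTPS, since assertions are posted to these URLs.
    """
    root = ET.fromstring(xml_text)
    if root.tag != _md("EntityDescriptor"):
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    sp = root.find(_md("SPSSODescriptor"))
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    acs_urls = [e.get("Location") for e in sp.findall(_md("AssertionConsumerService")) if e.get("Location")]
    if not acs_urls:
        raise ValueError("no AssertionConsumerService with a Location")
    return {
        "entity_id": entity_id,
        "acs_urls": acs_urls,
        "https_only": all(u.startswith("https://") for u in acs_urls),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


def teleport_service_provider_resource(name: str, xml_text: str) -> str:
    """Render the YAML for `tctl create` (field names assumed from Teleport's docs)."""
    descriptor = textwrap.indent(xml_text, "    ")
    return (
        "kind: saml_idp_service_provider\n"
        "version: v1\n"
        "metadata:\n"
        f"  name: {name}\n"
        "spec:\n"
        "  entity_descriptor: |\n"
        f"{descriptor}\n"
    )


def demo() -> dict:
    """Round trip with constructed inputs: build, validate, and render the resource."""
    xml = build_sp_metadata("https://app.example.internal/saml/metadata",
                            "https://app.example.internal/saml/acs")
    info = parse_sp_metadata(xml)
    resource = teleport_service_provider_resource("example-app", xml)
    # Constructed IdP-style descriptor: must be rejected, it is not SP metadata.
    idp_like = (f'<EntityDescriptor xmlns="{SAML_MD_NS}" entityID="https://idp.example.internal">'
                "<IDPSSODescriptor/></EntityDescriptor>")
    try:
        parse_sp_metadata(idp_like)
        rejected = False
    except ValueError:
        rejected = True
    return {"info": info, "resource": resource, "idp_metadata_rejected": rejected}


if __name__ == "__main__":
    print(demo()["resource"])
```

Write the printed YAML to a file and create it with `tctl create <file>` as a user holding a role like sp-manager above; if `https_only` comes back false, fix the application's ACS URL before onboarding it rather than letting assertions be posted over plain HTTP.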
Step 5: Log into the application.
The last step is to log into the application and verify that SAML SSO is working correctly. This process is a little easier if the application is also protected by Teleport Application Access, since the application will show up in the Teleport UI. For external SaaS applications, you’ll need to log in via their platform; for example, see the Jira example above.
Learn more about Teleport as a SAML identity provider
On April 27th, we’ll dive deeper into using Teleport as a SAML provider, covering how companies protect access to applications using Teleport. This webinar will focus on the workflow for quickly onboarding engineers to access your infrastructure and highlight how teams can use Teleport as a SAML IdP for apps and websites.
Stay up-to-date with the newest Teleport releases by subscribing to our monthly updates.