No More Backdoors: Know Who Has Access to What, Right Now
Jun 13
Register Today
Teleport logoTry For Free
Fork me on GitHub


SAML Identity Provider Reference

This page provides details on the SAML identity provider, built into Teleport since version 12.1.

What is the SAML identity provider?

The SAML identity provider allows Teleport users to authenticate and authorize to external applications, both inside and outside of Teleport, that support SAML Single Sign-On.

Basic definitions

The following definitions are paraphrased and summarized from OASIS's SAML specification documents, referenced at the bottom of this page.


A package of information that supplies zero or more statements made by an identity provider. Assertions are usually made about a subject, which in Teleport's case will be Teleport users. These can be viewed as statements of fact about a user, e.g. "user bob belongs to roles editor, access."

Service Provider

A service provider can make use of assertions about a subject in order to control access and provide customized service. They rely on the identity provider for these assertions. In Teleport's case, service providers are typically applications like Slack, Vercel, etc. that allow SAML Single Sign-On.

Identity Provider

A service that makes assertions about a subject.

Service/identity provider initiated SSO

The login process can be initiated by either the service provider or the identity provider. The processes to trigger either of these are subtly different. The service provider is responsible for initiating the SSO process for service provider initiated SSO. The identity provider is responsible for initiating the process for identity provider initiated SSO.


Metadata URL


This is the URL where the identity provider XML metadata can be retrieved from. Service providers will require information from this file to establish the trust between the service provider and identity provider.

Single Sign-On Service URL


This is the URL that service providers will use to exchange assertions with the identity provider. This URL supports the following bindings:

  • HTTP-Redirect

Identity provider initiated SSO URL


This URL triggers identity provider initiated SSO. sp-name matches the of the service provider object for a particular service provider.

Teleport SAML service provider object

Below is a service provider object. These objects must be added to Teleport in order for Teleport to trust external service providers.

kind: saml_idp_service_provider
  # The friendly name of the service provider. This is used to manage the
  # service provider as well as in identity provider initiated SSO.
  name: saml-service-provider
  # The entity_descriptor is the service provider XML.
  entity_descriptor: |
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"...
version: v1


The assertions currently provided by Teleport's SAML identity provider are listed below.

Friendly nameFull nameDescriptionFormat
uidurn:oid:0.9.2342.19200300.100.1.1The user ID from Teleporturn:oasis:names:tc:SAML:2.0:attrname-format:uri
eduPersonAffiliationurn:oid: user's Teleport rolesurn:oasis:names:tc:SAML:2.0:attrname-format:uri

Disabling SAML identity provider access

Role level

To disable access to the SAML identity provider at the role level, assign a role to a user with the follow role option:

        enabled: false

If a user is assigned to any role that disables access to the identity provider, access will be denied even if other roles allow access.

Cluster level

To disable access to the identity provider at the cluster level, create or update the cluster_auth_preference object with the following setting:

kind: cluster_auth_preference
  name: cluster-auth-preference
      enabled: false
version: v2

This will disable access to the SAML identity provider for all users regardless of their role level permissions.


The SAML identity provider supports HSM. in 12.2.5 and later.


Bad Request when logging into an external application

If the Teleport server returns a Bad Request the service provider metadata may not have been added properly to Teleport and, as a result, Teleport is unable to find the service provider. You can verify this by looking for a log entry in Teleport's logs:

2023-03-01T10:32:34-05:00 INFO [SAMLIDP] failed to validate request: cannot find service provider could not find service provider pid:31036.1 [email protected]/identity_provider.go:232

Not Found when logging into an external application

If the Teleport server returns a Not Found, make sure that none of the roles belonging to your user have SAML IdP access explicitly disabled. In the options section of each of the user roles, look for the idp section for the saml access to be disabled. Also, ensure the user's role allows the list and read action for the saml_idp_service_provider resource.

    - resources:
      - saml_idp_service_provider
      - list
      - read
        enabled: false