Version: 18.x

This page explains how access to a SAML IdP service provider resource (SAML application) can be managed in Teleport.

If you are new to the Teleport SAML IdP, start by learning how to configure Teleport as a SAML IdP.

User access to the SAML IdP service provider resource falls into two use cases:

- Accessing a SAML IdP service provider resource (a SAML application). For example, when a Teleport user signs in to a SAML application through the Teleport SAML IdP.
- Managing a SAML IdP service provider resource. For example, when a Teleport administrator creates or updates a SAML IdP service provider resource.

In both cases, access is configured with a Teleport role that carries an allow/deny rule targeting the `saml_idp_service_provider` resource, together with `app_labels` label matchers that match the labels of the `saml_idp_service_provider` resource.

The Teleport SAML IdP applies different RBAC logic to the service provider resource in role version 8 than in role version 7 and below.

In role version 7 and below, the following access controls govern access to the `saml_idp_service_provider` resource:

1. Role option that enables the IdP: `spec.options.idp.saml.enabled: true/false`.
2. Cluster auth preference that enables the IdP: `spec.idp.saml.enabled: true/false`.
3. Resource rule `spec.allow/deny.rules.resources.saml_idp_service_provider`. Applicable only to admin actions. Allow rules with the `read` and `list` verbs are applied implicitly; deny rules with the `read` and `list` verbs take precedence over the implicit allow.
4. Per-session MFA: `spec.options.require_session_mfa: true/false`. Applicable only to admin actions.

Teleport role version 8 (released with Teleport version 18.0) introduced the following RBAC changes:

1. Label matchers based on `app_labels`.
2. The resource rule with verbs targeting `saml_idp_service_provider` now applies to both resource access and admin actions.
3. Device Trust for the SAML IdP session.

The role option `spec.options.idp.saml.enabled: true/false` is no longer supported starting with role version 8.

Per session MFA is supported in all role versions.

Users can be assigned both the newer role (version 8) and older versioned roles (version 7 and below) at the same time. If a user is assigned both a version 7 and a version 8 role, the deny rules of the version 8 role take precedence.

For example:

- If the version 7 role denies access, access is denied.
- If the version 7 role allows access but the version 8 role denies access, access is denied.
- If the version 7 role allows access but the version 8 role does not explicitly allow access (via matching `app_labels`), access is denied.
- If the version 7 role allows access and the version 8 role also allows access, access is allowed.

The table below shows a few more examples of the applicable RBAC when a user is assigned one version 7 role and one version 8 role. The role fragments are shown in YAML flow style for brevity.

| Role v7 | Role v8 | Result |
|---|---|---|
| `options: {idp: {saml: {enabled: false}}}` | `allow: {app_labels: {'*': '*'}}` | ❌ no access |
| `options: {idp: {saml: {enabled: true}}}` | `deny: {app_labels: {'*': '*'}}` | ❌ no access |
| `options: {idp: {saml: {enabled: true}}}` | `allow: {app_labels: {'*': '*'}}` together with `deny: {rules: [{resources: [saml_idp_service_provider], verbs: [read, list]}]}` | ❌ no access |
| `options: {idp: {saml: {enabled: true}}}` | `allow: {app_labels: {'*': '*'}}` | ✅ full access |
| No version 7 role assigned to the user | `allow: {app_labels: {'*': '*'}}` | ✅ full access |
| `options: {idp: {saml: {enabled: true}}}` | `allow: {app_labels: {env: dev}}` | ✅ access to SAML apps whose resource label matches `env: dev` |
| `options: {idp: {saml: {enabled: true}}}` | No version 8 role assigned to the user | ✅ full access |
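The precedence rules above, written out as a small Python model so they can be checked against the rows of the table. This is an added illustration, not Teleport's code: roles are plain dicts shaped like the page's YAML, label matching is simplified to exact values plus the `'*': '*'` wildcard, and a version 7 role with the option absent is treated as disabled (an assumption of the model).

```python
from typing import Optional

# Added model (not Teleport's code) of the documented precedence between one
# role version 7 role and one role version 8 role for saml_idp_service_provider
# access. Roles are dicts shaped like the page's YAML.

def labels_match(matcher: dict, resource_labels: dict) -> bool:
    """Simplified label matching: exact values, with '*' as a wildcard."""
    if not matcher:                      # an empty matcher matches nothing
        return False
    for key, value in matcher.items():
        if key == "*" and value == "*":  # '*': '*' matches every resource
            continue
        if value != "*" and resource_labels.get(key) != value:
            return False
    return True

def v7_allows(role_v7: Optional[dict]) -> Optional[bool]:
    """Version 7: access is gated by spec.options.idp.saml.enabled.
    None means no version 7 role is assigned. Absent option = disabled (model assumption)."""
    if role_v7 is None:
        return None
    options = role_v7.get("spec", {}).get("options", {})
    return bool(options.get("idp", {}).get("saml", {}).get("enabled", False))

def v8_allows(role_v8: Optional[dict], resource_labels: dict) -> Optional[bool]:
    """Version 8: a matching deny app_labels matcher, or a deny rule on the
    resource kind with read/list, wins; otherwise allow app_labels must match."""
    if role_v8 is None:
        return None
    spec = role_v8.get("spec", {})
    deny = spec.get("deny", {})
    if labels_match(deny.get("app_labels", {}), resource_labels):
        return False
    for rule in deny.get("rules", []):
        if ("saml_idp_service_provider" in rule.get("resources", [])
                and {"read", "list"} & set(rule.get("verbs", []))):
            return False                 # denied read/list beats the implicit allow
    return labels_match(spec.get("allow", {}).get("app_labels", {}), resource_labels)

def saml_app_access(role_v7, role_v8, resource_labels) -> bool:
    """Every assigned role version must allow; no role assigned means no access."""
    verdicts = [v for v in (v7_allows(role_v7), v8_allows(role_v8, resource_labels))
                if v is not None]
    return bool(verdicts) and all(verdicts)

# Constructed roles mirroring the rows of the table above.
V7_ON = {"spec": {"options": {"idp": {"saml": {"enabled": True}}}}}
V7_OFF = {"spec": {"options": {"idp": {"saml": {"enabled": False}}}}}
V8_ALLOW_ALL = {"spec": {"allow": {"app_labels": {"*": "*"}}}}
V8_DENY_ALL = {"spec": {"deny": {"app_labels": {"*": "*"}}}}
V8_DENY_READ = {"spec": {"allow": {"app_labels": {"*": "*"}},
                         "deny": {"rules": [{"resources": ["saml_idp_service_provider"],
                                             "verbs": ["read", "list"]}]}}}
V8_DEV_ONLY = {"spec": {"allow": {"app_labels": {"env": "dev"}}}}
DEV_APP = {"env": "dev"}                 # constructed resource labels of a SAML app
```

Calling `saml_app_access(V7_ON, V8_DEV_ONLY, DEV_APP)` returns `True`, while the same roles against an app labelled `env: prod` return `False`.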

Admin actions: the `saml_idp_service_provider` resource does not yet support MFA and Device Trust for admin actions.

The following are examples of Teleport roles that grant permission to either access or manage the SAML IdP service provider resource.

To manage the resource, the role needs to target the `saml_idp_service_provider` resource with the `create`, `update`, `read`, `list` and `delete` verbs, or whichever subset of them is needed.

The role should also grant access to `app_labels` that match the resource labels configured on the `saml_idp_service_provider` resource.

`saml_idp_service_provider` resource access verbs:

```yaml
kind: role
version: v8
metadata:
  name: saml-resource-manager
spec:
  allow:
    app_labels:
      'env': 'dev'
    rules:
    - resources:
      - saml_idp_service_provider
      verbs:
      - read
      - list
      - create
      - update
      - delete
```

To access a SAML application, the user needs, at minimum, `read` and `list` access to the `saml_idp_service_provider` resource and an `app_labels` value matching the resource label defined on the `saml_idp_service_provider` resource.

Resource labels matching the role `app_labels`:

```yaml
kind: role
version: v8
metadata:
  name: saml-access
spec:
  allow:
    app_labels:
      'env': 'dev'
    rules:
    - resources:
      - saml_idp_service_provider
      verbs:
      - read
      - list
  options:
    device_trust_mode: required
    require_session_mfa: true
```

To disable access to the identity provider at the cluster level, create or update the `cluster_auth_preference` object with the following setting:

```yaml
kind: cluster_auth_preference
metadata:
  name: cluster-auth-preference
spec:
  ...
  idp:
    saml:
      enabled: false
  ...
version: v2
```

This disables access to the SAML identity provider for all users, regardless of their role-level permissions.