SAML Connector V2 Reference
Kind: saml
Version: v2
Represents a SAML connector.
Top-level fields
Example:
```yaml
kind: "string"
sub_kind: "string"
version: "string"
metadata: # [...]
spec: # [...]
```
| Field Name | Description | Type |
|---|---|---|
| kind | A resource kind. | string |
| metadata | Holds resource metadata. | Metadata |
| spec | A SAML connector specification. | SAML Connector Spec V2 |
| sub_kind | An optional resource sub kind, used in some resources. | string |
| version | The resource version. It must be specified. Supported values are: v2. | string |
Asymmetric Key Pair
A combination of a public certificate and private key that can be used for encryption and signing.
Example:
```yaml
private_key: "string"
cert: "string"
```
| Field Name | Description | Type |
|---|---|---|
| cert | A PEM-encoded x509 certificate. | string |
| private_key | A PEM-encoded x509 private key. | string |
Attribute Mapping
Maps a SAML attribute statement to teleport roles.
Example:
```yaml
name: "string"
value: "string"
roles:
  - "string"
  - "string"
  - "string"
```
| Field Name | Description | Type |
|---|---|---|
| name | An attribute statement name. | string |
| roles | A list of static teleport roles to map to. | []string |
| value | An attribute statement value to match. | string |
Entra ID Groups Provider
Configures the out-of-band user groups provider. For OIDC, it works by following the groups claim source, which is sent in place of the "groups" claim when the user's group membership exceeds the 200-item limit. For SAML, it works by following the "groups.link" SAML attribute, which is sent instead of the "groups" SAML attribute when the user's group membership exceeds the 150-item limit.
Example:
```yaml
disabled: true
group_type: "string"
graph_endpoint: "string"
```
| Field Name | Description | Type |
|---|---|---|
| disabled | Disables the groups provider even when Entra ID responds with a groups claim source. Disable it when an integration such as SCIM or a similar groups importer already provides group membership, since connector-based role mapping may not be needed in that scenario. | Boolean |
| graph_endpoint | A Microsoft Graph API endpoint. The groups claim source endpoint that Entra ID provides points to the now-retired Azure AD Graph endpoint ("https://graph.windows.net"). To convert it to the newer Microsoft Graph API, Teleport defaults to the Microsoft Graph global service endpoint ("https://graph.microsoft.com"). Set graph_endpoint to a different Microsoft Graph national cloud deployment endpoint if required. | string |
| group_type | A user group type filter. Defaults to "security-groups". Valid values are "security-groups", "directory-roles" and "all-groups". | string |
Metadata
Resource metadata
Example:
```yaml
name: "string"
description: "string"
labels:
  "string": "string"
  "string": "string"
  "string": "string"
expires: # See description
revision: "string"
```
| Field Name | Description | Type |
|---|---|---|
| description | The object description. | string |
| expires | A global expiry time header that can be set on any resource in the system. | |
| labels | A set of labels. | map[string]string |
| name | The object name. | string |
| revision | An opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. | string |
OAuth Client Credentials
Holds the credentials to use for OAuth client credentials grant.
Example:
```yaml
client_id: "string"
client_secret: "string"
```
| Field Name | Description | Type |
|---|---|---|
| client_id | The client ID to use for the OAuth client credentials grant. | string |
| client_secret | The client secret to use for OAuth client credentials grant. | string |
SAML Connector Credentials
Holds credentials for a SAML connector to authenticate against the identity provider. Only one type of credential should be specified at a time.
Example:
```yaml
oauth: # [...]
```
| Field Name | Description | Type |
|---|---|---|
| oauth | The credentials to use for the OAuth client credentials grant. | OAuth Client Credentials |
SAML Connector MFA Settings
Contains SAML MFA settings.
Example:
```yaml
enabled: true
entity_descriptor: "string"
entity_descriptor_url: "string"
force_authn: # [...]
issuer: "string"
sso: "string"
cert: "string"
```
| Field Name | Description | Type |
|---|---|---|
| cert | The identity provider certificate PEM. The IdP signs `<Response>` elements using this certificate. | string |
| enabled | Specifies whether this SAML connector supports MFA checks. Defaults to false. | Boolean |
| entity_descriptor | The IdP entity descriptor XML. It can supply configuration parameters in one XML document rather than in the individual fields. Usually populated from entity_descriptor_url. | string |
| entity_descriptor_url | A URL that supplies the configuration XML. | string |
| force_authn | Specifies whether re-authentication should be forced for MFA checks. UNSPECIFIED is treated as YES, so re-authentication is always required for MFA checks. Set this to NO only if the IdP is set up to perform MFA checks on top of active user sessions. | SAML Force Authn |
| issuer | The identity provider issuer. Usually populated from the entity descriptor. | string |
| sso | The URL of the identity provider's SSO service. Usually populated from the entity descriptor. | string |
SAML Connector Spec V2
A SAML connector specification.
Example:
```yaml
issuer: "string"
sso: "string"
cert: "string"
display: "string"
acs: "string"
audience: "string"
service_provider_issuer: "string"
entity_descriptor: "string"
entity_descriptor_url: "string"
attributes_to_roles:
  - # [...]
  - # [...]
  - # [...]
signing_key_pair: # [...]
provider: "string"
assertion_key_pair: # [...]
allow_idp_initiated: true
client_redirect_settings: # [...]
single_logout_url: "string"
mfa: # [...]
force_authn: # [...]
preferred_request_binding: "string"
user_matchers:
  - "string"
  - "string"
  - "string"
include_subject: true
entra_id_groups_provider: # [...]
credentials: # [...]
```
| Field Name | Description | Type |
|---|---|---|
| acs | A URL for assertion consumer service on the service provider (Teleport's side). | string |
| allow_idp_initiated | A flag that indicates if the connector can be used for IdP-initiated logins. | Boolean |
| assertion_key_pair | A key pair used for decrypting SAML assertions. | Asymmetric Key Pair |
| attributes_to_roles | A list of mappings of attribute statements to roles. | []Attribute Mapping |
| audience | Uniquely identifies our service provider. | string |
| cert | The identity provider certificate PEM. The IdP signs `<Response>` elements using this certificate. | string |
| client_redirect_settings | Defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones. | SSO Client Redirect Settings |
| credentials | Configures how the connector authenticates against the identity provider for ancillary operations, for example a standalone Entra ID SAML connector authenticating to the Microsoft Graph API. | SAML Connector Credentials |
| display | Controls how this connector is displayed. | string |
| entity_descriptor | The IdP entity descriptor XML. It can supply configuration parameters in one XML document rather than in the individual fields. | string |
| entity_descriptor_url | A URL that supplies a configuration XML. | string |
| entra_id_groups_provider | Configures the out-of-band user groups provider. It works by following the "groups.link" SAML assertion attribute, which is sent instead of the "groups" attribute when the user's group membership exceeds the 150-item limit. | Entra ID Groups Provider |
| force_authn | Specifies whether re-authentication should be forced on login. UNSPECIFIED is treated as NO. | SAML Force Authn |
| include_subject | A flag that indicates whether the Subject element is included in the SAML authentication request. Defaults to false. Note: Some IdPs will reject requests that contain a Subject. | Boolean |
| issuer | The identity provider issuer. | string |
| mfa | Contains settings to enable SSO MFA checks through this auth connector. | SAML Connector MFA Settings |
| preferred_request_binding | The preferred SAML request binding. Value must be either "http-post" or "http-redirect". In general the SAML identity provider lists the request bindings it supports and the service provider picks the one it prefers among them; Teleport, however, has never honored the IdP-provided binding and has always used http-redirect by default. Setting preferred_request_binding preserves that existing behavior and uses http-post only when it is explicitly configured. | string |
| provider | The external identity provider. | string |
| service_provider_issuer | The issuer of the service provider (Teleport). | string |
| signing_key_pair | An x509 key pair used to sign AuthnRequest. | Asymmetric Key Pair |
| single_logout_url | The SAML Single log-out URL to initiate SAML SLO (single log-out). If this is not provided, SLO is disabled. | string |
| sso | The URL of the identity provider's SSO service. | string |
| user_matchers | A set of glob patterns to narrow down which username(s) this auth connector should match for identifier-first login. | []string |
SAML Force Authn
Specifies whether existing SAML sessions should be accepted or re-authentication should be forced.
SSO Client Redirect Settings
Contains settings to define which additional client redirect URLs should be allowed for non-browser SSO logins.
Example:
```yaml
allowed_https_hostnames:
  - "string"
  - "string"
  - "string"
insecure_allowed_cidr_ranges:
  - "string"
  - "string"
  - "string"
```
| Field Name | Description | Type |
|---|---|---|
| allowed_https_hostnames | A list of hostnames allowed for HTTPS client redirect URLs. | []string |
| insecure_allowed_cidr_ranges | A list of CIDRs allowed for HTTP or HTTPS client redirect URLs. | []string |
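A complete connector resource that ties the sections above together, added here as an illustration rather than taken from the Teleport documentation. It assumes the IdP is Entra ID (so the groups provider and OAuth credentials apply); hostnames, group object IDs and the OAuth client values are placeholders.

```yaml
kind: saml
version: v2
metadata:
  name: entra-id                      # constructed connector name
  description: Entra ID SAML login for staff
  labels:
    env: prod
spec:
  display: Entra ID
  # issuer, sso and cert are taken from the IdP metadata fetched from this URL.
  entity_descriptor_url: "https://login.example-idp.test/metadata.xml"   # placeholder
  # Service-provider identity as registered with the IdP (placeholder host).
  acs: "https://teleport.example.test/v1/webapi/saml/acs/entra-id"
  audience: "https://teleport.example.test/v1/webapi/saml/acs/entra-id"
  service_provider_issuer: "https://teleport.example.test/v1/webapi/saml/acs/entra-id"
  # IdP-initiated logins are unsolicited assertions; keep them off unless required.
  allow_idp_initiated: false
  # http-redirect remains the default; http-post is used only when set explicitly.
  preferred_request_binding: http-post
  include_subject: false
  # Group attribute values map to static Teleport roles (placeholder group object IDs).
  attributes_to_roles:
    - name: groups
      value: "00000000-0000-0000-0000-000000000001"
      roles: [editor, auditor]
    - name: groups
      value: "00000000-0000-0000-0000-000000000002"
      roles: [access]
  # Resolves groups.link when a user belongs to more than 150 groups.
  entra_id_groups_provider:
    disabled: false
    group_type: security-groups
    graph_endpoint: "https://graph.microsoft.com"
  # Credentials the connector uses against the Microsoft Graph API (placeholders).
  credentials:
    oauth:
      client_id: "<app-registration-client-id>"
      client_secret: "<app-registration-client-secret>"
  mfa:
    enabled: true
    entity_descriptor_url: "https://login.example-idp.test/metadata.xml"
    # force_authn is left unset: UNSPECIFIED is treated as YES for MFA checks.
  client_redirect_settings:
    allowed_https_hostnames:
      - "ci-runner.corp.example.test"
    # Left empty on purpose: plain-HTTP redirect targets would carry the SSO response unencrypted.
    insecure_allowed_cidr_ranges: []
  single_logout_url: "https://login.example-idp.test/slo"   # placeholder; omit to disable SLO
```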