Using Teleport as a SAML identity provider

Report an issue with this page

This guide details an example on how to use Teleport as a SAML identity provider (IdP). You can set up the Teleport SAML IdP to enable Teleport users to authenticate to external services through Teleport.

How it works

On Teleport Enterprise deployments, the Teleport SAML IdP runs as part of the Teleport Proxy Service and exposes paths of the Proxy Service HTTP API that implement a SAML IdP. You can register a third-party application with the IdP by creating a Teleport dynamic resource, the SAML IdP service provider, that includes information about the application.

Prerequisites

• A running Teleport Enterprise cluster. If you do not have one, read Getting Started.

• The tctl and tsh clients.

  Installing tctl and tsh clients

  1. Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service:

     TELEPORT_DOMAIN=teleport.example.com:443
     TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"

  2. Follow the instructions for your platform to install tctl and tsh clients:

     Mac

     Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients:

     curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg

     In Finder double-click the pkg file to begin installation.

     danger

     Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

     Windows - Powershell

     curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip
     Unzip the archive and move the `tctl` and `tsh` clients to your %PATH%
     NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP.
     Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\<username>) instead.

     Linux

     All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page.

     curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
     tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
     cd teleport
     sudo ./install
     Teleport binaries have been copied to /usr/local/bin

• To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] to your Teleport username:

  tsh login --proxy=teleport.example.com --user=[email protected]
  tctl status
  Cluster  teleport.example.com
  Version  19.0.0-dev
  CA pin   sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678

  If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.
• If you're new to SAML, consider reviewing our SAML Identity Provider Reference before proceeding.
• SAML application (also known as a SAML service provider or SP) for testing. For this guide, we'll be using RSA Simple Test Service Provider - a free service that lets us test the Teleport SAML IdP. The test service has a protected page, which can be accessed only after a user is federated to the site with a valid SAML assertion flow. Below in this guide, we will refer to this application as the "IAMShowcase" app.

Step 1/4. Create a role

As a first step, we will create a role which will grant permissions to manage a saml_idp_service_provider resource for the IAMShowcase app. The role will also grant permission to log in to this application by authenticating with Teleport. We will name this role as saml-admin.

In the Teleport Web UI, from the side the navigation menu, select Zero Trust Access > Roles menu. From the Roles UI, click Create New Role button.

Enter "saml-admin" as a role name and then click the Next: Resources button to move to the "Resources" tab.

In the Resources tab, open the dropdown menu by clicking on the + Add Teleport Resource Access button, then select Application Access. Enter "env" as the label key and "saml-test" as the label value. In the Step 3 of this guide below, we will create a SAML service provider resource with this matching label value env: saml-test, limiting scope of the permissions granted by this role.

Click Next: Admin Rules button to move to the Admin Rules tab.

In the Admin Rules tab, click + Add New button. In the Teleport Resources input box, search and select the saml_idp_service_provider resource. And then in the Permissions section, check read, list, create, update, delete permissions.

Click Next: Options button to move to next step and then click Create Role button to create a new role.

Reference YAML spec for the saml-admin role.

kind: role
metadata:
  name: saml-admin
spec:
  allow:
    app_labels:
      env: saml-test
    rules:
    - resources:
      - saml_idp_service_provider
      verbs:
      - read
      - list
      - create
      - update
      - delete
version: v8

Assign the saml-admin role to your Teleport user by running the appropriate commands for your authentication provider:

Local User

1. Retrieve your local user's roles as a comma-separated list:

   ROLES=$(tsh status -f json | jq -r '.active.roles | join(",")')

2. Edit your local user to add the new role:

   tctl users update $(tsh status -f json | jq -r '.active.username') \  --set-roles "${ROLES?},saml-admin"

3. Sign out of the Teleport cluster and sign in again to assume the new role.

GitHub

1. Open your github authentication connector in a text editor:

   tctl edit github/github

2. Edit the github connector, adding saml-admin to the teams_to_roles section.

   The team you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the team must include your user account and should be the smallest team possible within your organization.

   Here is an example:

     teams_to_roles:
       - organization: octocats
         team: admins
         roles:
           - access
   +       - saml-admin
   

3. Apply your changes by saving closing the file in your editor.

4. Sign out of the Teleport cluster and sign in again to assume the new role.

SAML

1. Retrieve your saml configuration resource:

   tctl get --with-secrets saml/mysaml > saml.yaml

   Note that the --with-secrets flag adds the value of spec.signing_key_pair.private_key to the saml.yaml file. Because this key contains a sensitive value, you should remove the saml.yaml file immediately after updating the resource.

2. Edit saml.yaml, adding saml-admin to the attributes_to_roles section.

   The attribute you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.

   Here is an example:

     attributes_to_roles:
       - name: "groups"
         value: "my-group"
         roles:
           - access
   +       - saml-admin
   

3. Apply your changes:

   tctl create -f saml.yaml

4. Sign out of the Teleport cluster and sign in again to assume the new role.

OIDC

1. Retrieve your oidc configuration resource:

   tctl get oidc/myoidc --with-secrets > oidc.yaml

   Note that the --with-secrets flag adds the value of spec.signing_key_pair.private_key to the oidc.yaml file. Because this key contains a sensitive value, you should remove the oidc.yaml file immediately after updating the resource.

2. Edit oidc.yaml, adding saml-admin to the claims_to_roles section.

   The claim you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.

   Here is an example:

     claims_to_roles:
       - name: "groups"
         value: "my-group"
         roles:
           - access
   +       - saml-admin
   

3. Apply your changes:

   tctl create -f oidc.yaml

4. Sign out of the Teleport cluster and sign in again to assume the new role.

Step 2/4. Configure the service provider

This step involves configuring the SAML service provider with the Teleport SAML IdP metadata.

You can obtain the Teleport SAML IdP metadata values from the SAML application setup wizard, which is available in the Teleport Web UI.

In the Teleport Web UI, select Add New > Resource menu, and search for "saml application". Choose the "SAML Application (Generic)" tile.

As a first step of the SAML Application setup wizard, the Teleport Web UI displays the Teleport SAML IdP metadata values.

The process of SAML service provider configuration varies from service provider to service provider. Some service provider may ask to provide Teleport SAML IdP's entity ID, SSO URL and X.509 certificate explicitly. Other's may ask to upload the Teleport SAML IdP metadata (SAML entity descriptor) file .

In the case of IAMShowcase app, which this guide is based on, it is designed to grant access protected page for any well formatted IdP federated SAML assertion data.

As such, we will move to the next step in the setup wizard to add the IAMShowcase app to Teleport.

Step 3/4. Add a service provider to Teleport

To add a service provider to Teleport, you must configure a service provider metadata. This can be configured by either providing an entity ID and ACS URL values of the service provider or by providing an entity descriptor value (also known as metadata file, which is an XML file) of the service provider.

Below we'll show both of the configuration options.

Option 1: Configure with entity ID and ACS URL

With this configuration method, Teleport first tries to fetch an entity descriptor by querying the entity ID endpoint. If an entity descriptor is not found at that endpoint, Teleport will generate a new entity descriptor with the given entity ID and ACS URL values.

To configure the IAMShowcase app, the values you need to provide are the following:

• App Name: IAMShowcase.
• SP Entity ID / Audience URI: IAMShowcase. The SAML metadata value or an endpoint of the service provider.
• ACS URL / SP SSO URL: https://sptest.iamshowcase.com/acs. The endpoint where users will be redirected after SAML authentication. ACS URL is also referred to as SAML SSO URL.
• Label: env: saml-test. Label will be used in RBAC.

Click Finish button. The "IAMShowcase" app is now added to Teleport.

Option 2: Configure with Entity Descriptor file

With this option, you provide the service provider entity descriptor file, which has all the details required to configure service provider metadata.

If the service provider provides an option to download its entity descriptor file or you need more control over the entity descriptor, this is the recommended option to add a service provider to Teleport.

To configure the IAMShowcase app, the values you need to provide are the following:

• App Name: IAMShowcase.
• Entity Descriptor: Entity descriptor for the IAMShowcase app which is available in this URL: https://sptest.iamshowcase.com/testsp_metadata.xml.
• Label: env: saml-test.

Click Finish button. The "IAMShowcase" app is now added to Teleport.

important

If an entity descriptor is provided, its content takes preference over values provided for entity ID and ACS URL.

Step 4/4. Verify access to the protected page

To verify everything works, navigate to the Resources page in the Teleport Web UI and search for the "IAMShowcase" app.

From the "IAMShowcase" app tile, click the Log in button, which will forward you to the IAMShowcase app's protected page with a SAML assertion data signed by the Teleport SAML IdP.

This page shows Teleport user details along with other attributes such as role names that are federated by the Teleport SAML IdP, confirming a successful SAML service provider configuration in Teleport.

Manage SAML IdP service provider resource using tctl

Examples of managing a saml_idp_service_provider resource using tctl.

Create a saml_idp_service_provider resource

First, create a Teleport resource spec file with the following saml_idp_service_provider resource spec:

cat > iamshowcase.yaml << EOF
kind: saml_idp_service_provider
metadata:
  labels:
    env: saml-test
  # The resource name of the service provider.
  name: IAMShowcase
spec:
  acs_url: https://sptest.iamshowcase.com/acs
  entity_id: IAMShowcase
version: v1
EOF

Next, create a Teleport resource using the tctl create command:

tctl create iamshowcase.yaml
SAML IdP service provider 'IAMShowcase' has been created.

Update a saml_idp_service_provider resource

To update the resource, first, get the latest copy of the resource spec from the Teleport cluster.

tctl get saml_idp_service_provider/IAMShowcase > iamshowcase.yaml

Then modify the spec by updating the iamshowcase.yaml, save it, and then update the Teleport resource by using the tctl create -f command:

tctl create -f iamshowcase.yaml

List saml_idp_service_provider resources

To list a specific service provider:

tctl get saml_idp_service_provider/IAMShowcase

To list all the service providers:

tctl get saml_idp_service_provider

Delete a saml_idp_service_provider resource

tctl rm saml_idp_service_provider/IAMShowcase

Next steps

• Learn how to control access to the SAML IdP service provider resource.
• Configure SAML Attribute Mapping.