Configuring SAML

To enable SAML integration, additional steps are required. First, configure the Identity Provider with the following information. Visit Arize SSO & RBAC Configuration for more details.

Once the IDP provider is configured, add or update the baseOverlay section in values.yaml with the IDP example below and modify the content according to the environment.

• The emailDomain is from the email addresses that will be used to login. For example joe@example.com.

• The accountID, accountOrganizationID, and spaceID fields should always be set to 1 for on-prem deployments.

• The sync option enables the synchronization of RBAC roles with the IDP provider each time a user logs in.

• The role_mappings section is optional and should be customized based on the desired RBAC roles.

• The metadata comes from the IDP provider. There are 2 ways to supply the metadata:

  • Using the metadataURL if a URL is available and reachable from the cluster.

  • By supplying the full XML metadata using a block scalar, as such: metadata: |.

values.yaml:

baseOverlay: |-
  ---
  apiVersion: v1
  data:
    idps.yaml: |
      # Custom IDP Information
      - name: MyIDP
        emailDomain: "example.com"
        authInfo:
          accountID: 1
          accountOrganizationID: 1
          spaceID: 1
          sync: true
        role_mappings:
          - attributes:
              "group": "my-admins"
            is_account_admin: true
          - attributes:
              "group": "my-users"
            org_role:
              org_id: 1
              role_id: 2
            space_roles:
              1: 3
        metadataURL: "your-metadata-url"
  kind: ConfigMap
  metadata:
    name: idps
    namespace: arize
  ---

Alternatively, the user can embed the XML as follows:

        metadata: |
          <md:EntityDescriptor....
          ...
          </md:EntityDescriptor>