Configuring SAML

To enable SAML integration, additional steps are required. First, configure the Identity Provider with the following information. Visit Arize SSO & RBAC Configuration for more details.

IDP Parameter                                Example
SSO URL / ACS (Assertion Consumer Service)   https://arize-app.<my-organization>.com/auth/v2/saml
Audience URI / EntityID                      https://arize-app.<my-organization>.com
UserName / NameID Format                     urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Once the IDP is configured, add or update the baseOverlay section in values.yaml using the IDP example below and modify its content to match the environment.

  • The emailDomain is the domain part of the email addresses that will be used to log in. For joe@example.com, it is example.com.

  • The accountID, accountOrganizationID, and spaceID fields should always be set to 1 for on-prem deployments.

  • The sync option enables synchronization of RBAC roles with the IDP each time a user logs in.

  • The role_mappings section is optional and should be customized based on the desired RBAC roles.

  • The metadata comes from the IDP. There are two ways to supply it:

    • Using metadataURL, if a URL is available and reachable from the cluster.

    • Supplying the full XML metadata inline as a block scalar (metadata: |).

values.yaml:

baseOverlay: |-
  ---
  apiVersion: v1
  data:
    idps.yaml: |
      # Custom IDP Information
      - name: MyIDP
        emailDomain: "example.com"
        authInfo:
          accountID: 1
          accountOrganizationID: 1
          spaceID: 1
          sync: true
        role_mappings:
          - attributes:
              "group": "my-admins"
            is_account_admin: true
          - attributes:
              "group": "my-users"
            org_role:
              org_id: 1
              role_id: 2
            space_roles:
              1: 3
        metadataURL: "your-metadata-url"
  kind: ConfigMap
  metadata:
    name: idps
    namespace: arize
  ---

Alternatively, the XML metadata can be embedded directly in the IDP entry as follows:

        metadata: |
          <md:EntityDescriptor....
          ...
          </md:EntityDescriptor>
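As an added example that is not part of Arize's documentation or code, the following Python script checks an idps.yaml entry against the rules listed above (accountID fields set to 1, exactly one of metadataURL or metadata, emailDomain present) and resolves which role_mappings entries a SAML login would match. The config is embedded as a constructed Python dict mirroring the values.yaml entry, and the exact key/value attribute matching is an assumption, not documented Arize behaviour.

```python
# Added example (not Arize code). Constructed dict mirroring the idps.yaml entry above.
IDP = {
    "name": "MyIDP",
    "emailDomain": "example.com",
    "authInfo": {"accountID": 1, "accountOrganizationID": 1, "spaceID": 1, "sync": True},
    "role_mappings": [
        {"attributes": {"group": "my-admins"}, "is_account_admin": True},
        {"attributes": {"group": "my-users"},
         "org_role": {"org_id": 1, "role_id": 2}, "space_roles": {1: 3}},
    ],
    "metadataURL": "your-metadata-url",
}


def validate_idp(idp):
    """Return a list of problems; an empty list means the entry follows the documented rules."""
    problems = []
    auth = idp.get("authInfo", {})
    for key in ("accountID", "accountOrganizationID", "spaceID"):
        if auth.get(key) != 1:
            problems.append(f"authInfo.{key} must be 1 for on-prem deployments")
    if not idp.get("emailDomain"):
        problems.append("emailDomain is required")
    # IdP metadata must come from exactly one source: a reachable URL or inline XML.
    has_url, has_xml = bool(idp.get("metadataURL")), bool(idp.get("metadata"))
    if has_url == has_xml:
        problems.append("supply exactly one of metadataURL or metadata")
    return problems


def resolve_roles(idp, name_id, attributes):
    """Match a login (NameID email plus SAML attributes) against role_mappings.

    Returns None if the NameID domain is not this IDP's emailDomain, otherwise the
    matched mapping entries with their 'attributes' key removed. Attribute values
    may be single strings or lists (multi-valued SAML attributes); matching is an
    assumed exact key/value comparison.
    """
    domain = name_id.rsplit("@", 1)[-1].lower() if "@" in name_id else ""
    if domain != idp["emailDomain"].lower():
        return None
    matched = []
    for mapping in idp.get("role_mappings", []):
        ok = True
        for key, wanted in mapping["attributes"].items():
            got = attributes.get(key)
            values = got if isinstance(got, list) else [got]
            if wanted not in values:
                ok = False
                break
        if ok:
            matched.append({k: v for k, v in mapping.items() if k != "attributes"})
    return matched
```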
