Configuring SAML
To enable SAML integration, additional steps are required. First, configure the Identity Provider with the following information. Visit Arize SSO & RBAC Configuration for more details.
SSO URL / ACS (Assertion Consumer Service)
https://arize-app.<my-organization>.com/auth/v2/saml
Audience URI / EntityID
https://arize-app.<my-organization>.com
UserName / NameID Format
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Once the IDP provider is configured, add or update the baseOverlay section in values.yaml with the IDP example below and modify the content according to the environment.
The emailDomain is from the email addresses that will be used to login. For example joe@example.com.
The accountID, accountOrganizationID, and spaceID fields should always be set to 1 for on-prem deployments.
The sync option enables the synchronization of RBAC roles with the IDP provider each time a user logs in.
The role_mappings section is optional and should be customized based on the desired RBAC roles.
The metadata comes from the IDP provider. There are 2 ways to supply the metadata:
Using the
metadataURLif a URL is available and reachable from the cluster.By supplying the full XML metadata using a block scalar, as such:
metadata: |.
values.yaml:
baseOverlay: |-
---
apiVersion: v1
data:
idps.yaml: |
# Custom IDP Information
- name: MyIDP
emailDomain: "example.com"
authInfo:
accountID: 1
accountOrganizationID: 1
spaceID: 1
sync: true
role_mappings:
- attributes:
"group": "my-admins"
is_account_admin: true
- attributes:
"group": "my-users"
org_role:
org_id: 1
role_id: 2
space_roles:
1: 3
metadataURL: "your-metadata-url"
kind: ConfigMap
metadata:
name: idps
namespace: arize
---Alternatively, the user can embed the XML as follows:
metadata: |
<md:EntityDescriptor....
...
</md:EntityDescriptor>Last updated
Was this helpful?