Configure SAML

Continuous Delivery supports the use of Security Assertion Markup Language (SAML) authentication from a SAML identity provider (IDP). Once you configure your SAML IDP to integrate with Continuous Delivery, you can use your chosen single sign-on tool to authenticate users to Continuous Delivery.

Before you begin:
Your enterprise SAML team must configure your organization's SAML IDP to communicate with Continuous Delivery. Provide the SAML team with the Continuous Delivery SAML redirect URL for your installation: <YOUR CD4PE WEB UI ENDPOINT>/cd4pe/saml-auth. The SAML team uses this to register Continuous Delivery as an application with permissions to interact with the IDP.

Get this information from your enterprise SAML team:

  • The IDP-initiated SSO URL to which Continuous Delivery directs user authentication requests.
  • The IDP's public signing certificate, which Continuous Delivery uses to verify the signature on the SAML assertions the IDP returns.
  • The names of the SAML attributes that the assertion carries for these fields: first name, last name, email address, and username. (Attribute mapping is explained in step 4, below.)

If your IDP cannot read its service-provider configuration from the saml-auth endpoint, enter these values manually in the IDP:

  • Entity ID: CD4PE
  • Signing certificate: This is generated by the IDP or the team that manages it. The public certificate is then saved in Continuous Delivery on a settings page in the Continuous Delivery root console (step 4, below).
  • ACS (Assertion Consumer Service) URL: <CD4PE WEB UI ENDPOINT>/cd4pe/saml-auth
  • Logout URL: Continuous Delivery does not support a logout URL (single logout) for SAML integrations. Users sign out through the Continuous Delivery UI, which ends only their Continuous Delivery session, not their session at the IDP. If your IDP (for example, PingID) treats this as an optional setting, leave it blank.

A super user or the root user must perform this task.
  1. Log into the root console by signing in as the root user or by selecting Root console from the workspaces menu at the top of the Continuous Delivery navigation bar.
  2. Click Settings and click the Single sign on tab if you are not already on it.
  3. Select SAML.
  4. Enter the required configuration information as per the instructions below.

    IdP Initiated SSO URL

    The unique URL created by the SAML IDP used by your organization that acts as a single sign-on (SSO) gateway for Continuous Delivery. Your enterprise SAML team provides this URL.

    Public Signing Certificate

    The SAML IDP public signing certificate is used to verify the signature on SAML assertions from the IDP. Your enterprise SAML team provides this certificate. Paste the entire PEM-encoded certificate, including the -----BEGIN CERTIFICATE----- header and -----END CERTIFICATE----- footer, into this field.

    This field is for a SAML certificate only. To use a custom certificate for Continuous Delivery overall, refer to Use custom TLS certificates.

    Attribute Mapping

    Continuous Delivery reads four attributes from the SAML assertion. The Attribute Mapping tells it which attribute key in the IDP's assertion supplies each field of the user accounts that Continuous Delivery creates.

    • First Name: The SAML attribute key for the user's first name.
    • Last Name: The SAML attribute key for the user's last name.
    • Email: The SAML attribute key for the user's email address. This is the unique user identifier, so each user's email address must be unique.
    • Username: The SAML attribute key for the user's username in Continuous Delivery. Each username must be unique.

  5. Click Run Configuration Test to send a sample authentication request to your SAML IDP.
  6. If the configuration test succeeds, enable the SAML configuration switch and click Save Configuration to turn on SAML authentication for your Continuous Delivery instance.
    If the SAML IDP or the SAML settings saved in Continuous Delivery are misconfigured, you can be locked out of Continuous Delivery. If this happens, go to <YOUR CD4PE WEB UI ENDPOINT>/root/login, sign in as the root user, disable the SAML configuration switch, and click Save Configuration. Keep the root user's credentials somewhere reachable without SAML, because this recovery path depends on them.
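The following Python is an added example, not code from Continuous Delivery or from Puppet; it shows how the Entity ID, ACS URL and Attribute Mapping described above are applied to an assertion, and the checks a service provider makes on one before trusting it. The hostname, the IDP-side attribute names, the sample assertion and the placeholder certificate are all constructed for this example. It deliberately does not verify the assertion's XML signature, which is the step that requires the pasted certificate and an XML-DSig library.

```python
import base64
import re
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

# Values from the manual-configuration list above; the hostname is an assumption.
CD4PE_WEB_UI_ENDPOINT = "https://cd4pe.example.com"
ENTITY_ID = "CD4PE"
ACS_URL = CD4PE_WEB_UI_ENDPOINT + "/cd4pe/saml-auth"

# The Attribute Mapping as entered in the settings page. The IDP-side attribute
# names (givenName, sn, mail, uid) are assumptions; your SAML team supplies the real ones.
ATTRIBUTE_MAPPING = {"first_name": "givenName", "last_name": "sn", "email": "mail", "username": "uid"}

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, not captured from any real IDP. Its ds:Signature
# element is omitted, so it can only illustrate the non-signature checks.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject><saml:NameID>jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://cd4pe.example.com/cd4pe/saml-auth" NotOnOrAfter="2024-01-01T00:05:00Z"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>CD4PE</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed placeholder for the "paste the whole certificate" field: a PEM wrapper
# around a minimal DER SEQUENCE. It is not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
              + "\n-----END CERTIFICATE-----\n")


def validate_pem_certificate(pem: str) -> bool:
    """True if the text has the PEM header and footer and its body decodes to DER
    (a SEQUENCE, first byte 0x30). Catches a certificate pasted without its wrapper."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        return False
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 0 and der[0] == 0x30


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text: str) -> dict:
    """Extract the fields the settings page refers to from an assertion."""
    root = ET.fromstring(xml_text)
    conds = root.find("saml:Conditions", NS)
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"audience": conds.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
            "recipient": scd.get("Recipient"),
            "not_before": _ts(conds.get("NotBefore")),
            "not_on_or_after": _ts(conds.get("NotOnOrAfter")),
            "attributes": attrs}


def check_assertion(parsed: dict, now: datetime) -> list:
    """Reasons to reject an assertion even when its signature is valid (empty = OK):
    issued for another service provider, aimed at another ACS URL, or outside its validity window."""
    problems = []
    if parsed["audience"] != ENTITY_ID:
        problems.append(f"audience {parsed['audience']!r} is not {ENTITY_ID!r}")
    if parsed["recipient"] != ACS_URL:
        problems.append(f"recipient {parsed['recipient']!r} is not the ACS URL")
    if now < parsed["not_before"] or now >= parsed["not_on_or_after"]:
        problems.append("assertion is outside its validity window")
    return problems


def map_attributes(parsed: dict, mapping: dict = ATTRIBUTE_MAPPING) -> dict:
    """Apply the Attribute Mapping: each mapped key must come back with exactly one value."""
    user = {}
    for field, idp_name in mapping.items():
        values = parsed["attributes"].get(idp_name, [])
        if len(values) != 1 or not values[0]:
            raise ValueError(f"attribute {idp_name!r} ({field}) missing or multi-valued")
        user[field] = values[0]
    return user


def find_collisions(users: list) -> list:
    """Email and username must each be unique across users; return the (field, value)
    pairs that are reused. Email is compared case-insensitively, the conservative choice."""
    collisions = []
    for field in ("email", "username"):
        seen = {}
        for u in users:
            key = u[field].lower() if field == "email" else u[field]
            seen[key] = seen.get(key, 0) + 1
        collisions += [(field, k) for k, n in seen.items() if n > 1]
    return collisions
```

In production the assertion's XML signature must be verified against the pasted certificate (with an XML-DSig library such as xmlsec) before any of these fields are read; the audience and recipient checks are what stop an assertion the IDP legitimately signed for a different application from being accepted here, and the validity-window check limits replay. The uniqueness check reflects the requirement above that email and username are each unique; run it over the attributes your IDP actually returns before enabling the switch, since a duplicate discovered afterwards can leave two people mapped to one account.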