SAML configuration reference

Configure these settings in Puppet Enterprise (PE) and your SAML identity provider to enable SSO or MFA. All fields are required unless otherwise noted.

To define the hostname used in the Single Sign-On (SSO) setup for your Puppet Enterprise installation, you can configure the puppet_enterprise::profile::console::saml_host parameter. This parameter can be set in the PE console to your preferred fully qualified domain name (FQDN) node group which pertains to console configuration.

Once you apply this change, ensure that Puppet runs the configuration to propagate the update.

This parameter is recommended for modifying the SSO URLs to use the desired alias hostname.

Setting name	System name (for RBAC API)	Definition
Allow duplicated attribute name?	`allow_duplicated_attribute_name`	Boolean value indicates whether PE allows duplicate attribute names in the attribute statement. Default is `true`.
Display name	`display_name`	A required string that identifies the IdP used for SSO or MFA login, such as `Corporate Okta`.
Identity provider entity ID	`idp_entity_id`	A URL string identifying your IdP, such as `https://sso.example.info/entity`. Your IdP's configuration has this information.
Identity provider SLO response URL	`idp_slo_response_url`	Optional, unless required by IdP or SAML configuration. An optional URL specifying an alternative location for SLO handling. Defaults to the SLO URL. For example, `https://ipd.example.com/SAML2/SLO-response`.
Identity provider SLO URL	`idp_slo_url`	The URL to which PE sends the single logout request (SLO), such as `https://ipd.example.com/SAML2/SLO`. Your IdP configuration has this information.
Identity provider SSO URL	`idp_sso_url`	The URL to which PE sends authentication messages, such as `https://idp.example.org/SAML2/SSO`. Your IdP configuration has this information.
IdP certificate	`idp_certificate`	The public x509 certificate of the identity provider, in PEM format. PE uses the certificate to decrypt messages from the IdP and validate signatures. For example: -----BEGIN CERTIFICATE----- MIIGADCCA+igAwIBAgIBAjANBgkqhkiG9w0BAQsFADBqMW ... STkGww== -----END CERTIFICATE-----
Name ID encrypted?	`name_id_encrypted`	Optional, unless required by IdP or SAML configuration. Boolean value indicates whether you want PE to encrypt the name-id in the logout request. Default is `true`.
Organizational language	`organizational_lang`	The standard abbreviation for the preferred spoken language at your organization, such as `en` for English.
Organization display name	`organizational_display_name`	An alternative display name for your organization
Organization name	`organizational_name`	The official name of your organization.
Organization URL	`organizational_url`	The URL for your organization.
Requested authentication context	`requested_auth_context`	Optional, unless required by IdP or SAML configuration. Comma-separated list of authentication contexts indicating the type of user authentication PE suggests to the IdP. Authentication types are defined in the `urn:oasis:names:tc:SAML:2.0:ac:classes:` namespace of the SAML specification. For example: `urn:oasis:names:tc:SAML:2.0:ac:classes:Password` or `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport`
Requested authentication context comparison	`requested_auth_context_comparison`	Optional, unless required by IdP or SAML configuration. Indicates to the IdP the strength of the authentication context PE provides. Choose one of the following: `minimum` (default): The requested authentication context comparison must be, at minimum, the strength of the context PE provides. `maximum`: The requested authentication context comparison is, at most, equal to the context PE provides. `exact`: The requested authentication context comparison must be an exact match with one of the contexts PE provides. `better`: The requested authentication context comparison must be higher than the context PE provides.
Require encrypted assertions?	`want_assertions_encrypted`	Boolean value indicates whether you want the IdP to encrypt the assertion messages it sends to PE. Default is `true`.
Require name ID encrypted?	`want_name_id_encrypted`	Boolean value indicates whether you want the IdP to encrypt the name-id field in messages it sends to PE. Default is `true`.
Require signed assertions?	`want_assertions_signed`	Boolean value indicates whether you want the IdP to cryptographically sign assertion elements it sends to PE. Default is `true`.
Require signed messages?	`want_messages_signed`	Boolean value indicates whether you want the IdP to cryptographically sign all responses, logout requests, and logout response messages it sends to PE. Default is `true`.
Signature algorithm	`signature_algorithm`	Indicates which signing algorithm PE uses to sign messages. Choose one of the following: `rsa-sha256` (default) `rsa-sha1` `dsa-sha1` `rsa-sha384` `rsa-sha512`
Sign authentication requests?	`authn_request_signed`	Optional, unless required by IdP or SAML configuration. Boolean value indicates whether you want PE to cryptographically sign authentication request it sends to the IdP. Default is `true`.
Sign logout requests?	`logout_request_signed`	Optional, unless required by IdP or SAML configuration. Boolean value indicates whether you want PE to cryptographically sign logout requests it sends to the IdP. Default is `true`.
Sign logout response?	`logout_response_signed`	Optional, unless required by IdP or SAML configuration. Boolean value indicates whether you want PE to cryptographically sign logout responses it sends to the IdP. Default is `true`.
Sign metadata?	`sign_metadata`	Boolean value indicates whether you want PE to cryptographically sign the metadata provided for the IdP configuration. Default is `true`.
Support contact email address	`support_email`	The email address of the main support contact at your organization.
Support contact name	`support_name`	The name of the main support contact at your organization.
Technical contact email address	`technical_support_email`	The email address of the main technical contact at your organization.
Technical contact name	`technical_support_name`	The name of the main technical contact at your organization.
User display name attribute binding	`user_display_name_attr`	Identifies the attribute that maps to the user's displayable name, such as `First name Last name`.
User email attribute binding	`user_email_attr`	Identifies the attribute that maps to the user's email address.
User group lookup attribute binding	`group_lookup_attr`	Identifies the attribute that maps to the set of user groups a user belongs to.
User lookup attribute binding	`user_lookup_attr`	Identifies the attribute that maps to the login value users provide on the login page.
Validate xml?	`want_xml_validation`	Boolean value indicates whether you want PE to validate all xml statements it receives from your IdP, because invalid xml might cause security issues. Default is `true`.