SAML configuration reference
Configure these settings in Puppet Enterprise (PE) and in your SAML identity provider (IdP) to enable SSO or MFA. All fields are required unless otherwise noted.

| Setting name | System name (for RBAC API) | Definition |
|---|---|---|
| Allow duplicated attribute name? | `allow_duplicated_attribute_name` | Boolean value that indicates whether PE accepts an attribute statement that contains the same attribute name more than once. Default is `true`. |
| Display name | `display_name` | A string that identifies the IdP used for SSO or MFA login, such as `Corporate Okta`. |
| Identity provider entity ID | `idp_entity_id` | A URI (usually a URL) that uniquely identifies your IdP, such as `https://sso.example.info/entity`. Copy it exactly from your IdP's configuration: it must match the entity ID the IdP uses as the `Issuer` of the messages it sends. |
| Identity provider SLO response URL | `idp_slo_response_url` | Optional, unless required by the IdP or SAML configuration. A URL specifying an alternative location for single logout (SLO) response handling. Defaults to the SLO URL. For example, `https://ipd.example.com/SAML2/SLO-response`. |
| Identity provider SLO URL | `idp_slo_url` | The URL to which PE sends the single logout (SLO) request, such as `https://ipd.example.com/SAML2/SLO`. Your IdP configuration has this information. |
| Identity provider SSO URL | `idp_sso_url` | The URL to which PE sends authentication requests, such as `https://idp.example.org/SAML2/SSO`. Your IdP configuration has this information. |
| IdP certificate | `idp_certificate` | The public X.509 certificate of the IdP, in PEM format. PE uses the certificate to validate the signatures on messages from the IdP (a public certificate cannot decrypt anything; encrypted assertions are decrypted with PE's own private key). For example: `-----BEGIN CERTIFICATE----- MIIGADCCA+igAwIBAgIBAjANBgkqhkiG9w0BAQsFADBqMW ... STkGww== -----END CERTIFICATE-----` |
| Name ID encrypted? | `name_id_encrypted` | Optional, unless required by the IdP or SAML configuration. Boolean value that indicates whether PE encrypts the name ID in the logout requests it sends. Default is `true`. |
| Organizational language | `organizational_lang` | The standard abbreviation for the preferred language at your organization, such as `en` for English. |
| Organization display name | `organizational_display_name` | An alternative display name for your organization. |
| Organization name | `organizational_name` | The official name of your organization. |
| Organization URL | `organizational_url` | The URL for your organization. |
| Requested authentication context | `requested_auth_context` | Optional, unless required by the IdP or SAML configuration. Comma-separated list of authentication context classes that tells the IdP what kind of user authentication PE expects. The classes are defined in the `urn:oasis:names:tc:SAML:2.0:ac:classes:` namespace of the SAML specification, for example `urn:oasis:names:tc:SAML:2.0:ac:classes:Password` or `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport`. |
| Requested authentication context comparison | `requested_auth_context_comparison` | Optional, unless required by the IdP or SAML configuration. Tells the IdP how to compare the strength of the authentication context it supplies with the contexts PE requested. Choose one of the following: |
| Require encrypted assertions? | `want_assertions_encrypted` | Boolean value that indicates whether PE requires the IdP to encrypt the assertions it sends. Default is `true`. |
| Require name ID encrypted? | `want_name_id_encrypted` | Boolean value that indicates whether PE requires the IdP to encrypt the name ID field in the messages it sends. Default is `true`. |
| Require signed assertions? | `want_assertions_signed` | Boolean value that indicates whether PE requires the IdP to cryptographically sign the assertion elements it sends. Default is `true`. |
| Require signed messages? | `want_messages_signed` | Boolean value that indicates whether PE requires the IdP to cryptographically sign all responses, logout requests, and logout responses it sends. Default is `true`. |
| Signature algorithm | `signature_algorithm` | Indicates which signing algorithm PE uses to sign messages. Choose one of the following: |
| Sign authentication requests? | `authn_request_signed` | Optional, unless required by the IdP or SAML configuration. Boolean value that indicates whether PE cryptographically signs the authentication requests it sends to the IdP. Default is `true`. |
| Sign logout requests? | `logout_request_signed` | Optional, unless required by the IdP or SAML configuration. Boolean value that indicates whether PE cryptographically signs the logout requests it sends to the IdP. Default is `true`. |
| Sign logout response? | `logout_response_signed` | Optional, unless required by the IdP or SAML configuration. Boolean value that indicates whether PE cryptographically signs the logout responses it sends to the IdP. Default is `true`. |
| Sign metadata? | `sign_metadata` | Boolean value that indicates whether PE cryptographically signs the service provider metadata it provides for the IdP configuration. Default is `true`. |
| Support contact email address | `support_email` | The email address of the main support contact at your organization. |
| Support contact name | `support_name` | The name of the main support contact at your organization. |
| Technical contact email address | `technical_support_email` | The email address of the main technical contact at your organization. |
| Technical contact name | `technical_support_name` | The name of the main technical contact at your organization. |
| User display name attribute binding | `user_display_name_attr` | Identifies the SAML attribute whose value is the user's displayable name, such as `First name Last name`. |
| User email attribute binding | `user_email_attr` | Identifies the SAML attribute whose value is the user's email address. |
| User group lookup attribute binding | `group_lookup_attr` | Identifies the SAML attribute whose values are the groups the user belongs to. |
| User lookup attribute binding | `user_lookup_attr` | Identifies the SAML attribute whose value matches the login value users provide on the login page. |
| Validate XML? | `want_xml_validation` | Boolean value that indicates whether PE validates all XML it receives from your IdP before processing it. Malformed or schema-invalid XML is a common ingredient of signature-wrapping and similar attacks on SAML consumers, so leave this enabled. Default is `true`. |
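The reference above states the defaults but gives no way to check a configuration before it is submitted. The following Python script is an added example, not Puppet code and not part of the RBAC API: it takes a dictionary keyed by the system names in the table and reports settings that weaken the exchange (security booleans turned off, IdP endpoints that are not `https://`, a malformed `idp_certificate`, authentication contexts outside the SAML `ac:classes` namespace, and a SHA-1 signature algorithm). The two sample configurations are constructed: the certificate body is a placeholder DER SEQUENCE rather than a real certificate, and the `rsa-sha256` / `rsa-sha1` values assume the signature algorithm is named by its hash, which this page does not specify.

```python
"""Lint a PE SAML configuration keyed by the RBAC API system names.

Added example, not Puppet code. Checks: documented-true booleans that were
turned off, non-https IdP endpoints, PEM/DER structure of idp_certificate,
requested_auth_context namespace, and SHA-1 in signature_algorithm.
"""
import base64
import re
from urllib.parse import urlparse

# Settings whose documented default is true; each one that is false removes a
# signature, encryption or validation guarantee from the SAML exchange.
MUST_BE_TRUE = (
    "want_assertions_signed", "want_messages_signed", "want_xml_validation",
    "want_assertions_encrypted", "want_name_id_encrypted", "sign_metadata",
    "authn_request_signed", "logout_request_signed", "logout_response_signed",
)
# Endpoints the IdP supplies; SAML messages travel over them, so a plain
# http:// scheme exposes the exchange to interception and tampering.
URL_SETTINGS = ("idp_sso_url", "idp_slo_url", "idp_slo_response_url")
AUTHN_CONTEXT_NS = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def check_pem_certificate(pem: str) -> list[str]:
    """Structural check of idp_certificate: PEM armor, valid base64 and a DER
    SEQUENCE at the top level. It does not verify the chain or the expiry."""
    m = PEM_RE.search(pem or "")
    if m is None:
        return ["idp_certificate: not a PEM CERTIFICATE block"]
    body = "".join(m.group(1).split())  # drop the line breaks inside the armor
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return ["idp_certificate: body is not valid base64"]
    if not der or der[0] != 0x30:
        return ["idp_certificate: DER does not start with a SEQUENCE, "
                "so it is not an X.509 certificate"]
    return []


def check_https_url(name: str, value: str) -> list[str]:
    """Require an absolute https:// URL for an IdP endpoint setting."""
    parts = urlparse(value or "")
    if parts.scheme != "https" or not parts.netloc:
        return [f"{name}: must be an absolute https:// URL, got {value!r}"]
    return []


def parse_auth_contexts(value: str) -> list[str]:
    """Split the comma-separated requested_auth_context value into class URIs."""
    return [item.strip() for item in value.split(",") if item.strip()]


def lint(config: dict) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    for name in MUST_BE_TRUE:
        if config.get(name, True) is not True:  # absent means documented default
            findings.append(f"{name}: set to {config[name]!r}; "
                            "the default true is the safe choice")
    for name in URL_SETTINGS:
        if name in config:
            findings += check_https_url(name, config[name])
    if "idp_certificate" in config:
        findings += check_pem_certificate(config["idp_certificate"])
    for ctx in parse_auth_contexts(config.get("requested_auth_context", "")):
        if not ctx.startswith(AUTHN_CONTEXT_NS):
            findings.append(f"requested_auth_context: {ctx!r} is outside "
                            f"{AUTHN_CONTEXT_NS}")
    algo = str(config.get("signature_algorithm", ""))
    if "sha1" in algo.lower():  # assumption: the value names its hash, e.g. rsa-sha1
        findings.append(f"signature_algorithm: {algo!r} uses SHA-1; "
                        "choose a SHA-2 algorithm")
    return findings


# Constructed sample input, not a real deployment. The certificate body is a
# placeholder DER SEQUENCE (30 03 02 01 01) so the structural check has
# something to parse; a real idp_certificate comes from the IdP's metadata.
PLACEHOLDER_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
                   + "\n-----END CERTIFICATE-----")

HARDENED_CONFIG = {
    "display_name": "Corporate Okta",
    "idp_entity_id": "https://sso.example.info/entity",
    "idp_sso_url": "https://idp.example.org/SAML2/SSO",
    "idp_slo_url": "https://idp.example.org/SAML2/SLO",
    "idp_certificate": PLACEHOLDER_PEM,
    "requested_auth_context":
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "signature_algorithm": "rsa-sha256",  # assumed value format
    "want_assertions_signed": True,
    "want_messages_signed": True,
    "want_xml_validation": True,
}

# The same settings with the mistakes this linter is meant to catch.
WEAK_CONFIG = dict(
    HARDENED_CONFIG,
    idp_sso_url="http://idp.example.org/SAML2/SSO",
    idp_certificate="-----BEGIN CERTIFICATE-----\nnot base64!!\n-----END CERTIFICATE-----",
    requested_auth_context="urn:oasis:names:tc:SAML:2.0:ac:classes:Password, Kerberos",
    signature_algorithm="rsa-sha1",  # assumed value format
    want_assertions_signed=False,
    want_xml_validation=False,
)

if __name__ == "__main__":
    for finding in lint(WEAK_CONFIG):
        print(finding)
```

Run the script as-is to see the six findings for the weak configuration; `lint(HARDENED_CONFIG)` returns an empty list. The linter treats a missing boolean as its documented default of `true`, so it only flags settings that were explicitly turned off.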