Authentication via SAML
To enable Single Sign-On using the SAML protocol on Garden Cloud, you will first need to create an Application (sometimes called an Integration) on your SSO provider of choice, and then configure Garden Cloud to use it to authenticate users.
Currently we support two SSO providers, Azure Active Directory and Okta, and we will be adding more in the future. If you have any specific requirements or requests, please don't hesitate to contact your Garden customer success representative.
Azure Active Directory
1. To set up SAML authentication using Azure Active Directory, visit your organization page on https://portal.azure.com/. (Screenshot: Azure - Active Directory overview)
2. Select Enterprise Applications and create a new application by clicking New application in the top-middle menu. On the next screen, click Create your own application in the top bar. (Screenshot: Azure - Applications overview)
3. Choose a valid name for your application and select Integrate any other application you don't find in the gallery (Non-gallery). (Screenshot: Azure - Create a new Enterprise Application)
4. Once the application is created, configure which users and groups will have access to it by clicking the Get started link in the 1. Assign users and groups panel. (Screenshot: Azure - New Application overview)
5. Add the desired users and groups. (Screenshot: Azure - Add users and groups)
6. Once access is configured, go back to the application overview page and configure Single Sign-On by clicking the Get started link in the 2. Set up single sign on panel. (Screenshot: Azure - New Application overview)
7. Select SAML as the single sign-on method.
8. Edit the Basic SAML configuration, adding a valid Identifier and Reply URL.
9. Download the Base64 Raw certificate (SSO certificate) and copy the Login URL (SSO Entry Point); you'll need both later.
Okta
1. From your Organization page, list all your applications, then select Create App Integration. (Screenshot: Okta - List Applications)
2. Select SAML 2.0. (Screenshot: Okta - Create a new Application)
3. Give your new integration a valid name. (Screenshot: Okta - Set name for new Application)
4. Enter a valid Single sign on URL and Audience URI (SP Entity ID) and press Continue. Note: make sure the Name ID format and Application username are set to EmailAddress and Email respectively. (Screenshot: Okta - Edit SAML settings)
5. Once the setup is complete, you should see a new panel marked in yellow that lets you view your SAML configuration. Click View Setup Instructions. (Screenshot: Okta - Setup complete)
6. Copy the Identity Provider Single Sign-On URL (SSO Entry Point) and the X.509 Certificate (SSO certificate); you'll need both later. (Screenshot: Okta - Configuration parameters)
7. Finally, configure access through the integration by adding users and groups to it. (Screenshot: Okta - Configure access)
If you are an On-Prem customer (meaning you usually deploy Garden Cloud via Replicated), you will need to change your configuration as follows:
- Select Enable SSO.
- Add the SSO certificate you obtained in the previous steps (step 9 for Azure, step 6 for Okta).
- Add the SSO Entry Point you obtained in the previous steps (step 9 for Azure, step 6 for Okta).
- Save the configuration and re-deploy.
(Screenshot: Replicated SSO configuration)
If you are a user of a Garden Cloud managed instance, please contact our customer success representative and we'll get you set up as soon as possible. We will need the same data (SSO certificate and SSO Entry Point).
Once SSO via SAML is correctly configured, you need to make sure your Garden Cloud users can successfully log in. To be able to log in, a user must have a valid email in Garden Cloud that matches their login email on your chosen SSO provider.
You can quickly tell whether a user lacks a valid email on their account from the Team page.
(Screenshot: User email missing)
If you are using GitHub to import users, make sure that all existing and newly imported users have a valid email next to their name on the Team page, and that this email is the same one used to log in with your SSO provider.
When importing users from GitHub, Garden Cloud will automatically fetch the primary email associated with the account. A user can sometimes decide to have a different primary email than the one provided by their workplace (which is used to log in with the SSO provider) or to not give API access to their email altogether.
If that's the case, you will need to manually edit the user email field.
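As an added example (not part of Garden Cloud's own tooling), the following Python script reconciles a Team-page listing with the users assigned to the SSO application and flags the cases described above: a missing or invalid email, an email that differs from the workplace one (as happens with a personal GitHub primary email), and a user who is not assigned to the SSO application at all. The dictionaries, the login-handle key shared by both systems, and the user data are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Minimal sanity check for an email-shaped NameID; not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalise(email):
    """Compare emails case-insensitively and ignore stray whitespace."""
    return (email or "").strip().lower()


@dataclass
class Report:
    ok: list = field(default_factory=list)             # email matches an assigned IdP user
    missing_email: list = field(default_factory=list)  # no/invalid email on the Team page
    mismatched: list = field(default_factory=list)     # same login, different email at the IdP
    not_in_idp: list = field(default_factory=list)     # not assigned to the SSO application


def reconcile(garden_users, idp_users):
    """garden_users: {login: email-or-None} as shown on the Team page.
    idp_users: {login: email} of users assigned to the SSO application (assumed export)."""
    report = Report()
    idp_emails = {normalise(e) for e in idp_users.values()}
    for login, email in garden_users.items():
        e = normalise(email)
        if not EMAIL_RE.match(e):
            report.missing_email.append(login)
        elif e in idp_emails:
            report.ok.append(login)
        elif login in idp_users:
            # Typical GitHub-import case: personal primary email instead of the workplace one.
            report.mismatched.append((login, e, normalise(idp_users[login])))
        else:
            report.not_in_idp.append(login)
    return report


# Constructed sample data, not real accounts.
GARDEN_TEAM = {"alice": "Alice@Example.com", "bob": None,
               "carol": "carol@personal.example", "dave": "dave@example.com"}
IDP_ASSIGNED = {"alice": "alice@example.com", "bob": "bob@example.com",
                "carol": "carol@example.com"}

if __name__ == "__main__":
    r = reconcile(GARDEN_TEAM, IDP_ASSIGNED)
    print("ok:", r.ok)
    print("fix email on Team page:", r.missing_email, r.mismatched)
    print("assign at IdP:", r.not_in_idp)
```

Users listed under missing_email or mismatched need their email field edited on the Team page; users under not_in_idp need to be added to the SSO application on the provider side.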