Continuous Delivery for Puppet Enterprise (PE) supports the use of Security Assertion
Markup Language (SAML) authentication from a SAML identity provider (IDP). Once you
configure your SAML IDP to integrate with Continuous Delivery for PE, you can use
your chosen single sign-on tool to authenticate users to Continuous Delivery for PE.
Before you begin
Your enterprise SAML team must configure your organization's SAML IDP to communicate
with Continuous Delivery for PE. Provide the SAML team with the Continuous Delivery for PE SAML redirect URL for your installation: <YOUR CD4PE WEB UI ENDPOINT>/saml-auth. The SAML team
uses this to register Continuous Delivery for PE as an application with
permissions to interact with the IDP.
Get this information from your enterprise SAML team:
- The IDP-initiated SSO URL that Continuous Delivery for PE needs to
direct user authentication requests.
- The IDP public signing certificate for Continuous Delivery for PE.
- The SAML attribute names that come back in the SAML assertion for these
fields: first name, last name, email address, and username. (Attribute
mapping is explained in step 4, below.)
A super user or the root user must perform this task.
1. Log into the root console by signing in as the root user or by selecting
   Root console from the workspaces menu at the top of
   the Continuous Delivery for PE navigation bar.
2. Click Settings and click the Single sign
   on tab if you are not already on it.
3. Select SAML.
4. Enter the required configuration information as per the instructions
   below.
   - IdP Initiated SSO URL: The unique URL created by the SAML IDP used by your organization
     that acts as a single sign-on (SSO) gateway for Continuous Delivery for PE. Your enterprise SAML team
     provides this URL.
   - Public Signing Certificate: The SAML IDP public signing certificate verifies SAML assertions
     from the IDP. Your enterprise SAML team provides this certificate.
     Paste the entirety of the certificate, including the header and
     footer, into this field.
     Note: This field is for a SAML certificate only. To use a custom certificate for
     Continuous Delivery for PE overall, refer to Use custom TLS certificates.
   - Attribute Mapping: The SAML assertion sends four attributes to Continuous Delivery for PE. The Attribute
     Mapping matches attribute keys from the SAML IDP
     assertion to user accounts created by Continuous Delivery for PE.
     - First Name: The SAML attribute key for the user's first name.
     - Last Name: The SAML attribute key for the user's last name.
     - Email: The SAML attribute key for the user's email address. This is the unique user identifier, so
       each user's email address must be unique.
     - Username: The SAML attribute key for the user's username in Continuous Delivery for PE.
       Each username must be unique.
5. Click Run Configuration Test to send a sample
   authentication query to your SAML IDP.
6. If the configuration test is successful, you're ready to enable SAML
   authentication for your Continuous Delivery for PE instance: enable the
   SAML configuration switch and click Save Configuration.
CAUTION: If the SAML IDP or the SAML information saved in Continuous Delivery for PE is misconfigured, you might be locked out
of Continuous Delivery for PE. If this happens, navigate to <YOUR CD4PE WEB UI ENDPOINT>/root/login, sign
in as the root user, disable the SAML configuration switch, and click
Save Configuration.
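As an added example (not code from the Puppet documentation or the product), the following Python script applies a hypothetical step 4 Attribute Mapping to a constructed, unsigned sample assertion, reports which of the four fields cannot be filled, and flags email or username values that would collide between users. The IDP attribute names givenName, sn, mail and uid are assumptions standing in for the names your SAML team provides; the script does not check the assertion signature, which Continuous Delivery for PE does with the public signing certificate.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}  # standard SAML 2.0 namespace

# Hypothetical Attribute Mapping as typed into the four step 4 fields. The IDP-side
# names (givenName, sn, mail, uid) are constructed; the real ones come from your SAML team.
ATTRIBUTE_MAPPING = {"first_name": "givenName", "last_name": "sn",
                     "email": "mail", "username": "uid"}

# Constructed, unsigned sample assertion for offline demonstration only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="uid"><saml:AttributeValue>alovelace</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def assertion_attributes(xml_text):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip()
                                   for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def missing_fields(xml_text, mapping=ATTRIBUTE_MAPPING):
    """Mapped fields whose IDP attribute is absent, empty, or multi-valued."""
    attrs = assertion_attributes(xml_text)
    return [field for field, key in mapping.items()
            if len(attrs.get(key, [])) != 1 or not attrs[key][0]]

def map_user(xml_text, mapping=ATTRIBUTE_MAPPING):
    """Build the user record the mapping would produce; fail loudly on gaps."""
    missing = missing_fields(xml_text, mapping)
    if missing:
        raise ValueError("unmappable assertion; check mapping for: " + ", ".join(missing))
    attrs = assertion_attributes(xml_text)
    return {field: attrs[key][0] for field, key in mapping.items()}

def duplicate_identifiers(users):
    """Emails and usernames (case-insensitive) shared by more than one mapped user."""
    dupes = set()
    for field in ("email", "username"):
        values = [u[field].lower() for u in users]
        dupes.update(v for v in values if values.count(v) > 1)
    return sorted(dupes)
```

Run it against a real assertion captured from your IDP's test login to confirm the four attribute names before saving the mapping; a field listed by missing_fields is the one whose key needs correcting.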