SamlIdentityProvider

A SamlIdentityProvider resource registers an upstream SAML 2.0 identity provider with the Nauthera operator. Users can then sign in via SAML SSO (SP-initiated or IdP-initiated).

This feature requires an Enterprise license (Feature::SamlBridge).

#Example

#Metadata URL (Recommended)

apiVersion: auth.nauthera.io/v1alpha1
kind: SamlIdentityProvider
metadata:
  name: corporate-adfs
  namespace: my-app
spec:
  displayName: "Sign in with ADFS"
  metadataUrl: "https://adfs.corp.example.com/FederationMetadata/2007-06/FederationMetadata.xml"

When metadataUrl is set, the controller fetches the metadata to discover SSO endpoints and signing certificates automatically.

#Inline Metadata

For IdPs that don't expose a metadata endpoint:

apiVersion: auth.nauthera.io/v1alpha1
kind: SamlIdentityProvider
metadata:
  name: legacy-idp
  namespace: my-app
spec:
  displayName: "Corporate SSO"
  metadataXml: |
    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="...">
      ...
    </EntityDescriptor>

#Full Example

apiVersion: auth.nauthera.io/v1alpha1
kind: SamlIdentityProvider
metadata:
  name: okta-saml
  namespace: my-app
spec:
  displayName: "Sign in with Okta"
  metadataUrl: "https://company.okta.com/app/xxxxx/sso/saml/metadata"
  nameIdFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  wantAssertionsSigned: true
  allowIdpInitiated: false
  attributeMappings:
    - upstreamClaim: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
      localField: email
    - upstreamClaim: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
      localField: given_name
    - upstreamClaim: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
      localField: family_name

#Spec Reference

#spec.displayName

Type: string | Optional

Human-readable name shown on the login button (e.g. "Sign in with ADFS"). Defaults to the resource name if omitted.

#spec.metadataUrl

Type: string | Optional

URL to the SAML IdP metadata document. When set, the controller fetches and parses the metadata to discover SSO endpoints and signing certificates automatically. Takes precedence over metadataXml if both are set.

#spec.metadataXml

Type: string | Optional

Inline SAML metadata XML. Used when the IdP does not expose a metadata endpoint. Mutually exclusive with metadataUrl.

#spec.idpEntityId

Type: string | Optional

The IdP's SAML entity ID. Auto-populated from metadata if not set.

#spec.ssoUrl

Type: string | Optional

SSO URL for HTTP-Redirect binding. Auto-populated from metadata if not set.

#spec.signingCertificateRef

Type: object | Optional

Reference to a Kubernetes Secret containing the IdP's X.509 signing certificate (PEM or base64-DER). When metadata is used, the certificate is extracted automatically.

#spec.nameIdFormat

Type: string | Optional

NameID format to request from the IdP. Defaults to "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress".

Common values:

#spec.attributeMappings

Type: []object | Optional

Map SAML assertion attributes to local user record fields. Uses the same mapping structure as IdentityProvider claim mappings.

Each entry has:

Supported localField values: email, name, given_name, family_name, nickname, picture, locale, phone_number.

#spec.wantAssertionsSigned

Type: bool | Default: true

Whether to require signed SAML assertions. Should only be disabled for testing.

#spec.allowIdpInitiated

Type: bool | Default: false

Whether to allow IdP-initiated SSO (unsolicited Response).

#spec.iconUrl

Type: string | Optional

URL of an icon/logo image to display on the login button.

#Status

#Related Resources

• IdentityProvider — For OIDC-based upstream federation (Business+).
• AuthPolicy — MFA and token policies apply to SAML-federated sessions as well.
• OidcClient — The application that users sign in to.