Configure SAML providers to authenticate to clusters

This document is for platform administrators, or whoever manages identity setup in your organization. It explains how to configure your chosen Security Assertion Markup Language (SAML) identity provider for authentication to Kubernetes clusters that aren't on Google Cloud.

Register a client application with your provider

During the authentication flow, the cluster uses the following information to verify and redirect users:

  • EntityID - This is a unique identifier that represents the cluster authentication mechanism for the provider. It is derived from the URL of the API server. For example, if the APISERVER-URL is https://cluster.company.com, then the EntityID should be https://cluster.company.com:11001. Note that the URL has no trailing slash.
  • AssertionConsumerServiceURL - This is the callback URL. The response is forwarded to this URL after the provider authenticates the user. For example, if the APISERVER-URL is https://cluster.company.com, then the AssertionConsumerServiceURL should be https://cluster.company.com:11001/saml-callback.
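The two values above are derived mechanically from the API server URL, so it is easy to get a stray trailing slash or path into the registered EntityID and have the provider reject the response. The following added example (not part of this document or of any Google tooling) normalizes an API server URL and produces both values. It assumes, as the page's example shows, that the authentication endpoint always lives on port 11001 and that any port in the API server URL itself is dropped.

```python
from urllib.parse import urlsplit, urlunsplit

AUTH_PORT = 11001             # port used for the cluster's SAML endpoint in the page's example
CALLBACK_PATH = "/saml-callback"


def derive_sp_endpoints(apiserver_url: str) -> dict:
    """Derive EntityID and AssertionConsumerServiceURL from an API server URL.

    Assumption (not stated on the page): any port, path, query or fragment on the
    API server URL is dropped, and the host is re-paired with port 11001.
    """
    parts = urlsplit(apiserver_url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https:// API server URL, got {apiserver_url!r}")

    host = parts.hostname
    if ":" in host:               # IPv6 literal: urlsplit strips the brackets, put them back
        host = f"[{host}]"

    # Rebuild with no path, so the EntityID never ends in a trailing slash.
    base = urlunsplit(("https", f"{host}:{AUTH_PORT}", "", "", ""))
    return {
        "EntityID": base,
        "AssertionConsumerServiceURL": base + CALLBACK_PATH,
    }


if __name__ == "__main__":
    for url in ("https://cluster.company.com", "https://cluster.company.com/"):
        print(url, "->", derive_sp_endpoints(url))
```

Feed it the same APISERVER-URL you use in kubeconfig; the two strings it returns are what you paste into the provider's Identifier (Entity ID) and Reply URL fields.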

Provider setup information

This section provides steps for registering a client application with Microsoft Entra ID. If you use a different identity provider, see the provider's documentation to set up a client application.

  1. If you haven't done so already, Set up a Microsoft Entra tenant.
  2. Register an application in Microsoft Entra ID.
  3. In the Microsoft Entra admin center, open the App registrations page and select your application. The application overview page opens.
  4. In the navigation menu, click Authentication.
  5. In the Platform configurations section, select Enterprise Applications.
  6. In the Set up Single Sign-On with SAML, edit the Basic SAML Configuration.
  7. In the Identifier (Entity ID) section, select Add Identifier.
  8. Enter the EntityID and the Reply URL (the AssertionConsumerServiceURL) that you derived in Register a client application with your provider.
  9. Click Save to save these settings.
  10. Review the Attributes & Claims section to add any new attributes.
  11. In the SAML Certificates section, click Certificate (Base64) to download the identity provider certificate.
  12. In the Set up app section, copy the Login URL and Azure AD identifier.

Set SAML assertion lifespan

For enhanced security, configure your SAML provider to issue assertions with a short lifespan, such as 10 minutes. You set this in your SAML provider's settings.

Setting the lifespan to less than 5 minutes might cause login issues if the clocks between the cluster and your SAML provider aren't synchronized.
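An assertion's lifespan is the window between the NotBefore and NotOnOrAfter attributes of its Conditions element, and the cluster evaluates that window against its own clock. The following added example (constructed here, not code from this document or from any identity service) builds an unsigned sample assertion with a chosen lifespan and validates it as a cluster whose clock is offset from the provider's would, so you can see why a very short lifespan plus unsynchronized clocks produces login failures and why a small skew tolerance on the validator side helps. The assertion template, the issuer URL and the skew parameter are assumptions for illustration.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def make_assertion(issue_instant: datetime, lifespan: timedelta) -> str:
    """Build a minimal, constructed SAML assertion (unsigned, for illustration only).

    NotBefore is the issue time and NotOnOrAfter is issue time + lifespan: the
    window the page asks you to keep short (around 10 minutes).
    """
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    not_before = issue_instant.strftime(fmt)
    not_on_or_after = (issue_instant + lifespan).strftime(fmt)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_constructed" Version="2.0" IssueInstant="{not_before}">'
        "<saml:Issuer>https://idp.example.invalid/</saml:Issuer>"   # assumed issuer
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
        "</saml:Assertion>"
    )


def parse_saml_time(value: str) -> datetime:
    """Parse the UTC xs:dateTime form SAML uses (trailing 'Z')."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC timestamp ending in 'Z', got {value!r}")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def validity_window(assertion_xml: str) -> tuple[datetime, datetime]:
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    # A real service provider verifies the XML signature before trusting any of this.
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions element")
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        raise ValueError("Conditions must carry both NotBefore and NotOnOrAfter")
    return parse_saml_time(not_before), parse_saml_time(not_on_or_after)


def check_validity(assertion_xml: str, now: datetime,
                   skew_tolerance: timedelta = timedelta(0)) -> tuple[bool, str]:
    """Apply the SAML Conditions time checks with an optional clock-skew allowance."""
    not_before, not_on_or_after = validity_window(assertion_xml)
    if now + skew_tolerance < not_before:
        return False, "rejected: not yet valid (cluster clock behind the provider?)"
    if now - skew_tolerance >= not_on_or_after:
        return False, "rejected: expired (lifespan too short or cluster clock ahead?)"
    return True, "accepted"


def simulate_login(lifespan_minutes: int, cluster_clock_offset_minutes: int,
                   skew_tolerance_minutes: int = 0) -> bool:
    """Issue an assertion at a fixed provider time and validate it on a cluster whose
    clock is off by cluster_clock_offset_minutes. Returns True if the login succeeds."""
    idp_now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed time
    assertion = make_assertion(idp_now, timedelta(minutes=lifespan_minutes))
    cluster_now = idp_now + timedelta(minutes=cluster_clock_offset_minutes)
    accepted, _reason = check_validity(assertion, cluster_now,
                                       timedelta(minutes=skew_tolerance_minutes))
    return accepted


if __name__ == "__main__":
    for lifespan in (10, 2):
        for offset in (-3, 0, 3):
            print(f"lifespan {lifespan} min, cluster clock off by {offset:+d} min: "
                  f"{simulate_login(lifespan, offset)}")
```

With a 10-minute lifespan a cluster clock three minutes ahead still accepts the assertion; with a 2-minute lifespan the same drift makes every login fail with "expired". A clock that runs behind fails on NotBefore regardless of lifespan, which is why clock synchronization matters on both sides and not only the lifespan setting.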

Share provider details

Share the following provider information with your cluster administrator for cluster setup:

  • idpEntityID - This is the unique identifier for the identity provider. It corresponds to the URL of the provider and is also called the Azure AD identifier.
  • idpSingleSignOnURL - This is the endpoint to which the user is redirected for sign-in. It is also called the Login URL.
  • idpCertificateDataList - This is the public certificate the identity provider uses to sign SAML assertions; the cluster uses it to verify them.

What's next