SAML 2.0 Authentication
Refresh Tokens
The SAML 2.0 connector in dex does not support refresh tokens "since the SAML 2.0 protocol doesn't provide a way to requery a provider without interaction" (see the dex documentation for SAML 2.0). A SAML-backed login therefore cannot be renewed in the background; users have to sign in again once it expires.
Step 1: Choose DEX_HOSTNAME And Configure DNS
Loft uses the CNCF project dex for single sign-on.
The easiest setup is this one:
- $LOFT_HOSTNAME = loft.mycompany.tld (where Loft is running)
- $DEX_HOSTNAME = dex.mycompany.tld (where dex should be running)
- Loft and dex run in the same Kubernetes cluster
In that case, create a CNAME record for dex.mycompany.tld with the value loft.mycompany.tld in your DNS configuration, so that requests for dex reach the same endpoint as Loft.
Step 2: Create Dex Config For SAML 2.0
Create the file dex-config.yaml with the dex configuration: the issuer URL (https://$DEX_HOSTNAME), a saml connector pointing at your identity provider, and a static client for Loft.
For details about configuring dex for SAML 2.0, take a look at the dex documentation for SAML 2.0.
Step 3: Deploy Dex via Helm
After creating the file dex-config.yaml, install dex via helm:
Step 4: Configure Loft To Use Dex For Authentication
To tell Loft to use dex for SSO, navigate to Admin > Config in Loft and adjust your config as shown below:
Step 5: Authenticate via Dex + SAML 2.0
After saving the new Loft configuration, Loft will restart itself and you should be able to log in via SAML 2.0 and dex.
Step 6: Disable Username + Password Authentication (optional)
To disable password-based authentication, navigate to Admin > Config and add these two lines to your config. Do this only after you have verified that a SAML 2.0 login succeeds, otherwise you can lock yourself out of Loft:
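Steps 2 to 6 above, as one added end-to-end script. This is an illustration written for this page, not the Loft or dex documentation's own files. It writes dex-config.yaml with a SAML 2.0 connector and Loft as a static OIDC client, wraps it into a values file for the upstream dex Helm chart, and writes the auth block for Loft's Admin > Config. The hostnames, the identity provider's SSO URL and signing-certificate path, the chart repository (charts.dexidp.io), the Loft config keys (auth.oidc.*, auth.password.disabled) and both callback paths are assumptions; check them against your Loft version and the dex SAML connector reference.

```shell
#!/bin/sh
# Added example (not the page's own files): dex + SAML 2.0 for Loft, steps 2 to 6.
# Assumptions: hostnames, IdP SSO URL and signing-cert path, the dexidp Helm chart,
# and the Loft config keys used below (auth.oidc.*, auth.password.disabled).
set -eu

LOFT_HOSTNAME="${LOFT_HOSTNAME:-loft.mycompany.tld}"
DEX_HOSTNAME="${DEX_HOSTNAME:-dex.mycompany.tld}"
IDP_SSO_URL="${IDP_SSO_URL:-https://idp.mycompany.tld/saml/sso}"  # assumed IdP endpoint
IDP_CA_FILE="${IDP_CA_FILE:-/etc/dex/saml-idp.pem}"               # IdP signing cert, mounted into the dex pod

# Step 2: dex-config.yaml. dex verifies assertion signatures against `ca`, so this must
# be the IdP's *signing* certificate, not its TLS certificate. entityIssuer is the SP
# entity ID registered at the IdP; dex's convention is to reuse the callback URL.
write_dex_config() {
  out="$1"; client_secret="$2"
  cat > "$out" <<EOF
issuer: https://${DEX_HOSTNAME}
storage:
  type: kubernetes
  config:
    inCluster: true
web:
  http: 0.0.0.0:5556
connectors:
- type: saml
  id: saml
  name: SAML 2.0
  config:
    ssoURL: ${IDP_SSO_URL}
    ca: ${IDP_CA_FILE}
    redirectURI: https://${DEX_HOSTNAME}/callback
    entityIssuer: https://${DEX_HOSTNAME}/callback
    usernameAttr: name
    emailAttr: email
    groupsAttr: groups
staticClients:
- id: loft
  name: Loft
  secret: ${client_secret}
  redirectURIs:
  - https://${LOFT_HOSTNAME}/auth/oidc/callback
EOF
}

# Step 3: the upstream chart (assumed here) takes dex's configuration under its
# `config:` value, so dex-config.yaml is indented under that key into a values file.
write_dex_values() {
  config="$1"; values="$2"
  { echo "config:"; sed 's/^/  /' "$config"; } > "$values"
}

install_dex() {
  values="$1"; ns="${2:-dex}"
  helm repo add dex https://charts.dexidp.io
  helm repo update
  helm upgrade --install dex dex/dex --namespace "$ns" --create-namespace --values "$values"
}

# Steps 4 and 6: the auth block for Admin > Config in Loft. issuerUrl must match dex's
# `issuer` exactly (scheme, host, no trailing slash) or OIDC discovery fails. Pass "true"
# as the third argument only after a SAML login has been verified (step 5).
write_loft_auth_config() {
  out="$1"; client_secret="$2"; disable_password="${3:-false}"
  cat > "$out" <<EOF
auth:
  oidc:
    issuerUrl: https://${DEX_HOSTNAME}
    clientId: loft
    clientSecret: ${client_secret}
    redirectURI: https://${LOFT_HOSTNAME}/auth/oidc/callback
  password:
    disabled: ${disable_password}
EOF
}

main() {
  # random shared secret for the Loft static client; it must appear in both files
  secret="$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')"
  write_dex_config dex-config.yaml "$secret"
  write_dex_values dex-config.yaml dex-values.yaml
  write_loft_auth_config loft-auth.yaml "$secret" false
  if command -v helm >/dev/null 2>&1; then
    install_dex dex-values.yaml dex
  else
    echo "helm not found; files written, run install_dex dex-values.yaml manually" >&2
  fi
}
main
```

Exposing dex on $DEX_HOSTNAME (the chart's ingress values, or the Loft ingress the CNAME from step 1 points at, depending on your setup) is not part of this script. The client secret is written in clear text into both files, so treat them as secrets when you paste the auth block into Loft.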