SAML
Refresh Tokens
The SAML 2.0 connector in Loft does not support refresh tokens "since the SAML 2.0 protocol doesn't provide a way to requery a provider without interaction" (see dex documentation for SAML 2.0).
- **Create Loft Config For SAML v2.0**
Loft is able to use SAML v2.0 flow to identify the end user.
To tell Loft to use SAML for SSO, navigate to
Admin > Config
in Loft and adjust your config as shown below:auth:
# Tell loft to use saml authentication
saml:
#
#
# REQUIRED CONFIGURATION
#
#
# SSO URL used for POST value.
ssoURL: https://saml.example.com/sso
# CA to use when validating the signature of the SAML response.
ca: /path/to/ca.pem
# CA's can also be provided inline as a base64'd blob.
#
# caData: ( RAW base64'd PEM encoded CA )
# Callback URL in the form of https://your-loft-domain/auth/saml/callback
redirectURI: https://loft.my.domain/auth/saml/callback
# Name of attributes in the returned assertions to map to ID token claims.
usernameAttr: name
emailAttr: email
groupsAttr: groups # optional
#
#
# OPTIONAL CONFIGURATION
#
#
# (Optional) List of groups to filter access based on membership
allowedGroups: ["Admins"]
# (Optional) To skip signature validation, uncomment the following field. This should
# only be used during testing and may be removed in the future
insecureSkipSignatureValidation: true
# (Optional) Manually specify loft's Issuer value.
# When provided loft will include this as the Issuer value during AuthnRequest.
# It will also override the redirectURI as the required audience when evaluating
# AudienceRestriction elements in the response.
entityIssuer: https://loft.my.domain/auth/saml/callback
# (Optional) Issuer value expected in the SAML response.
ssoIssuer: https://saml.example.com/sso
# (Optional) Delimiter for splitting groups returned as a single string.
#
# By default, multiple groups are assumed to be represented as multiple
# attributes with the same name.
#
# If "groupsDelim" is provided groups are assumed to be represented as a
# single attribute and the delimiter is used to split the attribute's value
# into multiple groups.
groupsDelim: ", "
# (Optional) Requested format of the NameID.
#
# The NameID value is is mapped to the user ID of the user. This can be an
# abbreviated form of the full URI with just the last component. For example,
# if this value is set to "emailAddress" the format will resolve to:
#
# urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
#
# If no value is specified, this value defaults to:
#
# urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
#
nameIDPolicyFormat: persistent Authenticate via SAML
After saving the new Loft configuration, Loft will restart itself and you should be able to log in via SAML.
Disable Username + Password Authentication (optional)
To disable password-based authentication, navigate to
Admin > Config
add these two lines to your config:auth:
oidc: ... # This is your SSO configuration (make sure this is working!)
password:
disabled: true # Disable password-based authentication