SAML
Integration guides for SAML and OpenID
kPow can integrate with your SAML IdP of choice.
We have integration guides for common providers:

Generic configuration

  • AUTH_PROVIDER_TYPE=saml
  • SAML_RELYING_PARTY_IDENTIFIER= the Audience URI (SP Entity ID)
  • SAML_ACS_URL= the Single sign-on URL, e.g.
    https://kpow.corp.com/saml
  • SAML_METADATA_FILE= the path to the IDP metadata file, e.g.
    /var/saml/saml-idp-metadata.xml
  • SAML_CERT= the path to the SAML certificate, e.g.
    /var/saml/saml-cert.pem
    Note: This is optional, as the certificate is most commonly bundled inside the IDP metadata XML.

SAML and Path-Proxied kPow

Set AUTH_LANDING_URI when running kPow at a proxied path.
Often our users configure kPow behind a reverse proxy at a specific path, e.g.
https://tools.your-corp/kafka/kpow
When kPow is proxied to a specific host/path we need to set the AUTH_LANDING_URI to that same path so the post-login redirect process can work properly, e.g.
AUTH_LANDING_URI=https://tools.your-corp/kafka/kpow

Debugging SAML

Start kPow with the environment variable DEBUG_SAML=true to debug SAML configurations.
This will log the SAMLResponse payload from your IdP. You can use a tool like samltool.com to inspect and verify your IdP is correctly forwarding your configured claims/attributes.
kPow provides an endpoint for inspecting the state of the currently authenticated user. kpow_host/me returns a JSON payload like:
    {"provider": "saml",
     "email": "[email protected]",
     "name": "User",
     "roles": ["admin"]}

Custom Role Field

kPow offers Role Based Access Control for user authorization.
Roles are defined in a Roles attribute in the SAMLResponse from your IdP.
If you would like to use a field other than the Roles attribute, add the following to your RBAC configuration file.
    saml:
      role_field: "Groups"
Now, kPow will look to the Groups attribute for its basis of roles.
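The following is an added example, not kPow's own code: a small Python helper for the debugging workflow above. It decodes a logged SAMLResponse, lists the attributes the IdP actually sent, and shows which values kPow would treat as roles under the default Roles attribute versus a custom role_field such as Groups. The sample response is constructed (unsigned, no real IdP); the function names are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 Response / Assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def saml_attributes(saml_response_b64: str) -> dict[str, list[str]]:
    """Decode a base64 SAMLResponse and return {attribute name: [values]}.

    Inspection only: it reads the AttributeStatement and does not validate
    the signature, audience or timestamps (kPow performs those checks)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs

def roles_from_response(saml_response_b64: str, role_field: str = "Roles") -> list[str]:
    """Role values under the configured role_field (default: Roles attribute)."""
    return saml_attributes(saml_response_b64).get(role_field, [])

# Constructed sample: an IdP that sends roles in "Groups" rather than "Roles".
_SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Groups">
        <saml:AttributeValue>admin</saml:AttributeValue>
        <saml:AttributeValue>kafka-readonly</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE = base64.b64encode(_SAMPLE_XML).decode()

if __name__ == "__main__":
    print("attributes sent:", saml_attributes(SAMPLE_RESPONSE))
    print("roles with default Roles field:", roles_from_response(SAMPLE_RESPONSE))
    print("roles with role_field Groups:", roles_from_response(SAMPLE_RESPONSE, "Groups"))
```

An empty list for the default field while the attribute listing shows the values under another name is the usual sign that role_field needs to be set.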