Security Assertion Markup Language (SAML) is an XML-based open standard that allows organizations to set up single sign-on (SSO) across multiple websites and applications. SAML 2.0 is the latest standard, and was ratified in March 2005, replacing SAML 1.1. We’ll refer to SAML as meaning SAML 2.0 for the remainder of this document.
SAML is mostly used as a web-based authentication mechanism as it relies on using the browser to broker the authentication flow. The SAML specification defines three roles:
The Kong Enterprise SAML implementation supports the SP-initiated SSO flow. This flow starts when a user tries to access a resource on the SP. If the SP detects that the user has no active browser session, it redirects them to the IdP with an authentication request. The IdP authenticates the user and, if successful, creates the SAML assertion and redirects the user back to the SP.
XML messages are not exchanged directly between the IdP and SP, but via the browser, as shown in the following sequence diagram:
SAML 2.0 is widely adopted by enterprises, for several reasons:
The Kong Enterprise SAML implementation is provided using the Kong SAML plugin, which is available in Kong Enterprise v3.1+. Kong Plugins provide advanced functionality and extend the use of Kong Enterprise. Refer to the Kong Documentation Plugin Overview for more information on Kong Plugins.
The minimum configuration for the Kong SAML plugin is detailed below:
At the time of writing this document, this plugin supports Microsoft Azure Active Directory as the SAML IdP. Please refer to the Microsoft AzureAD SAML documentation for more information about SAML authentication with Azure Active Directory.
Now let’s walk through adding SAML Authentication to a Service in Kong Enterprise using Microsoft Azure AD as the SAML IdP:
Set up a SAML Enterprise Application in Microsoft AzureAD. The Reply URL (Assertion Consumer Service URL) of that application is the Kong Route path followed by the plugin's assertion consumer path:
```
https://<your Kong Enterprise IP address here>:8443/aad/consume
```
Create an Anonymous Kong Consumer
This permits anonymous Kong Consumer access via SAML Authentication to the Service we will configure in the next step. The anonymous consumer is referenced in the SAML plugin configuration (config.anonymous).
```bash
curl --request PUT \
  --url http://localhost:8001/consumers/anonymous
```
```json
{
  "created_at": 1667352450,
  "custom_id": null,
  "id": "bec9d588-073d-4491-b210-1d07099bfcde",
  "tags": null,
  "type": 0,
  "username": "anonymous",
  "username_lower": null
}
```
Create a Kong Service that proxies to httpbin.org:
```bash
curl --request PUT \
  --url http://localhost:8001/services/aad-service \
  --data url=https://httpbin.org/anything
```
```json
{
  "id": "5fa9e468-0007-4d7e-9aeb-49ca9edd6ccd",
  "name": "aad-service",
  "protocol": "https",
  "host": "httpbin.org",
  "port": 443,
  "path": "/anything"
}
```
Create a Route for the Service on the path /aad:
```bash
curl --request PUT \
  --url http://localhost:8001/services/aad-service/routes/aad-route \
  --data paths=/aad
```
```json
{
  "id": "ac1e86bd-4bce-4544-9b30-746667aaa74a",
  "name": "aad-route",
  "paths": [ "/aad" ]
}
```
Enable the SAML plugin on the Service. Replace the <AzureAD_Identity_ID>, <AzureAD_Sign_on_URL> and <AzureAD_Certificate> placeholders with the values identified in the previous steps.
```bash
curl --request POST \
  --url http://localhost:8001/services/aad-service/plugins \
  --header 'Content-Type: multipart/form-data' \
  --form name=saml \
  --form config.anonymous=anonymous \
  --form config.issuer=<AzureAD_Identity_ID> \
  --form config.idp_sso_url=<AzureAD_Sign_on_URL> \
  --form config.idp_certificate=<AzureAD_Certificate> \
  --form config.assertion_consumer_path=/consume
```
```json
{
  "id": "a8655ba0-de99-48fc-b52f-d7ed030a755c",
  "name": "saml",
  "service": { "id": "5fa9e468-0007-4d7e-9aeb-49ca9edd6ccd" },
  "config": {
    "assertion_consumer_path": "/consume",
    "validate_assertion_signature": true,
    "idp_sso_url": "https://login.microsoftonline.com/f177d1d6-50rf-49e0-818a-a0585cbafd8d/saml2",
    "issuer": "https://samltoolkit.azurewebsites.net/kong_saml"
  }
}
```
Once the user has successfully logged in at the IdP, Kong Enterprise will allow access to the configured Service.
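As an added illustration (not code from this article or from Kong's plugin), the following Python sketches the checks a service provider applies to a SAML Response arriving at its assertion consumer path before trusting it: Success status, Destination equal to its own ACS URL, the expected Issuer, an Audience naming this SP, the NotBefore/NotOnOrAfter window, and the presence of a signature. The hostnames, entity IDs and sample message are constructed placeholders; cryptographic verification of that signature against the IdP certificate is what the plugin's validate_assertion_signature setting covers and is not reimplemented here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Assumed SP-side settings (placeholders, not values from the article's deployment).
ACS_URL = "https://kong.example.test:8443/aad/consume"
SP_ENTITY_ID = "https://kong.example.test/kong_saml"
IDP_ISSUER = "https://sts.windows.net/EXAMPLE-TENANT-ID/"

def _utc(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def check_response(xml_text, now_iso, acs_url=ACS_URL, sp_id=SP_ENTITY_ID, idp=IDP_ISSUER):
    """Return the list of policy violations; an empty list means the response passes.
    Signature verification is deliberately left to the gateway (only presence is checked)."""
    root, now, problems = ET.fromstring(xml_text), _utc(now_iso), []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != acs_url:   # rejects a response meant for another SP
        problems.append("Destination is not our ACS URL")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no Assertion"]
    if a.findtext("saml:Issuer", namespaces=NS) != idp:
        problems.append("Issuer is not the configured IdP")
    if a.find("ds:Signature", NS) is None:   # presence only; verify it with the IdP cert
        problems.append("assertion is unsigned")
    cond = a.find("saml:Conditions", NS)
    aud = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) if cond is not None else None
    if aud != sp_id:
        problems.append("Audience is not this SP")
    if cond is not None and not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        problems.append("outside NotBefore/NotOnOrAfter window")
    return problems

def sample_response(destination=ACS_URL, audience=SP_ENTITY_ID, signed=True):
    """Constructed sample message (not captured from a real IdP) for exercising the checks."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{destination}"><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion><saml:Issuer>{IDP_ISSUER}</saml:Issuer>{sig}
  <saml:Conditions NotBefore="2023-01-01T00:00:00Z" NotOnOrAfter="2023-01-01T00:05:00Z">
  <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
```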
SAML is a complex XML-based protocol, and it is considered legacy compared to the more modern OAuth 2.0 and OpenID Connect protocols. That said, SAML isn’t going away anytime soon; it is a widely adopted enterprise solution. For that reason Kong has invested in developing the SAML plugin, and will expand its functionality and support for other SAML IdPs in the future.