• The API Platform for AI.

      Explore More
      Platform Runtimes
      Kong Gateway
      • Kong Cloud Gateways
      • Kong Ingress Controller
      • Kong Operator
      • Kong Gateway Plugins
      Kong AI Gateway
      Kong Event Gateway
      Kong Mesh
      Platform Core Services
      • Gateway Manager
      • Mesh Manager
      • Service Catalog
      Platform Applications
      • Developer Portal
      • API and AI Analytics
      • API Products
      Development Tools
      Kong Insomnia
      • API Design
      • API Testing and Debugging
      Self-Hosted API Management
      Kong Gateway Enterprise
      Kong Open Source Projects
      • Kong Gateway OSS
      • Kuma
      • Kong Insomnia OSS
      • Kong Community
      Get Started
      • Sign Up for Kong Konnect
      • Documentation
    • Featured
      Open Banking SolutionsMobile Application API DevelopmentBuild a Developer PlatformAPI SecurityAPI GovernanceKafka Event StreamingAI GovernanceAPI Productization
      Industry
      Financial ServicesHealthcareHigher EducationInsuranceManufacturingRetailSoftware & TechnologyTransportation
      Use Case
      API Gateway for IstioBuild on KubernetesDecentralized Load BalancingMonolith to MicroservicesObservabilityPower OpenAI ApplicationsService Mesh ConnectivityZero Trust SecuritySee all Solutions
      Demo

      Learn how to innovate faster while maintaining the highest security standards and customer trust

      Register Now
  • Customers
    • Documentation
      Kong KonnectKong GatewayKong MeshKong AI GatewayKong InsomniaPlugin Hub
      Explore
      BlogLearning CentereBooksReportsDemosCase StudiesVideos
      Events
      API SummitWebinarsUser CallsWorkshopsMeetupsSee All Events
      For Developers
      Get StartedCommunityCertificationTraining
    • Company
      About UsWhy Kong?CareersPress RoomInvestorsContact Us
      Partner
      Kong Partner Program
      Security
      Trust and Compliance
      Support
      Enterprise Support PortalProfessional ServicesDocumentation
      Press Release

      Kong Advances Konnect Capabilities to Propel Today’s API Infrastructures into the AI Era

      Read More
  • Pricing
  • Login
  • Get a Demo
  • Start for Free
Blog
  • Engineering
  • Enterprise
  • Learning Center
  • Kong News
  • Product Releases
    • API Gateway
    • Service Mesh
    • Insomnia
    • Kubernetes
    • API Security
    • AI Gateway
  • Home
  • Blog
  • Engineering
  • Configure SAML 2.0 Single Sign-on with Kong Enterprise
Engineering
December 9, 2022
5 min read

Configure SAML 2.0 Single Sign-on with Kong Enterprise

Steve Young

What is SAML?

Security Assertion Markup Language (SAML) is an XML-based open standard that allows organizations to set up single sign-on (SSO) across multiple websites and applications. SAML 2.0 is the latest standard, and was ratified in March 2005, replacing SAML 1.1. We’ll refer to SAML as meaning SAML 2.0 for the remainder of this document.

SAML is mostly used as a web-based authentication mechanism as it relies on using the browser to broker the authentication flow. The SAML specification defines three roles:

  • A Principal (or End User)
    • Almost always a human user who is attempting to access a resource using a Browser
  • An Identity Provider (IdP)
    • A service that performs the authentication, by checking usernames and passwords, verifying account status, invoking multi-factor authentication (MFA), etc.
  • A Service Provider (SP)
    • Provides services to the end user. Relies of the IdP to assert the identity of a user

SP-initiated SSO with SAML Authentication

The Kong Enterprise SAML implementation supports the SP initiated SSO flow. This flow starts when a user tries to access a resource on the SP. If the SP detects the user doesn’t have a browser session active, it will redirect them to the IdP asking for the authentication request. The IdP will authenticate the user, and if successful, create the SAML assertion and redirect the user back to the SP.

XML messages are not exchanged directly between the IdP and SP, but via the Browser. This is described in the following sequence diagram:

alt_text

  1. Kong Enterprise initiates SSO when a user tries to access a protected Upstream Service
  2. Kong Enterprise detects if the user has an active browser session. If no session exists, Kong Enterprise creates an SAML Request, also known as an authentication request. The request can be digitally signed
  3. The User’s Browser relays the SAML authentication request to the IdP
  4. A SAML Response is generated by the IdP. This response contains the assertion of the authenticated user. This response is digitally signed and optionally encrypted.
  5. The SAML Assertion is relayed to Kong Enterprise
  6. Kong Enterprise verifies the SAML Response, and either accepts or rejects the initial request to access the Upstream Service

Advantages of SAML

SAML 2.0 is widely adopted by enterprises, for several reasons:

  • Improves the user experience, because SAML provides the ability for users to securely access multiple applications with a single set of credentials entered once
  • Reduces the risk of weak passwords because users only have one password for all systems
  • Moves the responsibility for authentication & management to the IdP, which has the ability to invest in multiple layers of security such as multi-factor authentication (MFA), session management, & user sign-on/off processes (e.g. when an employee leaves a company)
  • Reduces IT help desk costs, because users have less access issues and need less help resetting passwords

Kong SAML Plugin Configuration Options

The Kong Enterprise SAML implementation is provided using the Kong SAML plugin, which is available in Kong Enterprise v3.1+. Kong Plugins provide advanced functionality and extend the use of Kong Enterprise. Refer to the Kong Documentation Plugin Overview for more information on Kong Plugins.

The minimum configuration for the Kong SAML plugin is detailed below:

  • An IdP certificate
    • The SP needs to obtain the public certificate from the IdP to validate the signature in a SAML response. The certificate is stored on the SP and is to verify that a response is coming from the IdP
  • ACS Endpoint
    • This is the endpoint provided by the SP where SAML responses are sent. The SP needs to provide this information to the IdP
  • IdP Sign-in URL
    • This is the IdP Sign-in endpoint where the Kong SAML plugin will issue authentication requests. The SP needs to obtain this information from the IdP
  • Issuer
    • The unique identifier of the IdP application

At the time of writing this document, this plugin supports Microsoft Azure Active Directory as the SAML IdP. Please refer to the Microsoft AzureAD SAML documentation for more information about SAML authentication with Azure Active Directory.

Now let’s walk through adding SAML Authentication to a Service in Kong Enterprise using Microsoft Azure AD as the SAML IdP:

  1. Set-up a SAML Enterprise Application in Microsoft AzureAD:

    1. Create a SAML Enterprise Application. Refer to the Microsoft AzureAD documentation for more information
    2. From the Manage section of the Enterprise application in AzureAD, select “Single sign-on” and note the Identifier (Entity ID) and Login URL parameters alt_text
    3. In the “Basic SAML Configuration” tab displayed above, configure the “Reply URL (Assertion Consumer Service URL)”, for example, https://<your Kong Enterprise IP address here>:8443/aad/consume
    4. From the Manage section of Azure AD Enterprise application, select “Users and groups”, and assign users who will be able to login via SAML SSO
  2. Create an Anonymous Kong Consumer

    This permits anonymous Kong Consumer access via SAML Authentication to the Service we will configure in the next step. The anonymous consumer is configured in the SAML plugin

  1. Create a Service
  1. Create a Route
  1. Configure the SAML plugin on the Service

Replace the <AzureAD_Identity_ID>, <AzureAD_Sign_on_URL> and <AzureAD_Certificate> placeholders with the values identified in the previous steps

  1. Finally, using a Browser, go to the proxy url exposed by Kong Enterprise “https://:8443/aad”. Since the user is not authenticated, they will be redirected for authentication to Azure AD

alt_text

Once successfully logged in, Kong Enterprise will allow access to the configured Service.

Conclusion

SAML is a complex XML-based protocol, and in modern terms it is considered legacy compared to the more modern OAuth 2.0 and OpenID Connect protocols. That said, SAML isn’t going away anytime soon; SAML is a widely adopted enterprise solution. For that reason Kong have invested in developing the SAML plugin, and will expand functionality and support for other SAML IdPs in the future.

Topics:API Design
|
Kong Gateway Enterprise
Powering the API world

Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller.

Sign up for Kong newsletter

Platform
Kong KonnectKong GatewayKong AI GatewayKong InsomniaDeveloper PortalGateway ManagerCloud GatewayGet a Demo
Explore More
Open Banking API SolutionsAPI Governance SolutionsIstio API Gateway IntegrationKubernetes API ManagementAPI Gateway: Build vs BuyKong vs PostmanKong vs MuleSoftKong vs Apigee
Documentation
Kong Konnect DocsKong Gateway DocsKong Mesh DocsKong Insomnia DocsKong Plugin Hub
Open Source
Kong GatewayKumaInsomniaKong Community
Company
About KongCustomersCareersPressEventsContactPricing
  • Terms•
  • Privacy•
  • Trust and Compliance
  • © Kong Inc. 2025