# Using Teleport as a SAML Identity Provider

This guide details an example on how to use Teleport as a SAML identity provider (IdP). You can set up the Teleport SAML IdP to enable Teleport users to authenticate to external services through Teleport.

## How it works

On Teleport Enterprise deployments, the Teleport SAML IdP runs as part of the Teleport Proxy Service and exposes paths of the Proxy Service HTTP API that implement a SAML IdP. You can register a third-party application with the IdP by creating a Teleport dynamic resource, the SAML IdP service provider, that includes information about the application.

## Prerequisites

- A running Teleport Enterprise cluster. If you want to get started with Teleport, [sign up](https://goteleport.com/signup) for a free trial or [set up a demo environment](https://goteleport.com/docs/get-started/deploy-community.md).

- The `tctl` and `tsh` clients.

  Installing `tctl` and `tsh` clients

  1. Determine the version of your Teleport cluster. The `tctl` and `tsh` clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at `/v1/webapi/find` and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service:

     ```
     $ TELEPORT_DOMAIN=teleport.example.com:443
     $ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"
     ```

  2. Follow the instructions for your platform to install `tctl` and `tsh` clients:

     **Mac**

     Download the signed macOS .pkg installer for Teleport, which includes the `tctl` and `tsh` clients:

     ```
     $ curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg
     ```

     In Finder double-click the `pkg` file to begin installation.

     ---

     DANGER

     Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

     ---

     **Windows - Powershell**

     ```
     $ curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip
     Unzip the archive and move the `tctl` and `tsh` clients to your %PATH%
     NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP.
     Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\<username>) instead.
     ```

     **Linux**

     All of the Teleport binaries in Linux installations include the `tctl` and `tsh` clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our [installation page](https://goteleport.com/docs/installation.md).

     ```
     $ curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
     $ tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
     $ cd teleport
     $ sudo ./install
     Teleport binaries have been copied to /usr/local/bin
     ```

* To check that you can connect to your Teleport cluster, sign in with `tsh login`, then verify that you can run `tctl` commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and email\@example.com to your Teleport username:
  ```
  $ tsh login --proxy=teleport.example.com --user=email@example.com
  $ tctl status
  Cluster  teleport.example.com
  Version  19.0.0-dev
  CA pin   sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
  ```
  If you can connect to the cluster and run the `tctl status` command, you can use your current credentials to run subsequent `tctl` commands from your workstation. If you host your own Teleport cluster, you can also run `tctl` commands on the computer that hosts the Teleport Auth Service for full permissions.
* If you're new to SAML, consider reviewing our [SAML Identity Provider Reference](https://goteleport.com/docs/reference/access-controls/saml-idp.md) before proceeding.
* SAML application (also known as a SAML service provider or SP) for testing. For this guide, we'll be using [RSA Simple Test Service Provider](https://sptest.iamshowcase.com/) - a free service that lets us test the Teleport SAML IdP. The test service has a protected page, which can be accessed only after a user is federated to the site with a valid SAML assertion flow. Below in this guide, we will refer to this application as the "IAMShowcase" app. ![iamshowcase protected page](/docs/assets/images/rsa-simplesp-protected-page-e8b6ecb8a92c66b4060f0028631f211b.png)

## Step 1/4. Create a role

As a first step, we will create a role which will grant permissions to manage a `saml_idp_service_provider` resource for the IAMShowcase app. The role will also grant permission to log in to this application by authenticating with Teleport. We will name this role as `saml-admin`.

In the Teleport Web UI, from the side the navigation menu, select **Zero Trust Access > Roles** menu. From the **Roles** UI, click `Create New Role` button.

Enter "saml-admin" as a role name and then click the `Next: Resources` button to move to the "Resources" tab.

In the **Resources** tab, open the dropdown menu by clicking on the `+ Add Teleport Resource Access` button, then select **Application Access**. Enter "env" as the label key and "saml-test" as the label value. In the Step 3 of this guide below, we will create a SAML service provider resource with this matching label value `env: saml-test`, limiting scope of the permissions granted by this role.

![Configure app label](/docs/assets/images/step-1-create-role-app-label-671c00a90d8c8212d11ca7842d8e9c77.png)

Click `Next: Admin Rules` button to move to the **Admin Rules** tab.

In the **Admin Rules** tab, click `+ Add New` button. In the **Teleport Resources** input box, search and select the `saml_idp_service_provider` resource. And then in the **Permissions** section, check `read, list, create, update, delete` permissions.

![Configure service provider rule verbs](/docs/assets/images/step-1-create-role-saml-resource-8ec0b7393f5250e691d8ce5ea4b49c09.png)

Click `Next: Options` button to move to next step and then click `Create Role` button to create a new role.

Reference YAML spec for the `saml-admin` role.

```
kind: role
metadata:
  name: saml-admin
spec:
  allow:
    app_labels:
      env: saml-test
    rules:
    - resources:
      - saml_idp_service_provider
      verbs:
      - read
      - list
      - create
      - update
      - delete
version: v8

```

Assign the `saml-admin` role to your Teleport user by running the appropriate commands for your authentication provider:

**Local User**

1. Retrieve your local user's roles as a comma-separated list:

   ```
   $ ROLES=$(tsh status -f json | jq -r '.active.roles | join(",")')
   ```

2. Edit your local user to add the new role:

   ```
   $ tctl users update $(tsh status -f json | jq -r '.active.username') \
     --set-roles "${ROLES?},saml-admin"
   ```

3. Sign out of the Teleport cluster and sign in again to assume the new role.

**GitHub**

1. Open your `github` authentication connector in a text editor:

   ```
   $ tctl edit github/github
   ```

2. Edit the `github` connector, adding `saml-admin` to the `teams_to_roles` section.

   The team you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the team must include your user account and should be the smallest team possible within your organization.

   Here is an example:

   ```
     teams_to_roles:
       - organization: octocats
         team: admins
         roles:
           - access
   +       - saml-admin

   ```

3. Apply your changes by saving and closing the file in your editor.

4. Sign out of the Teleport cluster and sign in again to assume the new role.

**SAML**

1. Retrieve your `saml` configuration resource:

   ```
   $ tctl get --with-secrets saml/mysaml > saml.yaml
   ```

   Note that the `--with-secrets` flag adds the value of `spec.signing_key_pair.private_key` to the `saml.yaml` file. Because this key contains a sensitive value, you should remove the saml.yaml file immediately after updating the resource.

2. Edit `saml.yaml`, adding `saml-admin` to the `attributes_to_roles` section.

   The attribute you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.

   Here is an example:

   ```
     attributes_to_roles:
       - name: "groups"
         value: "my-group"
         roles:
           - access
   +       - saml-admin

   ```

3. Apply your changes:

   ```
   $ tctl create -f saml.yaml
   ```

4. Sign out of the Teleport cluster and sign in again to assume the new role.

**OIDC**

1. Retrieve your `oidc` configuration resource:

   ```
   $ tctl get oidc/myoidc --with-secrets > oidc.yaml
   ```

   Note that the `--with-secrets` flag adds the value of `spec.signing_key_pair.private_key` to the `oidc.yaml` file. Because this key contains a sensitive value, you should remove the oidc.yaml file immediately after updating the resource.

2. Edit `oidc.yaml`, adding `saml-admin` to the `claims_to_roles` section.

   The claim you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.

   Here is an example:

   ```
     claims_to_roles:
       - name: "groups"
         value: "my-group"
         roles:
           - access
   +       - saml-admin

   ```

3. Apply your changes:

   ```
   $ tctl create -f oidc.yaml
   ```

4. Sign out of the Teleport cluster and sign in again to assume the new role.

## Step 2/4. Configure the service provider

This step involves configuring the SAML service provider with the Teleport SAML IdP metadata.

You can obtain the Teleport SAML IdP metadata values from the SAML application setup wizard, which is available in the Teleport Web UI.

In the Teleport Web UI, select **Add New > Resource** menu, and search for "saml application". Choose the "SAML Application (Generic)" tile.

![Enroll SAML app](/docs/assets/images/step-2-find-saml-discover-tile-d15f2e1305ca135d29875b842e65f52e.png)

As a first step of the SAML Application setup wizard, the Teleport Web UI displays the Teleport SAML IdP metadata values.

The process of SAML service provider configuration varies from service provider to service provider. Some service providers may ask to provide Teleport SAML IdP's entity ID, SSO URL and X.509 certificate explicitly. Others may ask to upload the Teleport SAML IdP metadata (SAML entity descriptor) file .

![Teleport IdP metadata](/docs/assets/images/step-2-copy-metadata-1413a403c38703b842be2b2f70caace6.png)

In the case of IAMShowcase app, which this guide is based on, it is designed to grant access to the protected page for any well formatted IdP federated SAML assertion data.

As such, we will move to the next step in the setup wizard to add the IAMShowcase app to Teleport.

## Step 3/4. Add a service provider to Teleport

To add a service provider to Teleport, you must configure a service provider metadata. This can be configured by either providing an entity ID and ACS URL values of the service provider or by providing an entity descriptor value (also known as metadata file, which is an XML file) of the service provider.

Below we'll show both of the configuration options.

### Option 1: Configure with entity ID and ACS URL

With this configuration method, Teleport first tries to fetch an entity descriptor by querying the entity ID endpoint. If an entity descriptor is not found at that endpoint, Teleport will generate a new entity descriptor with the given entity ID and ACS URL values.

To configure the IAMShowcase app, the values you need to provide are the following:

- **App Name:** `IAMShowcase`.
- **SP Entity ID / Audience URI:** `IAMShowcase`. The SAML metadata value or an endpoint of the service provider.
- **ACS URL / SP SSO URL:** `https://sptest.iamshowcase.com/acs`. The endpoint where users will be redirected after SAML authentication. ACS URL is also referred to as SAML SSO URL.
- **Label:** `env: saml-test`. Label will be used in RBAC.

![add service provider](/docs/assets/images/step-3-add-service-provider-43167eb1cb32b9681bbb5e0f0ce6ce6a.png)

Click `Finish` button. The "IAMShowcase" app is now added to Teleport.

### Option 2: Configure with Entity Descriptor file

With this option, you provide the service provider entity descriptor file, which has all the details required to configure service provider metadata.

If the service provider provides an option to download its entity descriptor file or you need more control over the entity descriptor, this is the recommended option to add a service provider to Teleport.

To configure the IAMShowcase app, the values you need to provide are the following:

- **App Name:** `IAMShowcase`.
- **Entity Descriptor:** Entity descriptor for the IAMShowcase app which is available in this URL: `https://sptest.iamshowcase.com/testsp_metadata.xml`.
- **Label:** `env: saml-test`.

![add service provider with entity descriptor](/docs/assets/images/step-3-add-service-provider-ed-34b6c673cbbcf8af03b4953496d51755.png)

Click `Finish` button. The "IAMShowcase" app is now added to Teleport.

---

IMPORTANT

If an entity descriptor is provided, its content takes preference over values provided for entity ID and ACS URL.

---

## Step 4/4. Verify access to the protected page

To verify everything works, navigate to the **Resources** page in the Teleport Web UI and search for the "IAMShowcase" app.

![Access app](/docs/assets/images/step-4-login-55a1e7e66d43beefca33b68e7f17fc8d.png)

From the "IAMShowcase" app tile, click the `Log in` button, which will forward you to the IAMShowcase app's protected page with a SAML assertion data signed by the Teleport SAML IdP.

![Protected page access](/docs/assets/images/step-4-service-provider-authenticated-page-cef061f31af6e369de7390320adbcc46.png)

This page shows Teleport user details along with other attributes such as role names that are federated by the Teleport SAML IdP, confirming a successful SAML service provider configuration in Teleport.

## Manage SAML IdP service provider resource using `tctl`

Examples of managing a `saml_idp_service_provider` resource using `tctl`.

### Create a `saml_idp_service_provider` resource

First, create a Teleport resource spec file with the following `saml_idp_service_provider` resource spec:

```
cat > iamshowcase.yaml << EOF
kind: saml_idp_service_provider
metadata:
  labels:
    env: saml-test
  # The resource name of the service provider.
  name: IAMShowcase
spec:
  acs_url: https://sptest.iamshowcase.com/acs
  entity_id: IAMShowcase
version: v1
EOF

```

Next, create a Teleport resource using the `tctl create` command:

```
$ tctl create iamshowcase.yaml
SAML IdP service provider 'IAMShowcase' has been created.
```

### Update a `saml_idp_service_provider` resource

To update the resource, first, get the latest copy of the resource spec from the Teleport cluster.

```
$ tctl get saml_idp_service_provider/IAMShowcase > iamshowcase.yaml
```

Then modify the spec by updating the `iamshowcase.yaml`, save it, and then update the Teleport resource by using the `tctl create -f` command:

```
$ tctl create -f iamshowcase.yaml
```

### List `saml_idp_service_provider` resources

To list a specific service provider:

```
$ tctl get saml_idp_service_provider/IAMShowcase
```

To list all the service providers:

```
$ tctl get saml_idp_service_provider
```

### Delete a `saml_idp_service_provider` resource

```
$ tctl rm saml_idp_service_provider/IAMShowcase
```

## Next steps

- Learn how to [control access](https://goteleport.com/docs/identity-governance/idps/saml-idp-rbac.md) to the SAML IdP service provider resource.
- Configure [SAML Attribute Mapping](https://goteleport.com/docs/identity-governance/idps/saml-attribute-mapping.md).