TeleportSAMLConnector
resources.teleport.dev / v2
apiVersion: resources.teleport.dev/v2
kind: TeleportSAMLConnector
metadata:
name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object
SAMLConnector resource definition v2 from Teleport
acs
string
AssertionConsumerService is a URL for assertion consumer service on the service provider (Teleport's side).
allow_idp_initiated
boolean
AllowIDPInitiated is a flag that indicates if the connector can be used for IdP-initiated logins.
assertion_key_pair object
EncryptionKeyPair is a key pair used for decrypting SAML assertions.
cert
string
Cert is a PEM-encoded x509 certificate.
private_key
string
PrivateKey is a PEM encoded x509 private key.
attributes_to_roles []object
AttributesToRoles is a list of mappings of attribute statements to roles.
name
string
Name is an attribute statement name.
roles
[]string
Roles is a list of static teleport roles to map to.
value
string
Value is an attribute statement value to match.
audience
string
Audience uniquely identifies our service provider.
cert
string
Cert is the identity provider certificate PEM. IDP signs `<Response>` responses using this certificate.
client_redirect_settings object
ClientRedirectSettings defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones.
allowed_https_hostnames
[]string
a list of hostnames allowed for https client redirect URLs
insecure_allowed_cidr_ranges
[]string
a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
credentials object
SAMLConnectorCredentials configures authentication for the connector to authenticate against the identity provider for performing ancillary operations, e.g. for standalone Entra SAML connectors to authenticate against MS Graph API.
oauth object
OAuthClientCredentials holds the credentials to use for OAuth client credentials grant.
client_id
string
ClientID is the client ID to use for OAuth client credentials grant.
client_secret
string
ClientSecret is the client secret to use for OAuth client credentials grant.
display
string
Display controls how this connector is displayed.
entity_descriptor
string
EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements.
entity_descriptor_url
string
EntityDescriptorURL is a URL that supplies a configuration XML.
entra_id_groups_provider object
EntraIDGroupsProvider configures out-of-band user groups provider. It works by following through the "groups.link" SAML assertion attribute, which is sent instead of the "groups" attribute, when the user's group membership exceeds 150 max item limit.
disabled
boolean
Disabled specifies that the groups provider should be disabled even when Entra ID responds with a groups claim source. User may choose to disable it if they are using integrations such as SCIM or similar groups importer as connector based role mapping may be not needed in such a scenario.
graph_endpoint
string
GraphEndpoint is a Microsoft Graph API endpoint. The groups claim source endpoint provided by Entra ID points to the now-retired Azure AD Graph endpoint ("https://graph.windows.net"). To convert it to the newer Microsoft Graph API endpoint, Teleport defaults to the Microsoft Graph global service endpoint ("https://graph.microsoft.com"). Update GraphEndpoint to point to a different Microsoft Graph national cloud deployment endpoint.
group_type
string
GroupType is a user group type filter. Defaults to "security-groups". Value can be "security-groups", "directory-roles", "all-groups".
force_authn
string | integer
ForceAuthn specified whether re-authentication should be forced on login. UNSPECIFIED is treated as NO.
include_subject
boolean
IncludeSubject is a flag that indicates whether the Subject element is included in the SAML authentication request. Defaults to false. Note: Some IdPs will reject requests that contain a Subject.
issuer
string
Issuer is the identity provider issuer.
mfa object
MFASettings contains settings to enable SSO MFA checks through this auth connector.
cert
string
Cert is the identity provider certificate PEM. IDP signs `<Response>` responses using this certificate.
enabled
boolean
Enabled specified whether this SAML connector supports MFA checks. Defaults to false.
entity_descriptor
string
EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements. Usually set from EntityDescriptorUrl.
entity_descriptor_url
string
EntityDescriptorUrl is a URL that supplies a configuration XML.
force_authn
string | integer
ForceAuthn specified whether re-authentication should be forced for MFA checks. UNSPECIFIED is treated as YES to always re-authentication for MFA checks. This should only be set to NO if the IdP is setup to perform MFA checks on top of active user sessions.
issuer
string
Issuer is the identity provider issuer. Usually set from EntityDescriptor.
sso
string
SSO is the URL of the identity provider's SSO service. Usually set from EntityDescriptor.
preferred_request_binding
string
PreferredRequestBinding is a preferred SAML request binding method. Value must be either "http-post" or "http-redirect". In general, the SAML identity provider lists request binding methods it supports. And the SAML service provider uses one of the IdP supported request binding method that it prefers. But we never honored request binding value provided by the IdP and always used http-redirect binding as a default. Setting up PreferredRequestBinding value lets us preserve existing auth connector behavior and only use http-post binding if it is explicitly configured.
provider
string
Provider is the external identity provider.
service_provider_issuer
string
ServiceProviderIssuer is the issuer of the service provider (Teleport).
signing_key_pair object
SigningKeyPair is an x509 key pair used to sign AuthnRequest.
cert
string
Cert is a PEM-encoded x509 certificate.
private_key
string
PrivateKey is a PEM encoded x509 private key.
single_logout_url
string
SingleLogoutURL is the SAML Single log-out URL to initiate SAML SLO (single log-out). If this is not provided, SLO is disabled.
sso
string
SSO is the URL of the identity provider's SSO service.
user_matchers
[]string
UserMatchers is a set of glob patterns to narrow down which username(s) this auth connector should match for identifier-first login.
status object
Status defines the observed state of the Teleport resource
conditions []object
Conditions represent the latest available observations of an object's state
lastTransitionTime
string required
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format:
date-time
message
string required
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength:
32768
observedGeneration
integer
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format:
int64minimum:
0
reason
string required
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
pattern:
^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$minLength:
1maxLength:
1024
status
string required
status of the condition, one of True, False, Unknown.
enum:
True, False, Unknown
type
string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern:
^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$maxLength:
316
teleportResourceID
integer
format:
int64No matches. Try .spec.acs for an exact path