doc updates to include new fields for SAML sig validation (#29195)

* doc updates to include new fields for SAML sig validation

* edit description

* changes

* remove extra option of validating both options
himran92
2025-01-22 17:03:07 -05:00
committed by GitHub
parent 13c445bd45
commit 31499884c4
2 changed files with 16 additions and 1 deletions


@@ -51,6 +51,14 @@ Configures the auth method with a SAML identity provider.
according to the current logging level. When `verbose_logging` is `true`,
debug-level logs provide user attributes and trace-level logs provide the full
SAML response.
- `validate_response_signature` `(bool, false)` - Enables validation of signature
for at least response in the SAML response. If your IDP allows signing both response
and assertion, then recommendation is to opt in for validating signatures of both
by enabling both options.
- `validate_assertion_signature` `(bool, false)` - Enables validation of signature
for at least assertion in the SAML response. If your IDP allows signing both response
and assertion, then recommendation is to opt in for validating signatures of both
by enabling both options.
### Sample payload
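Review bot: the descriptions of `validate_response_signature` and `validate_assertion_signature` are near-verbatim copies of each other and each opens with the hard-to-parse phrase "Enables validation of signature for at least response/assertion". State plainly what each flag requires (for example "When `true`, the SAML response element itself must carry a valid signature" and "When `true`, the assertion must carry a valid signature"), and say what happens when both stay at their `false` default, which the tutorial hunk in this same commit describes as accepting a response where at least one of the two is signed. The sentence "If your IDP allows signing both response and assertion, then recommendation is to opt in ... by enabling both options" only needs to appear once, and reads better as "If your IdP can sign both the response and the assertion, enable both options."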
@@ -106,6 +114,8 @@ $ curl \
"default_role": "admin",
"entity_id": "https://my.vault/v1/auth/saml",
"idp_metadata_url": "https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata"
"validate_assertion_signature" : false,
"validate_response_signature" : false
},
"warnings": null
}
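Review bot: the sample payload is no longer valid JSON. The line `"idp_metadata_url": "https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata"` needs a trailing comma now that `"validate_assertion_signature" : false,` follows it. While here, drop the space before the colon on the two new keys (`"validate_assertion_signature": false`) so they match the formatting of the existing keys.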


@@ -92,6 +92,11 @@ management tool.
entity_id="https://my.vault/v1/auth/saml" \
acs_urls="https://my.vault/v1/auth/saml/callback"
```
<Note>
The config has boolean options to validate the SAML response signature, as `validate_response_signature` and
`validate_assertion_signature`. By default, it's validated that at least one out of response or assertion is signed.
If your IDP allows signing both then the recommended secure approach is to enable both the options.
</Note>
1. Create a named role:
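Review bot: the `<Note>` block is inserted directly between the closing ``` fence and the `1. Create a named role:` list item with no blank lines on either side; in MDX that can interrupt the numbered list, so add blank lines around the block and check the rendered numbering. On wording, "By default, it's validated that at least one out of response or assertion is signed" should say explicitly that both options default to `false` and that in that state the plugin accepts a response in which either the response or the assertion is signed; "enable both the options" should be "enable both options".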
@@ -190,4 +195,4 @@ You can read more at the Microsoft identity platform's
## API
The SAML authentication plugin has a full HTTP API. Refer to the
[SAML API documentation](/vault/api-docs/auth/saml) for more details.
[SAML API documentation](/vault/api-docs/auth/saml) for more details.
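Review bot: in the `@@ -190,4 +195,4 @@` hunk the `[SAML API documentation](/vault/api-docs/auth/saml) for more details.` line appears removed and re-added with identical text, which points to a whitespace or trailing-newline-only change. If that was not intended, revert it so the diff stays limited to the SAML signature-validation documentation.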