SAML SSO for self-hosted Pulumi Cloud
The self-hosted option allows you to control various aspects of the Pulumi Cloud including how users will sign in to the Pulumi Cloud.
Creating The Keys
Before you can use SAML SSO to log on to the Console, you will need to ensure that the API service has a pair of keys that will be used to sign and validate SAML requests and responses, regardless of the IdP you choose to use.
The credentials are a public/private key pair supplied to the API service as environment variables.
In the following snippets, we show you how to generate a key pair using openssl.
The snippet shows the command for a self-hosted API service that is accessible via api.company.com. Be sure to adjust the value accordingly.
OpenSSL's official wiki site contains links to pre-built binaries.
# Generate a new 2048-bit RSA private key (cert.key) and a self-signed
# certificate (cert.cert) for it that is valid for 365 days.
# -nodes leaves the private key unencrypted so the API service can load it.
openssl \
  req -x509 -newkey rsa:2048 \
  -days 365 -nodes -subj "/CN=api.company.com" \
  -keyout cert.key \
  -out cert.cert
If you also want to specify a SAN (Subject Alternative Name) for your public cert, you can do so by passing the -addext flag as shown below.
For this to work, though, you will need to install at least OpenSSL version 1.1. Once installed, ensure that the 1.1 version is first on your PATH when you run the command; otherwise -addext will not be recognized as a valid flag.
# Same as above, with an additional DNS name in the Subject Alternative Name.
openssl \
  req -x509 -newkey rsa:2048 \
  -days 365 -nodes -subj "/CN=api.company.com" \
  -keyout cert.key \
  -addext "subjectAltName=DNS:anotherdomain.company.com" \
  -out cert.cert
Configure The API Service
Once the key pair has been generated, set the following environment variables for the API service:
SAML_CERTIFICATE_PUBLIC_KEY: the contents of the cert.cert file, i.e. the public certificate.
SAML_CERTIFICATE_PRIVATE_KEY: the contents of the cert.key file, i.e. the private key.
For these values to take effect, you will need to restart the API Service.
Restart the service only during a planned maintenance window.
Enabling SAML SSO as an identity option
By default, the SAML SSO sign-in/sign-up option is not displayed to end users of the Console service.
To enable it, set the SAML_SSO_ENABLED environment variable for the console container to true and restart the service.
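The following script, added here as an example and not part of the Pulumi documentation or product, wraps the procedure above: it generates cert.key and cert.cert with the same openssl invocation as the page, verifies that the private key actually belongs to the certificate before anything is exported (a mismatched pair makes every signature the service produces fail validation at the IdP), checks the certificate's remaining validity so the 365-day certificate can be rotated in time, and exports SAML_CERTIFICATE_PUBLIC_KEY and SAML_CERTIFICATE_PRIVATE_KEY with the file contents. It assumes the openssl CLI is installed; the function names and the ./keys path are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Pulumi documentation or product: generate the
# SAML signing key pair the API service expects, check that the private key
# really belongs to the certificate, and export the two environment variables.
# Assumes the openssl CLI is installed; the SAN variant needs -addext support.
set -eu

# gen_saml_keypair OUTDIR COMMON_NAME [SAN_DNS]
# Writes OUTDIR/cert.key (private key) and OUTDIR/cert.cert (self-signed
# certificate valid for 365 days), using the same openssl command as the page.
gen_saml_keypair() {
  outdir=$1
  cn=$2
  san=${3:-}
  mkdir -p "$outdir"
  if [ -n "$san" ]; then
    openssl req -x509 -newkey rsa:2048 -days 365 -nodes \
      -subj "/CN=$cn" -keyout "$outdir/cert.key" \
      -addext "subjectAltName=DNS:$san" -out "$outdir/cert.cert"
  else
    openssl req -x509 -newkey rsa:2048 -days 365 -nodes \
      -subj "/CN=$cn" -keyout "$outdir/cert.key" -out "$outdir/cert.cert"
  fi
  # The private key signs SAML messages on the service's behalf: owner-only.
  chmod 600 "$outdir/cert.key"
}

# keypair_matches OUTDIR
# Succeeds only when the public key embedded in cert.cert equals the public
# key derived from cert.key, i.e. the two files really form one pair.
keypair_matches() {
  from_key=$(openssl pkey -in "$1/cert.key" -pubout 2>/dev/null) || return 1
  from_cert=$(openssl x509 -in "$1/cert.cert" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# cert_valid_for OUTDIR SECONDS
# Succeeds when the certificate will still be valid SECONDS from now; run it
# from a scheduled job so the certificate is rotated before it expires.
cert_valid_for() {
  openssl x509 -in "$1/cert.cert" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_has_san OUTDIR DNS_NAME
# Succeeds when DNS_NAME appears in the certificate's Subject Alternative Name.
cert_has_san() {
  openssl x509 -in "$1/cert.cert" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# load_saml_env OUTDIR
# Exports SAML_CERTIFICATE_PUBLIC_KEY and SAML_CERTIFICATE_PRIVATE_KEY with the
# file contents, as the page describes, after refusing a mismatched pair.
load_saml_env() {
  keypair_matches "$1" || { echo "cert.key does not match cert.cert" >&2; return 1; }
  SAML_CERTIFICATE_PUBLIC_KEY=$(cat "$1/cert.cert")
  SAML_CERTIFICATE_PRIVATE_KEY=$(cat "$1/cert.key")
  export SAML_CERTIFICATE_PUBLIC_KEY SAML_CERTIFICATE_PRIVATE_KEY
}

# saml_env_ready
# Succeeds when both variables are set and look like PEM; a cheap sanity
# check of the API service's environment before the planned restart.
saml_env_ready() {
  case ${SAML_CERTIFICATE_PUBLIC_KEY:-} in
    "-----BEGIN CERTIFICATE-----"*) ;;
    *) return 1 ;;
  esac
  case ${SAML_CERTIFICATE_PRIVATE_KEY:-} in
    "-----BEGIN "*"PRIVATE KEY-----"*) ;;
    *) return 1 ;;
  esac
}

# Usage (hypothetical paths):
#   . ./saml-keys.sh
#   gen_saml_keypair ./keys api.company.com anotherdomain.company.com
#   load_saml_env ./keys && saml_env_ready && echo "ready to restart the API service"
```

The mismatch check compares the SubjectPublicKeyInfo printed by openssl pkey -pubout against the one printed by openssl x509 -pubkey, so it works for any key type openssl supports, not just RSA; cert_has_san greps the textual dump rather than relying on the newer -ext option so it also runs on older OpenSSL builds.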