Deployment Task

This article details the JSON body needed to create an SSO integration via a REST API (Figure A). In addition, this can be done via an alternative method using an IDP metadata XML (Figure B).

Note: This article assumes you have already set up authentication via JWT or basic authentication. Please see the Authentication API documentation.

Deployment Steps

Figure A

PUT to /api/v1/settings/SAMLSettings/SAMLSettings

{
  "aqua_creds_enable": true,
  "assertion_url": "",
  "auth_by_role": true,
  "enabled": true,
  "idpissuer": "<>",
  "idpslourl": "<https://idp.SLO.url>",
  "idpssourl": "<https://idp.SSO.url>",
  "logout_url": "",
  "signed_request": false,
  "slo_enabled": true,
  "sp_id": "",
  "sso_enable": true,
  "user_loginid": "<UserNameClaim>",
  "user_role": "<GroupClaim>",
  "x509cert": "<Mycertificate>",
  "role_mapping": {"AquaRole1": "<idp-group1>", "AquaRole2": "<idp-group2>"}
}

Field Description

"aqua_creds_enable": true
"assertion_url": Console URL with the API extension /api/v1/saml_auth
"auth_by_role": true
"enabled": [true or false] to enable the SSO integration
"idpissuer": IDP issuer URL
"idpslourl": IDP Single Log Out URL
"idpssourl": IDP SSO URL
"logout_url": ""
"signed_request": false
"slo_enabled": [true or false] to enable Single Log Out
"sp_id": Identity of the service provider. Default:
"sso_enable": [true or false] to enable the SSO button on the UI
"user_loginid": The claim attribute provided by the IDP for the user ID
"user_role": The claim attribute provided by the IDP to compare with Aqua's role mapping
"x509cert": IDP certificate
"role_mapping": Role mapping list that associates Aqua roles with the user_role value from the assertion
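The following script, added here as an example (not part of the article or of Aqua's own tooling), builds the Figure A body from the field descriptions above and PUTs it to the SAMLSettings endpoint. It assumes bearer-token (JWT) authentication and adds a few client-side sanity checks that are not documented server rules: IDP URLs must be https, the certificate must look like PEM, and role_mapping must not be empty when auth_by_role is true.

```python
import json
import urllib.request

SAML_SETTINGS_PATH = "/api/v1/settings/SAMLSettings/SAMLSettings"  # from the article


def build_saml_settings(console_url, idp_issuer, idp_sso_url, idp_slo_url,
                        idp_cert_pem, role_mapping, user_loginid_claim="UserNameClaim",
                        user_role_claim="GroupClaim", slo_enabled=True):
    """Return the PUT body from Figure A. The checks below are assumed
    client-side guards, not behaviour documented for the Aqua API."""
    # SAML endpoints over plain http would expose assertions in transit.
    for name, url in (("idpssourl", idp_sso_url), ("idpslourl", idp_slo_url)):
        if not url.startswith("https://"):
            raise ValueError(f"{name} must be an https URL, got {url!r}")
    if "BEGIN CERTIFICATE" not in idp_cert_pem:
        raise ValueError("x509cert must be the IDP's PEM certificate")
    # auth_by_role is true in Figure A, so an empty mapping grants nobody a role.
    if not role_mapping:
        raise ValueError("role_mapping must not be empty when auth_by_role is true")
    return {
        "aqua_creds_enable": True,
        # assertion_url is the console URL plus /api/v1/saml_auth (field description)
        "assertion_url": console_url.rstrip("/") + "/api/v1/saml_auth",
        "auth_by_role": True,
        "enabled": True,
        "idpissuer": idp_issuer,
        "idpslourl": idp_slo_url,
        "idpssourl": idp_sso_url,
        "logout_url": "",
        "signed_request": False,
        "slo_enabled": slo_enabled,
        "sp_id": "",
        "sso_enable": True,
        "user_loginid": user_loginid_claim,
        "user_role": user_role_claim,
        "x509cert": idp_cert_pem,
        "role_mapping": dict(role_mapping),
    }


def put_saml_settings(console_url, token, body):
    """PUT the body to the SAMLSettings endpoint; bearer-token auth is assumed."""
    req = urllib.request.Request(
        console_url.rstrip("/") + SAML_SETTINGS_PATH,
        data=json.dumps(body).encode("utf-8"), method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on non-2xx
        return resp.status
```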

Figure B

POST to /api/v1/settings/saml_auth/idpfile