Deployment Task


This article details the JSON body needed to create an SSO integration via the REST API (Figure A). Alternatively, the integration can be created by uploading the IDP metadata XML (Figure B).


Note: This article assumes you have already set up authentication via JWT or basic authentication. Please see the Authentication API documentation.


Deployment Steps


Figure A

PUT to /api/v1/settings/SAMLSettings/SAMLSettings


{
  "aqua_creds_enable": true,
  "assertion_url": "https://my-aquaConsole.com/api/v1/saml_auth",
  "auth_by_role": true,
  "enabled": true,
  "idpissuer": "<my.id.provider>",
  "idpslourl": "<https://idp.SLO.url>",
  "idpssourl": "<https://idp.SSO.url>",
  "logout_url": "https://my-aquaConsole.com/api/v1/saml_auth/logout_response",
  "signed_request": false,
  "slo_enabled": true,
  "sp_id": "aquasec.com",
  "sso_enable": true,
  "user_loginid": "<UserNameClaim>",
  "user_role": "<GroupClaim>",
  "x509cert": "<Mycertificate>",
  "role_mapping": {"AquaRole1": "<idp-group1>", "AquaRole2": "<idp-group2>"}
}


Field Description


"aqua_creds_enable": true
"assertion_url": the Console URL with the API extension /api/v1/saml_auth
"auth_by_role": true
"enabled": [true or false] to enable the SSO integration
"idpissuer": IDP issuer URL
"idpslourl": IDP Single Log Out URL
"idpssourl": IDP SSO URL
"logout_url": the Console URL with the API extension /api/v1/saml_auth/logout_response
"signed_request": false
"slo_enabled": [true or false] to enable Single Log Out
"sp_id": identity of the service provider (default: aquasec.com)
"sso_enable": [true or false] to enable the SSO button in the UI
"user_loginid": the claim attribute provided by the IDP for the user ID
"user_role": the claim attribute provided by the IDP to compare with Aqua's role mapping
"x509cert": IDP certificate
"role_mapping": role mapping list associating Aqua roles with the user_role value from the assertion



Figure B

POST to /api/v1/settings/saml_auth/idpfile

{"file":"<XML-METADATA-FILE-CONTENT>"}
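The following script is an added example, not Aqua's own client code, showing how a practitioner would assemble the Figure A and Figure B bodies, sanity-check them before sending, and submit them to the two endpoints above. It assumes the API accepts a JWT as an Authorization: Bearer header (the page only says JWT or basic authentication is set up) and that the console URL has no trailing path; the IdP URLs, certificate and role mapping in the usage section are constructed sample values.

```python
"""Build, validate and submit the SAML settings bodies from Figures A and B.

Added example; not Aqua's own code. Assumptions not stated on the page:
- the API is called with an "Authorization: Bearer <JWT>" header,
- the console URL carries no trailing path.
"""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from urllib.request import Request, urlopen

SAML_SETTINGS_PATH = "/api/v1/settings/SAMLSettings/SAMLSettings"  # Figure A, PUT
IDP_FILE_PATH = "/api/v1/settings/saml_auth/idpfile"              # Figure B, POST


def build_saml_settings(console_url, idp_issuer, idp_sso_url, idp_slo_url,
                        x509cert, role_mapping, login_claim="UserNameClaim",
                        role_claim="GroupClaim", slo_enabled=True):
    """Return the Figure A body. assertion_url and logout_url are derived from
    the console URL exactly as the field description specifies."""
    base = console_url.rstrip("/")
    return {
        "aqua_creds_enable": True,
        "assertion_url": f"{base}/api/v1/saml_auth",
        "auth_by_role": True,
        "enabled": True,
        "idpissuer": idp_issuer,
        "idpslourl": idp_slo_url,
        "idpssourl": idp_sso_url,
        "logout_url": f"{base}/api/v1/saml_auth/logout_response",
        "signed_request": False,
        "slo_enabled": slo_enabled,
        "sp_id": "aquasec.com",  # page default
        "sso_enable": True,
        "user_loginid": login_claim,
        "user_role": role_claim,
        "x509cert": x509cert,
        "role_mapping": dict(role_mapping),
    }


def validate_saml_settings(body):
    """Return a list of problems; an empty list means the body is fit to PUT.
    Catches the mistakes that silently break or weaken the integration:
    plaintext URLs, a missing IdP certificate, role auth with no mapping."""
    problems = []
    required_https = ["assertion_url", "logout_url", "idpssourl"]
    if body.get("slo_enabled"):
        required_https.append("idpslourl")  # only needed when SLO is on
    for key in required_https:
        url = body.get(key) or ""
        if urlparse(url).scheme != "https":
            problems.append(f"{key} must be an https URL, got {url!r}")
    if not body.get("x509cert"):
        problems.append("x509cert is empty: IdP assertions could not be verified")
    if body.get("auth_by_role") and not body.get("role_mapping"):
        problems.append("auth_by_role is true but role_mapping is empty")
    for aqua_role, idp_group in (body.get("role_mapping") or {}).items():
        if not aqua_role or not idp_group:
            problems.append(f"role_mapping entry {aqua_role!r}: {idp_group!r} is incomplete")
    return problems


def build_idp_metadata_body(metadata_xml):
    """Return the Figure B body, rejecting content that is not well-formed XML
    so a truncated or mis-pasted metadata file is caught before upload."""
    try:
        ET.fromstring(metadata_xml)
    except ET.ParseError as exc:
        raise ValueError(f"IDP metadata is not well-formed XML: {exc}") from exc
    return {"file": metadata_xml}


def submit(console_url, path, method, body, token):
    """Send the body as JSON with the given HTTP method; returns the status code.
    Bearer-token authentication is an assumption (see module docstring)."""
    req = Request(console_url.rstrip("/") + path, method=method,
                  data=json.dumps(body).encode("utf-8"),
                  headers={"Content-Type": "application/json",
                           "Authorization": f"Bearer {token}"})
    with urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample values; replace with your IdP's data before use.
    settings = build_saml_settings(
        console_url="https://my-aquaConsole.com",
        idp_issuer="https://idp.example.test/metadata",
        idp_sso_url="https://idp.example.test/sso",
        idp_slo_url="https://idp.example.test/slo",
        x509cert="MIIC...placeholder...",
        role_mapping={"Administrator": "aqua-admins", "Auditor": "aqua-auditors"},
    )
    issues = validate_saml_settings(settings)
    print(json.dumps(settings, indent=2))
    print("validation:", issues or "ok")
    # Uncomment to apply: submit(console_url, SAML_SETTINGS_PATH, "PUT", settings, token)
```

Run validate_saml_settings before the PUT and refuse to send if it returns anything: the endpoint will accept a syntactically valid body whose SSO URL is plain http or whose certificate field is blank, and the resulting misconfiguration only surfaces when users try to log in.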