
SAML 2

Configuration

  • Enable : Enable or disable SAML authentication
  • Registration ID : SAML registration ID (Example : ping, okta…)
  • Entity ID : Globally unique name for a SAML entity (Identity Provider (IdP) or Service Provider (SP))
  • IDP Metadata URL : URL of the SAML metadata provided by your SAML provider
  • Issuer ID : entityID attribute from the IDP metadata (look for the tag <md:EntityDescriptor>)
  • Single Logout Service : Location attribute from the IDP metadata (look for the tag <md:SingleLogoutService> with binding HTTP-POST or HTTP-Redirect)
  • Single Signon Service : Location attribute from the IDP metadata (look for the tag <md:SingleSignOnService> with binding HTTP-POST or HTTP-Redirect)
  • Certificate : Certificate value from the IDP metadata (look for the tag <ds:X509Certificate>)

Enabling/Disabling SAML authentication requires restarting the application

Example with Microsoft Azure

  • Red : Entity ID
  • Blue : Registration ID
  • Green : IDP Metadata URL

IDP Metadata example:

  • Red : Issuer ID
  • Blue : Single Logout Service and Single Signon Service
  • Green : Certificate

Additional Information

First connection

When a user logs in for the first time using SAML, their account will be created with no authorizations.
It is possible to define default permissions for the first login of a user via the User menu.

Resources available

The Cockpit application can have multiple SAML configurations (one per tenant) based on the registration ID.
Below is a list of available URLs with SAML 2:

  • /saml2/authenticate/{registrationId}
  • /login/saml2/sso/{registrationId}
  • /logout/saml2/slo/{registrationId}
  • /saml2/service-provider-metadata/{registrationId}

Multiple SAML configuration

It is possible to configure a SAML setup for each tenant.
If multiple SAML configurations have been set up, the login page asks the user for their tenant's domain to identify which tenant they wish to connect to via SAML.
The domain of a tenant is defined when it is created.

Tenant modal:

Login screen once SAML is configured:

SAML login screen with multiple SAML configurations:

Last modified: 2024/07/15 12:49 by sfidan