Table of contents

1. Introduction
2. What is Puppet?
3. What is SAML?
4. Connect SAML Identity Provider to Puppet Enterprise
   4.1. Get URLs and Certificate
   4.2. Attribute Binding
   4.3. Connect to a SAML Identity Provider
   4.4. Generate Token in Console
   4.5. SAML Configuration Reference
5. What is Microsoft ADFS?
6. Connect Microsoft ADFS to Puppet Enterprise
   6.1. Connect to ADFS in the Puppet Enterprise console
        6.1.1. ADFS Configuration Values
   6.2. Add the Relying Party Trust for Puppet Enterprise to ADFS
   6.3. Configure the Claim Issuance Policy in ADFS
   6.4. Configure an RBAC Group and Role in Puppet Enterprise
   6.5. Test your SSO Connection
7. What is Okta?
8. Connect Okta to Puppet Enterprise
   8.1. Configure the Okta Application
   8.2. Connect to Okta in the Puppet Enterprise Console
   8.3. Configure RBAC for Okta Integration
   8.4. Test your Okta SSO Connection
9. Frequently Asked Questions
   9.1. What is Puppet?
   9.2. What is Puppet Enterprise?
   9.3. How does SAML Authentication in Puppet work?
   9.4. Can I authorize using SAML?
   9.5. Is Puppet a tool for ongoing monitoring?
10. Conclusion
Last Updated: Mar 27, 2024

SAML Authentication in Puppet

Author Manan Singhal

Introduction

Hey, Ninjas! Welcome to our article on Puppet. When an application is developed and deployed, it is tested by the testing team, and developers are often required to make changes as the requirements evolve. Have you wondered how all of this is managed? If yes, then you are at the right place. Coding Ninjas have got you covered.

In this article, we will learn about SAML Authentication in Puppet.


But before that, let's brush up on Puppet.

What is Puppet?

Puppet is a software configuration management tool. It is a platform for configuring system and software settings. Puppet has its own declarative language for describing those settings, so you do not need much programming knowledge to use it.


Before proceeding with this blog on SAML Authentication in Puppet, you can read Installing and Configuring Puppet Enterprise. Now, let's look at SAML.

What is SAML?

Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdPs) to pass authorization credentials to service providers (SPs). In practice, this means you can log into numerous websites using the same credentials. One login per user is considerably easier to manage than separate logins for email, customer relationship management (CRM) tools, Active Directory, and so on.

SAML transactions use Extensible Markup Language (XML) for standardized communication between the identity provider and service providers. Through SAML, the verification of a user's identity is tied to the permission to use a service. Let's start with SAML Authentication in Puppet.

Connect SAML Identity Provider to Puppet Enterprise

To access Puppet Enterprise with single sign-on (SSO), establish a connection to a Security Assertion Markup Language (SAML) identity provider. SSO authentication reduces the number of passwords users need to remember and store, and it securely centralizes this sensitive data. Depending on your identity provider, this method also lets you use multifactor authentication (MFA) with Puppet Enterprise.

An identity provider (IdP) is a service that stores and manages user data behind a single login. Salesforce, Okta, and PingID are all SAML identity providers.

The identity provider transmits an assertion, an XML document carrying the attributes needed for user authentication, to the service provider. Attributes are name/value pairs that describe a user, such as their email address or name.

Get URLs and Certificate

Before configuring SSO in Puppet Enterprise, you must configure in your identity provider the URLs and the Signing and Encryption Certificate provided by Puppet Enterprise. If you have not set up SSO yet, you must use the console to view the URLs and certificate; after configuring SSO, you can also get them from the GET /v1/saml/meta endpoint. If you promote a replica, the replica's new URLs and certificate must be specified in your IdP setup.

  • Click the SSO tab on the Access control page of the console.

  • Click Show configuration information and take note of the values SAML metadata URL, SAML assertion consumer service URL, SAML Single Logout URL, and Signing and Encryption Certificate.

  • Copy the URLs and the certificate and add them to your identity provider configuration.

Attribute Binding

Attribute binding connects attributes in the identity provider with attribute names in Puppet Enterprise. When configuring SSO, choose the attribute names Puppet Enterprise will use, then map those names to the corresponding values in your identity provider configuration.

SAML does not predefine attribute names, so attribute binding is what lets Puppet Enterprise and your identity provider agree on which attribute is which even when they do not use the same name for it. This is also what allows you to link Puppet Enterprise to different identity providers.


Attribute binding occurs for four attributes:

  • User: The login value that identifies a specific user consistently across platforms.

  • Email: The user's email address.

  • Display name: The user's friendly name, usually their first and last name.

  • Groups: Automatically links the user's groups to the roles assigned to those groups in Puppet Enterprise. The attribute corresponds to the user group's Login value.
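Added example (Python, written for this article and not taken from Puppet's code) showing how the four bindings resolve against the AttributeStatement of a SAML assertion, and how a repeated attribute name is rejected unless Allow duplicated attribute name? is set. The assertion bodies and the IdP-side attribute names (uid, mail, displayName, memberOf) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion for illustration only; a real service
# provider verifies the IdP's signature before trusting any attribute in it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>pe-admins</saml:AttributeValue>
      <saml:AttributeValue>pe-viewers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed variant in which the IdP repeats an attribute name.
DUPLICATED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>pe-admins</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>pe-viewers</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed attribute-binding settings, keyed by the PE system names from the
# configuration reference; the IdP-side attribute names are hypothetical.
BINDING = {
    "user_lookup_attr": "uid",
    "user_email_attr": "mail",
    "user_display_name_attr": "displayName",
    "group_lookup_attr": "memberOf",
}


def collect_attributes(assertion_xml, allow_duplicated_attribute_name=False):
    """Gather Attribute Name -> [values] from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        if name in attrs and not allow_duplicated_attribute_name:
            # Mirrors "Allow duplicated attribute name?" set to false.
            raise ValueError(f"duplicated attribute name {name!r}")
        attrs.setdefault(name, []).extend(values)
    return attrs


def resolve_user(assertion_xml, binding=BINDING, allow_duplicated_attribute_name=False):
    """Apply the four bindings; the three identity fields must be single-valued."""
    attrs = collect_attributes(assertion_xml, allow_duplicated_attribute_name)

    def single(key):
        values = attrs.get(binding[key], [])
        if len(values) != 1:
            raise ValueError(f"{key} ({binding[key]!r}) needs exactly one value, got {values}")
        return values[0]

    return {
        "login": single("user_lookup_attr"),
        "email": single("user_email_attr"),
        "display_name": single("user_display_name_attr"),
        "groups": attrs.get(binding["group_lookup_attr"], []),  # may be empty or multi-valued
    }
```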

Connect to a SAML Identity Provider

  • Click the SSO tab on the Access control page of the console.

  • Click Configure.

  • Enter the configuration values. The SAML configuration reference specifies which fields are required and which are optional.

  • Commit the changes.

Generate Token in Console

  • Click the Tokens tab on the My Account page.

  • Click Generate to create a new token.

  • Give your new token a description under Description.

  • Choose how long the token should be valid under Lifetime.

  • Click Get token.

  • Copy the token.

SAML Configuration Reference

Setting name | System name (for RBAC API) | Definition
Allow duplicated attribute name? | allow_duplicated_attribute_name | Boolean value
Display name | display_name | String that identifies the IdP
Identity provider entity ID | idp_entity_id | URL string identifying your IdP
Identity provider SLO response URL | idp_slo_response_url | Optional
Identity provider SLO URL | idp_slo_url | URL to which PE sends the single logout request
Identity provider SSO URL | idp_sso_url | URL to which PE sends authentication messages
IdP certificate | idp_certificate | The public x509 certificate of the identity provider, in PEM format
Name ID encrypted? | name_id_encrypted | Optional
Organizational language | organizational_lang | The standard abbreviation for the preferred spoken language at your organization
Organization display name | organizational_display_name | An alternative display name for your organization
Organization name | organizational_name | An official name for your organization
Organization URL | organizational_url | The URL for your organization
Requested authentication context | requested_auth_context | Comma-separated list of authentication contexts
Requested authentication context comparison | requested_auth_context_comparison | Indicates to the IdP the strength of the authentication context PE provides
Require encrypted assertions? | want_assertions_encrypted | Boolean value
Require name ID encrypted? | want_name_id_encrypted | Boolean value
Require signed assertions? | want_assertions_signed | Boolean value
Require signed messages? | want_messages_signed | Boolean value
Signature algorithm | signature_algorithm | Indicates which signing algorithm PE uses to sign messages
Sign authentication requests? | authn_request_signed | Optional
Sign logout requests? | logout_request_signed | Optional
Sign logout response? | logout_response_signed | Optional
Sign metadata? | sign_metadata | Boolean value
Support contact email address | support_email | The email address of the main support contact at your organization
Support contact name | support_name | The name of the main support contact at your organization
Technical contact email address | technical_support_email | The email address of the main technical contact at your organization
Technical contact name | technical_support_name | The name of the main technical contact at your organization
User display name attribute binding | user_display_name_attr | Identifies the attribute that maps to the user's displayable name
User email attribute binding | user_email_attr | Identifies the attribute that maps to the user's email address
User group lookup attribute binding | group_lookup_attr | Identifies the attribute that maps to the set of user groups a user belongs to
User lookup attribute binding | user_lookup_attr | Identifies the attribute that maps to the login value users provide on the login page
Validate xml? | want_xml_validation | Boolean value


What is Microsoft ADFS?

Active Directory Federation Services (ADFS) enables federated identity and access management by securely sharing digital identity and entitlement rights across security and enterprise boundaries. ADFS extends the single sign-on functionality available within a single security or enterprise boundary to Internet-facing applications, giving clients, partners, and suppliers a simplified experience when accessing an organization's web-based applications.

Connect Microsoft ADFS to Puppet Enterprise

Now, let's see how to connect Microsoft ADFS to Puppet Enterprise.

Connect to ADFS in the Puppet Enterprise console

  • Click the SSO tab on the Access control page of the console.

  • Click Configure.

  • Enter the configuration data as outlined in the ADFS configuration values below. Fill in the Organization and Contacts sections in full.

  • Commit the changes.

ADFS Configuration Values

Setting | Maps to | ADFS configuration value
Display name | display_name | Example: "ADFS"
Identity provider entity ID | idp_entity_id | An HTTP or HTTPS URL indicating the ADFS Identifier
Identity provider SSO URL | idp_sso_url | The ADFS Single Sign On URL
Identity provider SLO URL | idp_slo_url | The ADFS Single Sign On URL
Identity provider SLO response URL | idp_slo_response_url | The same as the ADFS SLO URL
IdP certificate | idp_certificate | The ADFS Token Signing certificate
Name ID encrypted? | name_id_encrypted | true
Sign authentication requests? | authn_request_signed | true
Sign logout response? | logout_response_signed | true
Sign logout requests? | logout_request_signed | true
Require signed messages? | want_messages_signed | false
Require signed assertions? | want_assertions_signed | true
Sign metadata? | sign_metadata | true
Require encrypted assertions? | want_assertions_encrypted | true
Require name ID encrypted? | want_name_id_encrypted | true
Requested authentication context | requested_auth_context | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Requested authentication context comparison | requested_auth_context_comparison | exact
Allow duplicated attribute name? | allow_duplicated_attribute_name | false
Validate xml? | want_xml_validation | true
Signature algorithm | signature_algorithm | rsa-sha256
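Added example (Python, written for this article, not Puppet's own code) that writes the ADFS values above as a configuration keyed by the RBAC API system names from the reference table and runs the sanity checks a reviewer would apply before submitting it. The hostnames and certificate are placeholders, and the checks are this example's own policy rather than anything PE enforces.

```python
import re

AUTHN_CONTEXT_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# AuthnContextComparison values defined by SAML 2.0 Core.
COMPARISONS = {"exact", "minimum", "maximum", "better"}
BOOLEAN_KEYS = (
    "name_id_encrypted", "authn_request_signed", "logout_response_signed",
    "logout_request_signed", "want_messages_signed", "want_assertions_signed",
    "sign_metadata", "want_assertions_encrypted", "want_name_id_encrypted",
    "allow_duplicated_attribute_name", "want_xml_validation",
)

# Constructed PE configuration for ADFS, keyed by the RBAC API system names;
# the adfs.example.test hostname and the certificate body are placeholders.
ADFS_CONFIG = {
    "display_name": "ADFS",
    "idp_entity_id": "https://adfs.example.test/adfs/services/trust",
    "idp_sso_url": "https://adfs.example.test/adfs/ls/",
    "idp_slo_url": "https://adfs.example.test/adfs/ls/",
    "idp_slo_response_url": "https://adfs.example.test/adfs/ls/",
    "idp_certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
    "name_id_encrypted": True,
    "authn_request_signed": True,
    "logout_response_signed": True,
    "logout_request_signed": True,
    "want_messages_signed": False,
    "want_assertions_signed": True,
    "sign_metadata": True,
    "want_assertions_encrypted": True,
    "want_name_id_encrypted": True,
    "requested_auth_context": AUTHN_CONTEXT_PREFIX + "PasswordProtectedTransport",
    "requested_auth_context_comparison": "exact",
    "allow_duplicated_attribute_name": False,
    "want_xml_validation": True,
    "signature_algorithm": "rsa-sha256",
}


def check_saml_config(cfg):
    """Return a list of findings; an empty list means the config passes these checks."""
    findings = []
    for key in BOOLEAN_KEYS:
        if not isinstance(cfg.get(key), bool):
            findings.append(f"{key}: must be a boolean")
    for key in ("idp_sso_url", "idp_slo_url", "idp_slo_response_url"):
        if not cfg.get(key, "").startswith("https://"):
            findings.append(f"{key}: SAML endpoint should be an HTTPS URL")
    if not re.match(r"^https?://", cfg.get("idp_entity_id", "")):
        findings.append("idp_entity_id: expected an HTTP or HTTPS URL")
    if not cfg.get("idp_certificate", "").startswith("-----BEGIN CERTIFICATE-----"):
        findings.append("idp_certificate: expected a PEM-encoded certificate")
    if not (cfg.get("want_assertions_signed") or cfg.get("want_messages_signed")):
        findings.append("neither assertions nor messages are required to be signed")
    if "sha1" in cfg.get("signature_algorithm", ""):
        findings.append("signature_algorithm: SHA-1 is deprecated, use rsa-sha256")
    for ctx in cfg.get("requested_auth_context", "").split(","):
        if not ctx.strip().startswith(AUTHN_CONTEXT_PREFIX):
            findings.append(f"requested_auth_context: {ctx.strip()!r} is not a SAML 2.0 class URN")
    if cfg.get("requested_auth_context_comparison") not in COMPARISONS:
        findings.append("requested_auth_context_comparison: must be exact, minimum, maximum or better")
    return findings
```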


Add the Relying Party Trust for Puppet Enterprise to ADFS

  • In the Puppet Enterprise console, open the Access control page, select the SSO tab, click Show configuration information, and copy the SAML metadata URL.

  • In the ADFS Management console, click Relying Party Trusts, then Add Relying Party Trust, and choose Claims aware.

  • When the wizard launches, click Start.

  • Choose to import data about the relying party published online or on a local network, enter the SAML metadata URL, and click Next.

  • Enter a Display name for your Puppet Enterprise server, note it for later use, and click Next.

  • Accept the default Access Control Policy settings and click Next.

  • Review the settings on the Add Trust page and click Next.

  • Click Close.

Configure the Claim Issuance Policy in ADFS

  • In the ADFS console, click Relying Party Trusts.

  • Select Puppet Enterprise and click Edit Claim Issuance Policy.

  • Add a rule that sends LDAP attributes as claims, setting these fields:
    Claim rule template
    Claim rule name
    Attribute store

  • In the LDAP attribute mapping table, select these options from the drop-downs:
    SAM-Account-Name: Common Name
    Display-Name: Name
    E-Mail-Addresses: E-mail Address
    SAM-Account-Name: Name ID

  • Add a rule that sends group membership as a claim, setting these fields:
    Claim rule template
    Claim rule name
    User's Group
    Outgoing claim type
    Outgoing claim value

Configure an RBAC Group and Role in Puppet Enterprise

  • Click the User groups tab on the Access control page of the console.

  • Enter the group name in the Login field (it must match the group value sent by ADFS), then click Add group.

  • Select the User roles tab, then select the role to which you want to add the group, for example Viewers.

  • Click the Member groups tab and select your ADFS user group from the drop-down list.

  • After adding the group, click Commit changes.

  • Repeat this for any other ADFS user groups at your company that need RBAC roles.

Test your SSO Connection

  • Log out of Puppet Enterprise.

  • Go to the Puppet Enterprise login screen and click Sign in with ADFS SSO.

  • Log in to Puppet Enterprise using your ADFS credentials.

What is Okta?

Okta is a customizable, secure, drop-in solution for adding authentication and authorization services to your applications. You get scalable authentication built into your application without the development overhead, security risks, and maintenance that come from building it yourself.

You can connect any application in any language or on any stack to Okta and define how you want your users to sign in. Whenever a user tries to authenticate, Okta verifies their identity and sends the required information back to your app.

Connect Okta to Puppet Enterprise

Connect Okta to Puppet Enterprise so users can log in to Puppet Enterprise with their Okta credentials.


Configure the Okta Application

  • Log in to the Okta Admin Console and go to Applications, then Create App Integration.

  • Start the App Integration Wizard.

  • Select SAML 2.0 as the sign-in method.

  • On the General Settings tab, enter Puppet Enterprise in the App name field and click Next.

  • On the Configure SAML tab, do the following:
    In the Single sign on URL field, paste the SAML assertion consumer service (ACS) URL from Puppet Enterprise.
    In the Audience URI (SP Entity ID) field, enter the SAML metadata URL from PE.
    Set the Default RelayState if desired.
    Choose an Application username and a Name ID format.
    Select Advanced Settings to enter parameters that will later be matched to the service provider configuration settings in Puppet Enterprise.
    Choose options for Assertion Encryption, Signature Algorithm, Digest Algorithm, and Response.
    Select Allow application to initiate Single Logout, then paste the SAML Single Logout URL from PE into the Single Logout URL field.
    Paste the SAML assertion consumer service (ACS) URL copied from Puppet Enterprise into the SP Issuer field.
    Upload the Signing and Encryption Certificate from Puppet Enterprise as the Signature Certificate.
    Set Honor Force Authentication, Authentication context class, Assertion Inline Hook, and SAML Issuer ID as needed.

  • Click Next, complete the survey if desired, and click Finish.

  • From the How to Configure SAML 2.0 for Puppet Enterprise Application page, copy the URLs and download the certificate. You will need this information to connect to Okta in the Puppet Enterprise console.

Connect to Okta in the Puppet Enterprise Console

  • On the Access control page, click the SSO tab.

  • Click Configure.

  • Enter a Display name.

  • Complete the Identity provider information fields:
    Identity provider entity ID
    Identity provider SSO URL
    Identity provider SLO URL
    Identity provider SLO response URL
    Identity provider certificate

  • Configure the Service provider configuration options as follows:
    Is name ID encrypted?: Yes
    Require signed messages?: Yes
    Require signed assertions?: Yes
    Require encrypted assertions?: No
    Require name ID encryption?: No
    Sign authentication requests?: Yes
    Sign logout response?: Yes
    Sign logout requests?: Yes
    Sign metadata?: Yes
    Signature algorithm: Must match the Signature Algorithm setting you chose in Okta, such as rsa-sha256

  • Enter the contacts and organization data.

  • The values in the Attribute binding fields must match those in the corresponding Okta fields. PE uses these settings to interpret the user information it receives from Okta: they define the attributes and map them to the user information in Okta. You can retrieve these details from Okta or get them from your Okta administrator. To fill the Attribute binding fields in PE, use the values from the Name fields under Applications, SAML, General, Advanced settings, Attribute Statements in Okta.

  • Commit your changes.

Configure RBAC for Okta Integration

  • Click the User roles tab on the Access control page of the console.

  • Click the name of the Puppet Enterprise role you want to attach to an Okta user group.

  • On the Member users tab, choose the Okta value from the User name drop-down, for example $(user.firstName) $(user.lastName).

  • The value for this option comes from the Attribute Statements data in Okta. If there is no matching value in the drop-down, check the Attribute binding settings in Puppet Enterprise.

  • After you select the user name, the Login and Status fields are filled in automatically.

  • On the Member groups tab, select the appropriate Okta group from the Group name drop-down.

  • Commit the changes.

  • Repeat the process to configure more groups.

Test your Okta SSO Connection

  • Log out of Puppet Enterprise.
     
  • Go to the Puppet Enterprise login screen and click Sign in with Okta SSO.
     
  • Log in to Puppet Enterprise using your Okta credentials.

Frequently Asked Questions

What is Puppet?

Puppet is a software configuration management tool. It is a platform for configuring system and software settings. Puppet has its own declarative language for describing those settings, so you do not need much programming knowledge to use it.

What is Puppet Enterprise?

Puppet Enterprise (PE) is the commercial version of Puppet, built on the Puppet platform. With either, you can manage the configuration of thousands of nodes. This is accomplished through open-source Puppet's desired state management.

How does SAML Authentication in Puppet work?

The service provider asks the identity provider for authentication and authorization. Because SAML is the common language used by both platforms, the user only has to log in once. Both the identity provider and the service provider must be configured to accept the SAML setup.

Can I authorize using SAML?

Yes, you can. The client can ask the authorization server for access to the resource server by presenting a SAML assertion obtained from the IdP. Once the identity has been confirmed, the authorization server can return an OAuth token in the HTTP header so that the user can access the protected resource.

Is Puppet a tool for ongoing monitoring?

Yes. Puppet continuously checks the managed hosts' configuration and, if anything has been changed, immediately switches it back to the predefined state. It can manage a large amount of infrastructure, applying centralized configuration to each host.

Conclusion

In this article, we learned about SAML Authentication in Puppet.
We hope this article on SAML Authentication in Puppet helped you understand the concept. Check out our other blogs on the topic of Puppet.

Refer to our guided paths on Coding Ninjas Studio to learn about Data Structure and Algorithms, Competitive Programming, JavaScript, etc. Enroll in our courses and refer to our mock test available. Have a look at the interview experiences and interview bundle for placement preparations.

Happy Coding!
