Skip to main content
Version: 3.0 (beta)

SAML

Refresh Tokens

The SAML 2.0 connector in Loft does not support refresh tokens "since the SAML 2.0 protocol doesn't provide a way to requery a provider without interaction" (see dex documentation for SAML 2.0).

  1. **Create Loft Config For SAML v2.0**

    Loft is able to use SAML v2.0 flow to identify the end user.

    To tell Loft to use SAML for SSO, navigate to Admin > Config in Loft and adjust your config as shown below:

    auth:
    # Tell loft to use saml authentication
    saml:
    #
    #
    # REQUIRED CONFIGURATION
    #
    #
    # SSO URL used for POST value.
    ssoURL: https://saml.example.com/sso
    # CA to use when validating the signature of the SAML response.
    ca: /path/to/ca.pem
    # CA's can also be provided inline as a base64'd blob.
    #
    # caData: ( RAW base64'd PEM encoded CA )
    # Callback URL in the form of https://your-loft-domain/auth/saml/callback
    redirectURI: https://loft.my.domain/auth/saml/callback
    # Name of attributes in the returned assertions to map to ID token claims.
    usernameAttr: name
    emailAttr: email
    groupsAttr: groups # optional
    #
    #
    # OPTIONAL CONFIGURATION
    #
    #
    # (Optional) List of groups to filter access based on membership
    allowedGroups: ["Admins"]
    # (Optional) To skip signature validation, uncomment the following field. This should
    # only be used during testing and may be removed in the future
    insecureSkipSignatureValidation: true
    # (Optional) Manually specify loft's Issuer value.
    # When provided loft will include this as the Issuer value during AuthnRequest.
    # It will also override the redirectURI as the required audience when evaluating
    # AudienceRestriction elements in the response.
    entityIssuer: https://loft.my.domain/auth/saml/callback
    # (Optional) Issuer value expected in the SAML response.
    ssoIssuer: https://saml.example.com/sso
    # (Optional) Delimiter for splitting groups returned as a single string.
    #
    # By default, multiple groups are assumed to be represented as multiple
    # attributes with the same name.
    #
    # If "groupsDelim" is provided groups are assumed to be represented as a
    # single attribute and the delimiter is used to split the attribute's value
    # into multiple groups.
    groupsDelim: ", "
    # (Optional) Requested format of the NameID.
    #
    # The NameID value is is mapped to the user ID of the user. This can be an
    # abbreviated form of the full URI with just the last component. For example,
    # if this value is set to "emailAddress" the format will resolve to:
    #
    # urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    #
    # If no value is specified, this value defaults to:
    #
    # urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    #
    nameIDPolicyFormat: persistent
  2. Authenticate via SAML

    After saving the new Loft configuration, Loft will restart itself and you should be able to log in via SAML.

  3. Disable Username + Password Authentication (optional)

    To disable password-based authentication, navigate to Admin > Config add these two lines to your config:

    auth:
    oidc: ... # This is your SSO configuration (make sure this is working!)
    password:
    disabled: true # Disable password-based authentication