Endpoint

/v1/saml/settings

GET

Retrieve the current SAML integration settings.

Parameters

This resource has no parameters.

Response

Codes

Code Description
200 Return value on success

Schema

{
  "description": "api_v1_saml_settings",
  "type": "object",
  "properties": {
    "enabled": {
      "description": "When enabled, the cluster accepts SAML authentication. You must first create a SAML integration for the cluster with a third-party SSO service (which will act as the SAML Identity Provider) and obtain the IdP SSO URL and X.509 certificate. Use https://cluster-fqdn/saml as the Service Provider endpoint when creating the SAML integration. The cluster must be joined to an Active Directory domain, and the SSO service must be connected to the same domain.",
      "type": "boolean"
    },
    "idp_sso_url": {
      "description": "IdP SSO URL. The cluster will send a SAML authentication request to this URL to ask for a Single Sign-On from the Identity Provider. ",
      "type": "string"
    },
    "idp_certificate": {
      "description": "IdP X.509 certificate in PEM format. The cluster uses it to validate the SAML Response received from the Identity Provider before granting the user identified in the response a bearer token to access the cluster.",
      "type": "string"
    },
    "idp_entity_id": {
      "description": "IdP entity ID. Must be a URI provided by the IdP. The cluster will use it to prepare correctly-formed SAML requests to the IdP and to verify that received SAML responses came from that IdP.",
      "type": "string"
    },
    "cluster_dns_name": {
      "description": "DNS name of the cluster. Must be of the form `cluster.domain.com`. The cluster uses this to correctly redirect authentication flows back to itself when the user attempts to log in to the Identity Provider.",
      "type": "string"
    },
    "require_sso": {
      "description": "If set, Active Directory (AD) users must use SSO to manage this cluster. The cluster rejects password-based authentication from AD users of the Web UI, qq CLI, and REST API. This setting does not restrict access over file protocols such as SMB.",
      "type": "boolean"
    }
  }
}

PUT

Set the SAML integration settings.

Parameters

Name | Description | Required
If-Match | ETag for expected version | No

Request

Schema

{
  "description": "api_v1_saml_settings",
  "type": "object",
  "properties": {
    "enabled": {
      "description": "When enabled, the cluster accepts SAML authentication. You must first create a SAML integration for the cluster with a third-party SSO service (which will act as the SAML Identity Provider) and obtain the IdP SSO URL and X.509 certificate. Use https://cluster-fqdn/saml as the Service Provider endpoint when creating the SAML integration. The cluster must be joined to an Active Directory domain, and the SSO service must be connected to the same domain.",
      "type": "boolean"
    },
    "idp_sso_url": {
      "description": "IdP SSO URL. The cluster will send a SAML authentication request to this URL to ask for a Single Sign-On from the Identity Provider. ",
      "type": "string"
    },
    "idp_certificate": {
      "description": "IdP X.509 certificate in PEM format. The cluster uses it to validate the SAML Response received from the Identity Provider before granting the user identified in the response a bearer token to access the cluster.",
      "type": "string"
    },
    "idp_entity_id": {
      "description": "IdP entity ID. Must be a URI provided by the IdP. The cluster will use it to prepare correctly-formed SAML requests to the IdP and to verify that received SAML responses came from that IdP.",
      "type": "string"
    },
    "cluster_dns_name": {
      "description": "DNS name of the cluster. Must be of the form `cluster.domain.com`. The cluster uses this to correctly redirect authentication flows back to itself when the user attempts to log in to the Identity Provider.",
      "type": "string"
    },
    "require_sso": {
      "description": "If set, Active Directory (AD) users must use SSO to manage this cluster. The cluster rejects password-based authentication from AD users of the Web UI, qq CLI, and REST API. This setting does not restrict access over file protocols such as SMB.",
      "type": "boolean"
    }
  }
}

Response

Codes

Code Description
200 Return value on success

Schema

{
  "description": "api_v1_saml_settings",
  "type": "object",
  "properties": {
    "enabled": {
      "description": "When enabled, the cluster accepts SAML authentication. You must first create a SAML integration for the cluster with a third-party SSO service (which will act as the SAML Identity Provider) and obtain the IdP SSO URL and X.509 certificate. Use https://cluster-fqdn/saml as the Service Provider endpoint when creating the SAML integration. The cluster must be joined to an Active Directory domain, and the SSO service must be connected to the same domain.",
      "type": "boolean"
    },
    "idp_sso_url": {
      "description": "IdP SSO URL. The cluster will send a SAML authentication request to this URL to ask for a Single Sign-On from the Identity Provider. ",
      "type": "string"
    },
    "idp_certificate": {
      "description": "IdP X.509 certificate in PEM format. The cluster uses it to validate the SAML Response received from the Identity Provider before granting the user identified in the response a bearer token to access the cluster.",
      "type": "string"
    },
    "idp_entity_id": {
      "description": "IdP entity ID. Must be a URI provided by the IdP. The cluster will use it to prepare correctly-formed SAML requests to the IdP and to verify that received SAML responses came from that IdP.",
      "type": "string"
    },
    "cluster_dns_name": {
      "description": "DNS name of the cluster. Must be of the form `cluster.domain.com`. The cluster uses this to correctly redirect authentication flows back to itself when the user attempts to log in to the Identity Provider.",
      "type": "string"
    },
    "require_sso": {
      "description": "If set, Active Directory (AD) users must use SSO to manage this cluster. The cluster rejects password-based authentication from AD users of the Web UI, qq CLI, and REST API. This setting does not restrict access over file protocols such as SMB.",
      "type": "boolean"
    }
  }
}

PATCH

Modify the SAML integration settings.

Parameters

Name | Description | Required
If-Match | ETag for expected version | No

Request

Schema

{
  "description": "api_v1_saml_settings_patch",
  "type": "object",
  "properties": {
    "enabled": {
      "description": "When enabled, the cluster accepts SAML authentication. You must first create a SAML integration for the cluster with a third-party SSO service (which will act as the SAML Identity Provider) and obtain the IdP SSO URL and X.509 certificate. Use https://cluster-fqdn/saml as the Service Provider endpoint when creating the SAML integration. The cluster must be joined to an Active Directory domain, and the SSO service must be connected to the same domain.",
      "type": "boolean"
    },
    "idp_sso_url": {
      "description": "IdP SSO URL. The cluster will send a SAML authentication request to this URL to ask for a Single Sign-On from the Identity Provider. ",
      "type": "string"
    },
    "idp_certificate": {
      "description": "IdP X.509 certificate in PEM format. The cluster uses it to validate the SAML Response received from the Identity Provider before granting the user identified in the response a bearer token to access the cluster.",
      "type": "string"
    },
    "idp_entity_id": {
      "description": "IdP entity ID. Must be a URI provided by the IdP. The cluster will use it to prepare correctly-formed SAML requests to the IdP and to verify that received SAML responses came from that IdP.",
      "type": "string"
    },
    "cluster_dns_name": {
      "description": "DNS name of the cluster. Must be of the form `cluster.domain.com`. The cluster uses this to correctly redirect authentication flows back to itself when the user attempts to log in to the Identity Provider.",
      "type": "string"
    },
    "require_sso": {
      "description": "If set, Active Directory (AD) users must use SSO to manage this cluster. The cluster rejects password-based authentication from AD users of the Web UI, qq CLI, and REST API. This setting does not restrict access over file protocols such as SMB.",
      "type": "boolean"
    }
  }
}

Response

Codes

Code Description
200 Return value on success

Schema

{
  "description": "api_v1_saml_settings",
  "type": "object",
  "properties": {
    "enabled": {
      "description": "When enabled, the cluster accepts SAML authentication. You must first create a SAML integration for the cluster with a third-party SSO service (which will act as the SAML Identity Provider) and obtain the IdP SSO URL and X.509 certificate. Use https://cluster-fqdn/saml as the Service Provider endpoint when creating the SAML integration. The cluster must be joined to an Active Directory domain, and the SSO service must be connected to the same domain.",
      "type": "boolean"
    },
    "idp_sso_url": {
      "description": "IdP SSO URL. The cluster will send a SAML authentication request to this URL to ask for a Single Sign-On from the Identity Provider. ",
      "type": "string"
    },
    "idp_certificate": {
      "description": "IdP X.509 certificate in PEM format. The cluster uses it to validate the SAML Response received from the Identity Provider before granting the user identified in the response a bearer token to access the cluster.",
      "type": "string"
    },
    "idp_entity_id": {
      "description": "IdP entity ID. Must be a URI provided by the IdP. The cluster will use it to prepare correctly-formed SAML requests to the IdP and to verify that received SAML responses came from that IdP.",
      "type": "string"
    },
    "cluster_dns_name": {
      "description": "DNS name of the cluster. Must be of the form `cluster.domain.com`. The cluster uses this to correctly redirect authentication flows back to itself when the user attempts to log in to the Identity Provider.",
      "type": "string"
    },
    "require_sso": {
      "description": "If set, Active Directory (AD) users must use SSO to manage this cluster. The cluster rejects password-based authentication from AD users of the Web UI, qq CLI, and REST API. This setting does not restrict access over file protocols such as SMB.",
      "type": "boolean"
    }
  }
}