{ "description": "SAMLConnector is the Schema for the samlconnectors API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "SAMLConnector resource definition v2 from Teleport", "properties": { "acs": { "description": "AssertionConsumerService is a URL for assertion consumer service on the service provider (Teleport's side).", "type": "string" }, "allow_idp_initiated": { "description": "AllowIDPInitiated is a flag that indicates if the connector can be used for IdP-initiated logins.", "type": "boolean" }, "assertion_key_pair": { "description": "EncryptionKeyPair is a key pair used for decrypting SAML assertions.", "nullable": true, "properties": { "cert": { "description": "Cert is a PEM-encoded x509 certificate.", "type": "string" }, "private_key": { "description": "PrivateKey is a PEM encoded x509 private key.", "type": "string" } }, "type": "object", "additionalProperties": false }, "attributes_to_roles": { "description": "AttributesToRoles is a list of mappings of attribute statements to roles.", "items": { "properties": { "name": { "description": "Name is an attribute statement name.", "type": "string" }, "roles": { "description": "Roles is a list of static teleport roles to map to.", "items": { "type": "string" }, "nullable": true, "type": "array" }, "value": { "description": "Value is an attribute statement value to match.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "audience": { "description": "Audience uniquely identifies our service provider.", "type": "string" }, "cert": { "description": "Cert is the identity provider certificate PEM. IDP signs `` responses using this certificate.", "type": "string" }, "client_redirect_settings": { "description": "ClientRedirectSettings defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones.", "nullable": true, "properties": { "allowed_https_hostnames": { "description": "a list of hostnames allowed for https client redirect URLs", "items": { "type": "string" }, "nullable": true, "type": "array" }, "insecure_allowed_cidr_ranges": { "description": "a list of CIDRs allowed for HTTP or HTTPS client redirect URLs", "items": { "type": "string" }, "nullable": true, "type": "array" } }, "type": "object", "additionalProperties": false }, "display": { "description": "Display controls how this connector is displayed.", "type": "string" }, "entity_descriptor": { "description": "EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements.", "type": "string" }, "entity_descriptor_url": { "description": "EntityDescriptorURL is a URL that supplies a configuration XML.", "type": "string" }, "force_authn": { "description": "ForceAuthn specified whether re-authentication should be forced on login. UNSPECIFIED is treated as NO.", "x-kubernetes-int-or-string": true }, "issuer": { "description": "Issuer is the identity provider issuer.", "type": "string" }, "mfa": { "description": "MFASettings contains settings to enable SSO MFA checks through this auth connector.", "nullable": true, "properties": { "cert": { "description": "Cert is the identity provider certificate PEM. IDP signs `` responses using this certificate.", "type": "string" }, "enabled": { "description": "Enabled specified whether this SAML connector supports MFA checks. Defaults to false.", "type": "boolean" }, "entity_descriptor": { "description": "EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements. Usually set from EntityDescriptorUrl.", "type": "string" }, "entity_descriptor_url": { "description": "EntityDescriptorUrl is a URL that supplies a configuration XML.", "type": "string" }, "force_authn": { "description": "ForceAuthn specified whether re-authentication should be forced for MFA checks. UNSPECIFIED is treated as YES to always re-authentication for MFA checks. This should only be set to NO if the IdP is setup to perform MFA checks on top of active user sessions.", "x-kubernetes-int-or-string": true }, "issuer": { "description": "Issuer is the identity provider issuer. Usually set from EntityDescriptor.", "type": "string" }, "sso": { "description": "SSO is the URL of the identity provider's SSO service. Usually set from EntityDescriptor.", "type": "string" } }, "type": "object", "additionalProperties": false }, "preferred_request_binding": { "description": "PreferredRequestBinding is a preferred SAML request binding method. Value must be either \"http-post\" or \"http-redirect\". In general, the SAML identity provider lists request binding methods it supports. And the SAML service provider uses one of the IdP supported request binding method that it prefers. But we never honored request binding value provided by the IdP and always used http-redirect binding as a default. Setting up PreferredRequestBinding value lets us preserve existing auth connector behavior and only use http-post binding if it is explicitly configured.", "type": "string" }, "provider": { "description": "Provider is the external identity provider.", "type": "string" }, "service_provider_issuer": { "description": "ServiceProviderIssuer is the issuer of the service provider (Teleport).", "type": "string" }, "signing_key_pair": { "description": "SigningKeyPair is an x509 key pair used to sign AuthnRequest.", "nullable": true, "properties": { "cert": { "description": "Cert is a PEM-encoded x509 certificate.", "type": "string" }, "private_key": { "description": "PrivateKey is a PEM encoded x509 private key.", "type": "string" } }, "type": "object", "additionalProperties": false }, "single_logout_url": { "description": "SingleLogoutURL is the SAML Single log-out URL to initiate SAML SLO (single log-out). If this is not provided, SLO is disabled.", "type": "string" }, "sso": { "description": "SSO is the URL of the identity provider's SSO service.", "type": "string" }, "user_matchers": { "description": "UserMatchers is a set of glob patterns to narrow down which username(s) this auth connector should match for identifier-first login.", "items": { "type": "string" }, "nullable": true, "type": "array" } }, "type": "object", "additionalProperties": false }, "status": { "description": "Status defines the observed state of the Teleport resource", "properties": { "conditions": { "description": "Conditions represent the latest available observations of an object's state", "items": { "description": "Condition contains details for one aspect of the current state of this API Resource.", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": "integer" }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "teleportResourceID": { "format": "int64", "type": "integer" } }, "type": "object", "additionalProperties": false } }, "type": "object" }