External Authentication

SAML Integration

Integration with Scalr

When SAML is activated, the authentication step moves outside of Scalr and is handed over to the SAML identity provider (IdP) that you have configured. During sign in, the user is sent to the sign in page provided by the IdP. After a successful sign in, the IdP redirects the user back to Scalr's assertion consumer service (ACS) endpoint with a signed assertion, and Scalr then treats the user as signed in. Each account in Scalr can have a separate SAML provider if your organization requires it.

Configuration

To enable SAML, you must configure it at the global scope of the Scalr UI. To do this:

  1. Log in as a global admin, click on the Scalr icon on the top left and go to IAM -> identity providers:

    ../_images/saml_setup.png
  2. Note down the SP endpoints, as they will be needed when configuring the SAML provider: the SP metadata URL and the ACS URL. For example: https://scalr.server/public/saml/idp-sp986542njcvhjv78?metadata and https://scalr.server/public/saml/idp-sp986542njcvhjv78?acs

  3. Fill in the fields required by your SAML provider.

  4. After you save the SAML configuration, link the provider to an account:

    ../_images/saml_account.png

Note

If you need to log in as a local (Scalr authenticated) administrator, add the following to the end of your Scalr URL to skip the redirect to the SAML login screen and show the local login form: #?no-login-redirect (https://your.scalrserver.com#?no-login-redirect)

Okta Example

Note

Scalr supports all SAML providers, this is just an example of a commonly used one.

  1. Go to Okta’s administration interface by pressing the “Admin” button within the Okta UI:

    ../_images/okta_admin.png
  2. Select Applications > Applications from the toolbar:

    ../_images/okta_app.png
  3. Select “Add Application”:

    ../_images/okta_add_app.png
  4. Select “Create New App”:

    ../_images/okta_new_app.png
  5. Select SAML 2.0 in the “Create a new application integration” dialogue message:

    ../_images/saml2.png
  6. Enter the “App name”, then select Next:

    ../_images/saml_app_name.png
  7. Configure SAML settings. Fill in the form as shown in the example below, swapping the example URL host for your own Scalr server. Ensure the “Group Attribute Statements (Optional)” field is populated, otherwise the user's groups are not sent to Scalr and no team can be matched. It is extremely important to enter the “Attribute name”, “Format”, and “Filter” options exactly as shown below:

    ../_images/configure_saml.png
  8. Finishing SAML integration:

    ../_images/okta_finish.png
  9. When complete, you will be forwarded to a Sign On page where the SAML Service Provider configuration options link can be found. Click “View Setup Instructions” to see details:

    ../_images/okta_instructions.png
  10. Enter the following settings into the SAML setup in the Scalr UI. Be sure to use the ID and URL that you obtained previously:

  11. Everything else can be left at its default setting. If there is more than one authentication method, users will be prompted to select their method when logging into Scalr:

    ../_images/login.png

Users and Teams with SAML

After Scalr has been reconfigured for SAML, users and teams work as follows.

  1. Teams map to groups sent by the SAML provider (for Okta, the groups delivered by the Group Attribute Statement configured above). Account admins still have to create teams in Scalr, but the team name is validated against the group names the provider sends, so the team name must match the group name exactly.

  2. Teams must be linked to at least one environment.

  3. Once a team has been linked, any member of the related group can attempt to log in to Scalr. On first login a user record is created in Scalr and set as SAML authenticated.

  4. Scalr admin can still create Scalr authenticated users to act as global and account admins. SAML authenticated users can also be set as global and account admins.

  5. If a user has access to more than one account, they will be prompted to select an account during login.


LDAP Integration

Integration with Scalr

When LDAP is activated, it will move the authentication and user management outside of Scalr and hand it over to the LDAP server that you have configured. Each account in Scalr can have a separate LDAP provider if your organization requires it.

Configuration

To enable LDAP, you must configure it at the global scope of the Scalr UI. To do this:

  1. Log in as a global admin, click on the Scalr icon on the top left and go to IAM -> identity providers:

    ../_images/ldap_setup.png
  2. Fill in the fields required by your LDAP server.

  3. After you save the LDAP configuration, link the provider to an account:

    ../_images/ldap_account.png

Users and Teams with LDAP

After Scalr has been reconfigured for LDAP, users and teams work as follows.

  1. Teams map to AD/LDAP groups. Account admins still have to create teams in Scalr but the team name will be validated against the groups in AD/LDAP, so the team name must match the group name.

  2. Teams must be linked to at least one environment.

  3. Once a team has been linked, any member of the related LDAP group can attempt to log in to Scalr. On first login a user record is created in Scalr and set as LDAP authenticated.

  4. Scalr admin can still create Scalr authenticated users to act as global and account admins. LDAP authenticated users can also be set as global and account admins.

  5. If a user has access to more than one account, they will be prompted to select an account during login.
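The rule stated in both "Users and Teams" sections above (SAML and LDAP) is the same: a Scalr team only grants access when its name matches a group name the identity provider sends, and the team must be linked to an environment. The following added example (not Scalr's own code) shows that matching end to end: it reads the group attribute out of a SAML assertion, extracts group names from LDAP memberOf DNs, and maps both onto a table of teams. It assumes the SAML assertion has already been signature-verified and its Conditions checked by the SP layer (it must never be fed an unverified assertion), that the groups arrive in an attribute named "groups" (the name entered in Okta's "Group Attribute Statements"), that for LDAP the group name Scalr compares against is the CN of the group DN, and that the comparison is exact and case-sensitive. The sample assertion and memberOf values are constructed, not captured from a real IdP.

```python
"""Group-to-team mapping for Scalr's external authentication (added example).

Assumptions (labelled again in the comments below):
  * the SAML assertion was already signature-verified and its Conditions
    (audience, validity window) checked by the SP library; this code only
    reads attributes out of it;
  * groups arrive in a SAML attribute named "groups";
  * for LDAP, the group name is the CN of the memberOf DN;
  * team names must match group names exactly (case-sensitive).
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET  # production code should use defusedxml

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from a real IdP). The ds:Signature element is
# omitted: verifying it is the SP library's job and happens before this code runs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exk-example</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>devops</saml:AttributeValue>
      <saml:AttributeValue>DevOps</saml:AttributeValue>
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample memberOf values as an LDAP search would return them.
SAMPLE_MEMBER_OF = [
    "CN=devops,OU=Groups,DC=example,DC=com",
    "cn=Finance\\, EMEA,OU=Groups,DC=example,DC=com",  # RFC 4514 escaped comma
    "OU=NotAGroup,DC=example,DC=com",                   # no CN: skipped
]


def saml_groups(assertion_xml: str, attr_name: str = "groups") -> list[str]:
    """Return every AttributeValue of the named attribute, in assertion order.

    Assumption: the caller verified the XML signature first. Without that, a
    forged assertion could claim membership of any group and hence any team.
    """
    root = ET.fromstring(assertion_xml)
    values: list[str] = []
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attr_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                values.append(value.text.strip())
    return values


# Leading "cn=" (any case) followed by the RDN value, allowing backslash escapes.
_CN_RE = re.compile(r"^cn=((?:\\.|[^,\\])*)", re.IGNORECASE)


def ldap_group_names(member_of: list[str]) -> list[str]:
    """Extract the CN from each memberOf DN, unescaping '\\,' and similar."""
    names: list[str] = []
    for dn in member_of:
        m = _CN_RE.match(dn.strip())
        if m:
            names.append(re.sub(r"\\(.)", r"\1", m.group(1)))
    return names


def match_teams(groups: list[str], team_environments: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return the teams the user belongs to, with their linked environments.

    Exact, case-sensitive comparison (assumption): "DevOps" does not match a
    team named "devops". Teams linked to no environment grant nothing, per the
    rule that a team must be linked to at least one environment. Raises
    PermissionError when no team matches, i.e. the login should be refused.
    """
    asserted = set(groups)
    granted = {team: list(envs) for team, envs in team_environments.items()
               if team in asserted and envs}
    if not granted:
        raise PermissionError("no Scalr team with a linked environment matches the user's groups")
    return granted


if __name__ == "__main__":
    # Hypothetical team table: team name -> linked environments.
    teams = {"devops": ["production"], "finance": [], "Finance": ["billing"]}
    print(match_teams(saml_groups(SAMPLE_ASSERTION), teams))   # {'devops': ['production']}
    print(match_teams(ldap_group_names(SAMPLE_MEMBER_OF), teams))
```

Note that "finance" is asserted but linked to no environment, and "Finance" is linked but differs in case, so only "devops" is granted. If your directory compares group names case-insensitively, create the Scalr team with the exact spelling the provider sends rather than relaxing the comparison.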