Configure SAML providers to authenticate to clusters

This document is for platform administrators, or whoever manages identity setup in your organization. It explains how to configure your chosen Security Assertion Markup Language (SAML) identity provider for authentication to Kubernetes clusters that aren't on Google Cloud.

Register a client application with your provider

During the authentication flow, the identity provider uses the following information to identify the cluster and to route the authentication response back to it:

  • EntityID - This is a unique identifier that represents the cluster authentication mechanism for the provider. It is derived from the URL of the API server. For example, if the APISERVER-URL is https://cluster.company.com, then the EntityID should be https://cluster.company.com:11001. Note that the EntityID has no trailing slash; the provider compares this value exactly, so a trailing slash or a different port makes the provider reject the cluster's requests.
  • AssertionConsumerServiceURL - This is the callback URL. The response is forwarded to this URL after the provider authenticates the user. For example, if the APISERVER-URL is https://cluster.company.com, then the AssertionConsumerServiceURL should be https://cluster.company.com:11001/saml-callback.
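The derivation above is mechanical but unforgiving, so the following added example (not code from the page or from Google) computes both values from an APISERVER-URL, refuses inputs that would silently produce a mismatching EntityID, and renders them as SAML 2.0 SP metadata that a provider can import. Port 11001 and the /saml-callback path come from the page; the HTTP-POST binding, the signing flags in the metadata and the rejection of URLs that carry an explicit port are assumptions to confirm with your cluster administrator.

```python
"""Derive the service-provider values a cluster needs from its API
server URL: the EntityID (host plus port 11001, no trailing slash) and
the AssertionConsumerServiceURL (EntityID plus /saml-callback), and
optionally render them as SAML 2.0 SP metadata.

Added example, not code from the page or from Google. Port 11001 and the
/saml-callback path come from the page; the metadata rendering, the
HTTP-POST binding and the rejection of URLs that carry an explicit port
are assumptions to confirm with your cluster administrator.
"""
from urllib.parse import urlsplit
from xml.sax.saxutils import quoteattr

SAML_PORT = 11001            # from the page
ACS_PATH = "/saml-callback"  # from the page


def derive_sp_identifiers(apiserver_url: str) -> dict:
    """Return {"EntityID": ..., "AssertionConsumerServiceURL": ...}.

    The IdP compares EntityID and the reply URL byte for byte, so the
    function refuses inputs that would silently produce a mismatch
    (http scheme, embedded credentials, a path beyond "/", a query or
    fragment) and strips the one variation the page allows for, a
    trailing slash.
    """
    parts = urlsplit(apiserver_url.strip())
    if parts.scheme != "https":
        raise ValueError("APISERVER-URL must use https")
    if not parts.hostname:
        raise ValueError("APISERVER-URL has no host")
    if parts.username or parts.password:
        raise ValueError("APISERVER-URL must not embed credentials")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("APISERVER-URL must be a bare origin, no path/query/fragment")
    if parts.port is not None:
        # Assumption: the page only shows URLs without a port, so refuse
        # rather than guess whether 11001 replaces or joins it.
        raise ValueError("APISERVER-URL with an explicit port: confirm the EntityID manually")
    host = parts.hostname  # already lowercased by urlsplit
    if ":" in host:        # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    entity_id = f"https://{host}:{SAML_PORT}"  # deliberately no trailing slash
    return {
        "EntityID": entity_id,
        "AssertionConsumerServiceURL": entity_id + ACS_PATH,
    }


def sp_metadata_xml(apiserver_url: str) -> str:
    """Minimal SP metadata (urn:oasis:names:tc:SAML:2.0:metadata) that an
    IdP can import instead of having the two values typed in. Binding and
    signing flags are assumptions, not values from the page."""
    ids = derive_sp_identifiers(apiserver_url)
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        f'entityID={quoteattr(ids["EntityID"])}>'
        '<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" '
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:AssertionConsumerService '
        'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'Location={quoteattr(ids["AssertionConsumerServiceURL"])} '
        'index="0" isDefault="true"/>'
        '</md:SPSSODescriptor></md:EntityDescriptor>'
    )


if __name__ == "__main__":
    for url in ("https://cluster.company.com", "https://cluster.company.com/"):
        print(url, "->", derive_sp_identifiers(url))
    print(sp_metadata_xml("https://cluster.company.com"))
```

Run it against the real APISERVER-URL before opening the provider's configuration page, and paste the printed values rather than retyping them; most "Reply URL does not match" and "AADSTS" audience errors at login time come from a single character of drift between what the provider stores and what the cluster sends.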

Provider setup information

This section provides steps for registering a client application with Microsoft Entra ID. If you use a different identity provider, see the provider's documentation to set up a client application.

  1. If you haven't done so already, set up a Microsoft Entra tenant.
  2. Register an application in Microsoft Entra ID.
  3. In the Microsoft Entra admin center, open the App registrations page and select your application. The application overview page opens.
  4. In the navigation menu, click Authentication.
  5. In the Platform configurations section, select Enterprise Applications.
  6. In the Set up Single Sign-On with SAML page, edit the Basic SAML Configuration.
  7. In the Identifier (Entity ID) section, select Add Identifier.
  8. Enter the EntityID and the Reply URL (Assertion Consumer Service URL) that you derived in Register a client application with your provider. Both values must match what the cluster sends exactly, including the scheme, the port and the absence of a trailing slash on the EntityID.
  9. Click Save to save these settings.
  10. Review the Attributes & Claims section to add any new attributes.
  11. In the SAML Certificates section, click Certificate (Base64) to download the identity provider certificate.
  12. In the Set up app section, copy the Login URL and the Azure AD identifier (labeled Microsoft Entra Identifier in newer versions of the admin center).

Set SAML assertion lifespan

For enhanced security, configure your SAML provider to issue assertions with a short lifespan, such as 10 minutes. A shorter lifespan narrows the window in which a captured assertion can be replayed. This setting is configurable within your SAML provider's settings.

Setting the lifespan to less than 5 minutes might cause login issues if the clocks between the cluster and your SAML provider aren't synchronized. Each assertion carries NotBefore and NotOnOrAfter timestamps set by the provider, and the cluster rejects assertions that fall outside that window according to its own clock, so a clock difference larger than the lifespan means every login fails. Keep both sides synchronized with NTP before shortening the lifespan.

Share provider details

Share the following provider information with your cluster administrator for cluster setup:

  • idpEntityID - This is the unique identifier for the identity provider. It corresponds to the URL of the provider and is also called the Azure AD identifier. The cluster compares it with the Issuer of every assertion it receives.
  • idpSingleSignOnURL - This is the endpoint to which the user is redirected for sign-in. This is also called the Login URL.
  • idpCertificateDataList - This is the public certificate (the Certificate (Base64) file you downloaded) that the cluster uses to verify the signature on the provider's SAML assertions.
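To make the lifespan caveat above concrete, and to show what the cluster does with the idpEntityID once it has it, the following added example (not code from the page or from Google) validates an assertion's Issuer and Conditions the way a relying party does, with a clock-skew allowance, and then simulates logins with different assertion lifespans and cluster clock offsets. The assertion is constructed for the demo, the identifier values and the 1-minute skew allowance are assumptions rather than documented cluster settings, and the XML signature is deliberately not checked here (a real relying party verifies it with the idpCertificateDataList certificate before looking at anything else).

```python
"""Validate a SAML assertion's Issuer and Conditions the way the cluster
(the relying party) does, with a clock-skew allowance, to show why a
very short assertion lifespan breaks logins when clocks drift.

Added example, not code from the page or from Google. The assertion is
constructed for the demo, the 1-minute skew allowance and the identifier
values are assumptions, and the XML signature is deliberately not
checked here.
"""
from datetime import datetime, timedelta, timezone
from typing import Tuple
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_ENTITY_ID = "https://idp.example.com/"          # assumed idpEntityID
SP_ENTITY_ID = "https://cluster.company.com:11001"   # cluster EntityID from the page
SKEW = timedelta(minutes=1)                          # assumed tolerance


def _saml_time(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC with a trailing Z."""
    if not value.endswith("Z"):
        raise ValueError(f"expected UTC timestamp ending in Z, got {value!r}")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml: str, now: datetime,
                     expected_issuer: str, expected_audience: str,
                     max_skew: timedelta = SKEW) -> Tuple[bool, str]:
    """Return (accepted, reason). NotBefore is inclusive and NotOnOrAfter
    exclusive, as in SAML 2.0 core; max_skew widens both edges."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        return False, f"issuer {issuer!r} is not the configured idpEntityID"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion carries no Conditions element"
    not_before = _saml_time(cond.attrib["NotBefore"])
    not_on_or_after = _saml_time(cond.attrib["NotOnOrAfter"])
    if now < not_before - max_skew:
        return False, f"not yet valid: NotBefore={not_before:%H:%M:%S} now={now:%H:%M:%S}"
    if now >= not_on_or_after + max_skew:
        return False, f"expired: NotOnOrAfter={not_on_or_after:%H:%M:%S} now={now:%H:%M:%S}"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, f"audience {audiences} does not include our EntityID"
    return True, f"accepted; lifespan {not_on_or_after - not_before}"


def build_assertion(issuer: str, audience: str, issued_at: datetime,
                    lifespan: timedelta) -> str:
    """Constructed, unsigned assertion skeleton for the demo only."""
    nb = issued_at.strftime("%Y-%m-%dT%H:%M:%SZ")
    noa = (issued_at + lifespan).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_demo" Version="2.0" IssueInstant="{nb}">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
    )


def simulate_login(lifespan_minutes: int, cluster_clock_offset_minutes: int,
                   issuer: str = IDP_ENTITY_ID) -> Tuple[bool, str]:
    """The IdP issues at 12:00:00Z; the cluster's clock is offset by the
    given number of minutes (positive means the cluster runs ahead)."""
    idp_now = datetime(2026, 2, 19, 12, 0, 0, tzinfo=timezone.utc)
    assertion = build_assertion(issuer, SP_ENTITY_ID, idp_now,
                                timedelta(minutes=lifespan_minutes))
    cluster_now = idp_now + timedelta(minutes=cluster_clock_offset_minutes)
    return check_conditions(assertion, cluster_now, IDP_ENTITY_ID, SP_ENTITY_ID)


if __name__ == "__main__":
    for lifespan, offset in ((10, 0), (10, 6), (4, 6), (10, -6)):
        ok, why = simulate_login(lifespan, offset)
        print(f"lifespan={lifespan:2}m cluster_clock={offset:+}m -> "
              f"{'OK    ' if ok else 'REJECT'} {why}")
```

The four simulated cases show the asymmetry worth remembering: a cluster clock that runs ahead only breaks logins once the drift exceeds the lifespan plus the skew allowance (so the 10-minute assertion survives a 6-minute drift and the 4-minute one does not), while a cluster clock that runs behind rejects every assertion as "not yet valid" no matter how long it lives. Either way, the fix is clock synchronization, not a longer lifespan.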

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.