Configure SAML and OIDC providers for Chalk
Before configuring SAML, please ensure that you have the information for configuring your SAML provider. For Okta, please view this documentation.
To configure SAML for your Chalk deployment, you will need to add the following information to your values.yaml:
chalk:
metadata:
frontend:
custom_auth_providers: '[{"id":"YOUR TEAM ID","type":"saml","name":"Okta"}]'
saml_issuer: SAML_ISSUER
saml_login_url: SAML_LOGIN_URL
saml_logout_url: SAML_LOGOUT_URL
saml_team: YOUR TEAM ID
idp_saml_cert: |
-----BEGIN CERTIFICATE-----
<your saml cert here>
-----END CERTIFICATE-----
IDP SAML cert is the certificate that your SAML provider uses to sign the SAML responses. This is typically found in, e.g., the Okta web UI.
Note: this configuration must be aligned with the SAML_CERT and SAML_KEY that you used to configure your SAML
provider. By default, Chalk automatically generates a unique SAML_CERT and SAML_KEY in the chalk-generated-secrets
secret object.
To configure OIDC for your Chalk deployment, you will need to add the following information to your values.yaml:
chalk:
metadata:
frontend:
custom_auth_providers: '[{"id":"YOUR TEAM ID","type":"oauth","name":"PROVIDER NAME"}]'
where PROVIDER NAME is the name of the provider you are configuring. The acceptable values for PROVIDER NAME are:
googleazure-adgithubkeycloakYou will also need to add the following information to your chalk-frontend-secrets secret:
GOOGLE_CLIENT_ID=YOUR_GOOGLE_CLIENT_ID
GOOGLE_CLIENT_SECRET=YOUR_GOOGLE_CLIENT_SECRET
AZURE_AD_CLIENT_ID=YOUR_AZURE_AD_CLIENT_ID
AZURE_AD_CLIENT_SECRET=YOUR_AZURE_AD
AZURE_AD_TENANT_ID=YOUR_AZURE_AD_TENANT_ID
GH_CLIENT_ID=YOUR_GITHUB_CLIENT_ID
GH_CLIENT_SECRET=YOUR_GITHUB_CLIENT_SECRET
Note: this configuration is for Keycloak operating as an OIDC provider, rather than a SAML provider.
KEYCLOAK_CLIENT_ID=YOUR_KEYCLOAK_CLIENT_ID
KEYCLOAK_CLIENT_SECRET=YOUR_KEYCLOAK_CLIENT_SECRET