Background
Federated authentication is a must for virtually all organizations beyond a certain size. Microsoft's Active Directory product has long been the gold standard for managing an enterprise's users and their access permissions, and Azure Active Directory is its direct cloud counterpart. k6 Cloud integrates with Azure AD to provide organizations with a compliant way to handle on- and offboarding of team members to the service.
What is SAML?
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an Identity Provider (e.g. Azure AD) and a Service Provider (e.g. k6 Cloud). SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions).
Read more over at Wikipedia.
Prerequisites
To set up Azure AD SAML SSO based authentication to k6 Cloud you must have:
- A Team plan or above and the SAML SSO add-on ($), or alternatively an Enterprise plan.
- An Azure AD Premium Subscription.
Configuration
Navigate to https://portal.azure.com/.
Log in to Azure and go to the "Azure Active Directory" tab.
Select the "Enterprise applications" service.
Click on the "New application" button.
Select "Non-gallery application".
Give the application a name, e.g. k6 Cloud.
Click "Add".
When your application has successfully been added, click "Set up single sign on" (or the equivalent "Single sign-on" link in the left menu):
Click "SAML" to enable it:
Edit "Basic SAML Configuration":
Setting:
| Property | Value |
| --- | --- |
| Identifier (Entity ID) | https://api.k6.io/sso/acs/ |
| Reply URL (Assertion Consumer Service URL) | https://api.k6.io/sso/acs/ |
| Logout Url | https://app.k6.io/account/logout |
Edit "User Attributes & Claims":
Setting the following user attributes (and clearing the "Namespace" property for each attribute):
| Attribute | Value |
| --- | --- |
| Unique User Identifier | user.userprincipalname |
| user.email | user.userprincipalname |
| user.username | user.userprincipalname |
| user.first_name | user.givenname |
| user.last_name | user.surname |
| token | A unique token that you'll be provided with by the k6 Cloud support team. |
Copy the "App Federation Metadata Url" and send it to k6 Cloud support for completion of the setup.
Also, edit "SAML Signing Certificate" and set the "Signing option" to "Sign SAML response and assertion":
Before moving to the final step of testing the integration, make sure you've added the appropriate users and groups to the application in Azure AD.
Once you've gotten confirmation from k6 Cloud support that your account is ready, we advise you to test the integration by clicking the "Test" button in Azure AD.
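An added example (not part of the k6 documentation): a structural pre-flight check for a SAML response captured during the Azure AD test, confirming it matches the settings above. `check_response` and `sample_response` are hypothetical names, the sample XML is constructed, and the check does not verify signatures cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS_URL = "https://api.k6.io/sso/acs/"  # Entity ID and Reply URL from this page
REQUIRED = {"user.email", "user.username", "user.first_name",
            "user.last_name", "token"}

def check_response(xml_text):
    """Return configuration problems; presence checks only, no crypto."""
    root = ET.fromstring(xml_text)  # use only on your own test capture
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted saml:Assertion found"]
    problems = []
    # "Sign SAML response and assertion": each carries its own ds:Signature.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination is {root.get('Destination')!r}")
    audiences = {a.text for a in assertion.iterfind(".//saml:Audience", NS)}
    if ACS_URL not in audiences:
        problems.append(f"Audience {sorted(audiences)} lacks the Entity ID")
    names = {a.get("Name") for a in assertion.iterfind(".//saml:Attribute", NS)}
    for missing in sorted(REQUIRED - names):
        # A "Namespace" that was not cleared shows up as a URI-prefixed Name.
        hint = [n for n in names if n and n.endswith("/" + missing)]
        problems.append(f"attribute {missing} missing"
                        + (f" (namespace not cleared: {hint[0]})" if hint else ""))
    return problems

def sample_response(sign_assertion=True, email_name="user.email"):
    """Constructed sample, not real Azure AD output; signature bodies elided."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>x'
        '</saml:AttributeValue></saml:Attribute>'
        for n in (email_name, "user.username", "user.first_name",
                  "user.last_name", "token"))
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            f'Destination="{ACS_URL}">{sig}'
            f'<saml:Assertion>{sig if sign_assertion else ""}<saml:Conditions>'
            f'<saml:AudienceRestriction><saml:Audience>{ACS_URL}</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement>'
            '</saml:Assertion></samlp:Response>')
```

An empty list from `check_response` means the captured response is consistent with the settings on this page; each string in a non-empty list names one setting to revisit in Azure AD.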
Setting up access to projects
With a completed integration between k6 Cloud and Azure AD, your team members can Single Sign On to k6 Cloud via the Azure Portal. The next step is to set up project access permissions for team members in k6 Cloud; this doesn't happen automatically as part of account provisioning.
The steps to do this are as follows:
1. Team members need to SSO into k6 Cloud first for account provisioning to happen.
2. See our docs on adding team members for more information on how to set up access permissions to projects for team members.
Note: You must not invite team members through the k6 Cloud web app. Rather, as stated in 1) above, team members must SSO into k6 Cloud for account provisioning to happen.