pulumi-hugo-cn/themes/default/content/docs/pulumi-cloud/self-hosted/saml-sso.md

---
title_tag: "Enable SAML SSO for Self-hosted Environments"
meta_desc: Learn how to make the self-hosted Pulumi ready for SAML SSO with any IdP. Self-hosting is available as part of the Enterprise Edition.
title: SAML SSO
h1: SAML SSO for self-hosted Pulumi Cloud
meta_image: /images/docs/meta-images/docs-meta.png
menu:
    pulumicloud:
        parent: self-hosted
        weight: 2
aliases:
  - /docs/guides/self-hosted/saml-sso/
---

The self-hosted option allows you to control various aspects of the Pulumi Cloud including how users will sign in to the [Pulumi Cloud](/docs/pulumi-cloud/self-hosted/components/console/).

## Creating The Keys

Before you can use SAML SSO to logon to the Console, you will need to ensure that the [API service](/docs/pulumi-cloud/self-hosted/components/api/) has a pair of keys that will be used to sign
and validate requests/responses, regardless of the IdP you choose to use.

The credentials are a public/private key pair that are supplied as environment variables to the API service.
In the following snippets, we show you how you can generate a key pair by using `openssl`.
The snippet shows the command for a self-hosted API service that is accessible via `api.company.com`.
Be sure to adjust the value accordingly.

> OpenSSL's official [wiki](https://wiki.openssl.org/index.php/Binaries) site contains links to pre-built binaries.

```
# Generate a new 2048-bit RSA key with a validity of 365 days.
openssl \
  req -x509 -newkey rsa:2048 \
  -days 365 -nodes -subj "/CN=api.company.com" \
  -keyout cert.key \
  -out cert.cert
```

If you also want to additionally specify an SAN (Subject Alternative Name) for your public cert, you can do so by passing the `-addext` flag as shown below.

> For this to work, though, you'll need to install _at least_ version 1.1. Once installed ensure that the 1.1 version is on your path when you run the command.
> Otherwise `-addext` will not be recognized as a valid flag.

```
openssl \
  req -x509 -newkey rsa:2048 \
  -days 365 -nodes -subj "/CN=api.company.com" \
  -keyout cert.key \
  -addext "subjectAltName=DNS:anotherdomain.company.com" \
  -out cert.cert
```

## Configure The API Service

Once the key pair has been generated, set the value of the following environment variables for the API service:

`SAML_CERTIFICATE_PUBLIC_KEY` should be set to the value of the `cert.cert` file, i.e. the public key file.
`SAML_CERTIFICATE_PRIVATE_KEY` should be set to the value of the `cert.key` file, i.e. the private key file.

For these values to take effect, you will need to restart the API Service.

> Restart the service only during a planned maintenance window.

## Enabling SAML SSO as an identity option

By default, the SAML SSO signin/signup option is not displayed to end users of the Console service.
To enable this, set the `SAML_SSO_ENABLED` environment variable for the [console](/docs/pulumi-cloud/self-hosted/components/console/) container to `true`
and restart the service.
Add doc for configuring SAML SSO with self-hosted installations (#3835) The new page describes the steps for generating an RSA key-pair used by the self-hosted install for validating SAML assertions. 2020-07-31 08:35:52 -07:00			`---`
Docs PLO adjustments for SEO (#2967) 2023-06-02 21:41:36 -07:00			`title_tag: "Enable SAML SSO for Self-hosted Environments"`
Add doc for configuring SAML SSO with self-hosted installations (#3835) The new page describes the steps for generating an RSA key-pair used by the self-hosted install for validating SAML assertions. 2020-07-31 08:35:52 -07:00			`meta_desc: Learn how to make the self-hosted Pulumi ready for SAML SSO with any IdP. Self-hosting is available as part of the Enterprise Edition.`
reorg docs nav + add cloud pages (#2769) 2023-05-15 15:25:28 -07:00			`title: SAML SSO`
			`h1: SAML SSO for self-hosted Pulumi Cloud`
add meta imgs for docs (#3018) 2023-06-08 16:15:52 -07:00			`meta_image: /images/docs/meta-images/docs-meta.png`
reorg docs nav + add cloud pages (#2769) 2023-05-15 15:25:28 -07:00			`menu:`
			`pulumicloud:`
			`parent: self-hosted`
			`weight: 2`
fix aliases property in front matter (#2879) 2023-05-18 16:37:26 -07:00			`aliases:`
			`- /docs/guides/self-hosted/saml-sso/`
Add doc for configuring SAML SSO with self-hosted installations (#3835) The new page describes the steps for generating an RSA key-pair used by the self-hosted install for validating SAML assertions. 2020-07-31 08:35:52 -07:00			`---`

reorg docs nav + add cloud pages (#2769) 2023-05-15 15:25:28 -07:00			`The self-hosted option allows you to control various aspects of the Pulumi Cloud including how users will sign in to the [Pulumi Cloud](/docs/pulumi-cloud/self-hosted/components/console/).`
Add doc for configuring SAML SSO with self-hosted installations (#3835) The new page describes the steps for generating an RSA key-pair used by the self-hosted install for validating SAML assertions. 2020-07-31 08:35:52 -07:00
			`## Creating The Keys`

reorg docs nav + add cloud pages (#2769) 2023-05-15 15:25:28 -07:00			`Before you can use SAML SSO to logon to the Console, you will need to ensure that the [API service](/docs/pulumi-cloud/self-hosted/components/api/) has a pair of keys that will be used to sign`
Add doc for configuring SAML SSO with self-hosted installations (#3835) The new page describes the steps for generating an RSA key-pair used by the self-hosted install for validating SAML assertions. 2020-07-31 08:35:52 -07:00			`and validate requests/responses, regardless of the IdP you choose to use.`

remove some simplys (#1807) 2022-08-09 12:32:12 -07:00			`The credentials are a public/private key pair that are supplied as environment variables to the API service.`
Add doc for configuring SAML SSO with self-hosted installations (#3835) The new page describes the steps for generating an RSA key-pair used by the self-hosted install for validating SAML assertions. 2020-07-31 08:35:52 -07:00			In the following snippets, we show you how you can generate a key pair by using `openssl`.
			The snippet shows the command for a self-hosted API service that is accessible via `api.company.com`.
			`Be sure to adjust the value accordingly.`

			`> OpenSSL's official [wiki](https://wiki.openssl.org/index.php/Binaries) site contains links to pre-built binaries.`

			```
			`# Generate a new 2048-bit RSA key with a validity of 365 days.`
			`openssl \`
			`req -x509 -newkey rsa:2048 \`
			`-days 365 -nodes -subj "/CN=api.company.com" \`
			`-keyout cert.key \`
			`-out cert.cert`
			```

			If you also want to additionally specify an SAN (Subject Alternative Name) for your public cert, you can do so by passing the `-addext` flag as shown below.

			`> For this to work, though, you'll need to install _at least_ version 1.1. Once installed ensure that the 1.1 version is on your path when you run the command.`
			> Otherwise `-addext` will not be recognized as a valid flag.

			```
			`openssl \`
			`req -x509 -newkey rsa:2048 \`
			`-days 365 -nodes -subj "/CN=api.company.com" \`
			`-keyout cert.key \`
			`-addext "subjectAltName=DNS:anotherdomain.company.com" \`
			`-out cert.cert`
			```

			`## Configure The API Service`

			`Once the key pair has been generated, set the value of the following environment variables for the API service:`

			`SAML_CERTIFICATE_PUBLIC_KEY` should be set to the value of the `cert.cert` file, i.e. the public key file.
			`SAML_CERTIFICATE_PRIVATE_KEY` should be set to the value of the `cert.key` file, i.e. the private key file.

			`For these values to take effect, you will need to restart the API Service.`

			`> Restart the service only during a planned maintenance window.`
Document SAML_SSO_ENABLED for self-hosted Pulumi Service (#5102) * Document SAML_SSO_ENABLED for self-hosted Pulumi Service. * Update content/docs/guides/self-hosted/saml-sso.md Co-authored-by: David Wrede <d_wrede@yahoo.com> Co-authored-by: David Wrede <d_wrede@yahoo.com> 2021-02-01 22:41:05 -08:00
			`## Enabling SAML SSO as an identity option`

			`By default, the SAML SSO signin/signup option is not displayed to end users of the Console service.`
reorg docs nav + add cloud pages (#2769) 2023-05-15 15:25:28 -07:00			To enable this, set the `SAML_SSO_ENABLED` environment variable for the [console](/docs/pulumi-cloud/self-hosted/components/console/) container to `true`
Document SAML_SSO_ENABLED for self-hosted Pulumi Service (#5102) * Document SAML_SSO_ENABLED for self-hosted Pulumi Service. * Update content/docs/guides/self-hosted/saml-sso.md Co-authored-by: David Wrede <d_wrede@yahoo.com> Co-authored-by: David Wrede <d_wrede@yahoo.com> 2021-02-01 22:41:05 -08:00			`and restart the service.`