Skip to content

RS: SAML SSO #2498

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 21 commits into
base: main
Choose a base branch
from
Open

RS: SAML SSO #2498

wants to merge 21 commits into from

Conversation

@rrelledge
Copy link
Collaborator

@rrelledge rrelledge commented Dec 3, 2025

No description provided.

@rrelledge
DOC-5858 RS: Added SSO permissions to RS REST API reference
4ce39e1
@rrelledge
DOC-5858 RS: Added SSO requests and objects to RS REST API reference
b60236a
@rrelledge
DOC-5858 RS: Added more info about enforce_control_plane SSO to RS RE…
160f2d8 
…ST API reference
@rrelledge
DOC-5858 RS: Added SSO auth_method to user object in RS REST API refe…
3eba31d 
…rence
@rrelledge
DOC-5858 RS: Added SSO certs to RS REST API reference and certs list
362055b
@rrelledge
DOC-5858 RS: Initial draft of SAML SSO for RS
ac8a7b0
@rrelledge
Merge branch 'main' into DOC-5858
882a009
@rrelledge
DOC-5858 A few adjustments to RS SSO draft
2dd6182
@rrelledge
Merge branch 'main' into DOC-5858
f8a25b6
@rrelledge
DOC-5858 Added SSO setup steps for uploading SP cert and downloading …
2383733 
…SP metadata
@rrelledge
DOC-5858 More adjustments to SSO setup in RS
414e1f9
@rrelledge
DOC-5858 More adjustments to RS SSO setup
cc87205
@rrelledge
Merge branch 'main' into DOC-5858
9c00dd2
@rrelledge
DOC-5858 More RS SSO edits
a3587cb
@rrelledge
DOC-5858 Fixed in-page link in RS SSO
7a90e7d
@rrelledge
DOC-5858 Updated RS SSO REST API reference and examples
bc55bb6
@rrelledge
DOC-5858 Added test screenshot for RS SSO
aa32b99
@rrelledge
DOC-5858 Added screenshots for RS SSO
9bf3634
@rrelledge
DOC-5858 Added additional details/limitations for RS SSO
57e4478
@rrelledge rrelledge requested review from a team and yoavredis December 3, 2025 02:23
@rrelledge rrelledge self-assigned this Dec 3, 2025
@rrelledge rrelledge added do not merge yet rs Redis Enterprise Software labels Dec 3, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Dec 3, 2025
edited by atlassian bot
Loading

DOC-5858

@github-actions
Copy link
Contributor

github-actions bot commented Dec 3, 2025

Staging links:
https://redis.io/docs/staging/DOC-5858/operate/rs/references/rest-api/objects/certificates/
https://redis.io/docs/staging/DOC-5858/operate/rs/references/rest-api/objects/sso/
https://redis.io/docs/staging/DOC-5858/operate/rs/references/rest-api/objects/user/
https://redis.io/docs/staging/DOC-5858/operate/rs/references/rest-api/permissions/
https://redis.io/docs/staging/DOC-5858/operate/rs/references/rest-api/requests/cluster/sso/
https://redis.io/docs/staging/DOC-5858/operate/rs/security/
https://redis.io/docs/staging/DOC-5858/operate/rs/security/access-control/create-users/
https://redis.io/docs/staging/DOC-5858/operate/rs/security/access-control/saml-sso
https://redis.io/docs/staging/DOC-5858/operate/rs/security/access-control/saml-sso/
https://redis.io/docs/staging/DOC-5858/operate/rs/security/certificates/

yoavredis
yoavredis reviewed Dec 3, 2025
View reviewed changes
content/operate/rs/references/rest-api/permissions.md Outdated
| <a name="db-member-role"></a>db_member | [create_bdb](#create_bdb), [create_crdb](#create_crdb), [delete_bdb](#delete_bdb), [delete_crdb](#delete_crdb), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), [start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_crdb](#update_crdb), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) |
| <a name="db-viewer-role"></a>db_viewer | [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) |
| <a name="user-manager-role"></a>user_manager | [config_ldap](#config_ldap), [create_ldap_mapping](#create_ldap_mapping), [create_new_user](#create_new_user), [create_role](#create_role), [create_redis_acl](#create_redis_acl), [delete_ldap_mapping](#delete_ldap_mapping), [delete_redis_acl](#delete_redis_acl), [delete_role](#delete_role), [delete_user](#delete_user), [install_new_license](#install_new_license), [update_ldap_mapping](#update_ldap_mapping), [update_proxy](#update_proxy), [update_role](#update_role), [update_redis_acl](#update_redis_acl), [update_user](#update_user), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_ldap_mappings_info](#view_all_ldap_mappings_info), [view_all_nodes_alerts](view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_all_users_info](#view_all_users_info), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_ldap_config](#view_ldap_config), [view_ldap_mapping_info](#view_ldap_mapping_info), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action), [view_user_info](#view_user_info)
| <a name="user-manager-role"></a>user_manager | [config_ldap](#config_ldap), [config_sso](#config_sso), [create_ldap_mapping](#create_ldap_mapping), [create_new_user](#create_new_user), [create_role](#create_role), [create_redis_acl](#create_redis_acl), [delete_ldap_mapping](#delete_ldap_mapping), [delete_redis_acl](#delete_redis_acl), [delete_role](#delete_role), [delete_user](#delete_user), [install_new_license](#install_new_license), [update_ldap_mapping](#update_ldap_mapping), [update_proxy](#update_proxy), [update_role](#update_role), [update_redis_acl](#update_redis_acl), [update_user](#update_user), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_ldap_mappings_info](#view_all_ldap_mappings_info), [view_all_nodes_alerts](view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_all_users_info](#view_all_users_info), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_ldap_config](#view_ldap_config), [view_ldap_mapping_info](#view_ldap_mapping_info), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action), [view_user_info](#view_user_info)
Copy link

@yoavredis yoavredis Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rrelledge the original requirement was that only Admin can config SSO. But this permission also appears under "user manager". I suggest to verify this with Eng.

Copy link

@avalov-r avalov-r Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"config_sso" is the permission that's required for changing/deleting any kind of SSO configuration

currently this permission is only assigned to the admin role, some time ago during initial implementation it was mistakenly added to the user manager but now it's removed from there

Copy link
Collaborator Author

@rrelledge rrelledge Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yoavredis @avalov-r Thanks for letting me know. I fixed the config_sso permissions so it's only mapped to admin now.

I also saw that view_sso is now mapped to:
admin, cluster_member, cluster_viewer, db_member, db_viewer, user_manager. Does that seem correct?

Copy link

@yoavredis yoavredis Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we need @avalov-r input here...
Alex - are these the correct view permissions?
(I hope not...)

Copy link

@avalov-r avalov-r Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yoavredis @rrelledge those are correct as per requirements - as we agreed each role that has access to the "Access Control" page should also be able to view the SSO page

Copy link

@yoavredis yoavredis Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@avalov-r yes, this is per the requirements. Thanks.

yoavredis
yoavredis reviewed Dec 3, 2025
View reviewed changes
content/operate/rs/security/access-control/saml-sso.md Outdated
---


Redis Enterprise Software supports both [IdP-initiated](#idp-initiated-sso) and [SP-initiated](#sp-initiated-sso) [single sign-on (SSO)](https://en.wikipedia.org/wiki/Single_sign-on) with [SAML (Security Assertion Markup Language)](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) for the Cluster Manager UI.
Copy link

@yoavredis yoavredis Dec 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rrelledge need to mention that we're using SAML 2.0, which is the latest SAML version and an industry standard.
(no need to add "2.0" everywhere, just mention it here)

Copy link
Collaborator Author

@rrelledge rrelledge Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good, I added this info to this intro paragraph.

yoavredis
yoavredis requested changes Dec 3, 2025
View reviewed changes
Copy link

@yoavredis yoavredis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rrelledge it looks good :)
Left some comments.
10x

content/operate/rs/security/access-control/saml-sso.md

You can also initiate single sign-on from the Redis Enterprise Software Cluster Manager UI. This process is known as [service provider (SP)](https://en.wikipedia.org/wiki/Service_provider)-initiated single sign-on.

1. On the Redis Enterprise Software Cluster Manager UI's sign-in screen, enter the email address associated with the SAML user configured in your identity provider.
Copy link

@yoavredis yoavredis Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rrelledge I don't think that entering the email is necessary (originally it was required but no need for it). I think that the latest login page contains an "SSO" button, and the user doesn't have to enter the email.
Worth checking with Eng.

avalov-r
avalov-r reviewed Dec 3, 2025
View reviewed changes
avalov-r
avalov-r reviewed Dec 3, 2025
View reviewed changes
@avalov-r
Copy link

avalov-r commented Dec 3, 2025

@rrelledge
Could you also maybe document that it is possible to change the default SP address? This currently will not be possible through CM (@yoavredis correct me if wrong), but REST API supports this. This is crucial for K8 customers, as they most likely will need to change this.

Endpoint:
PUT /v1/cluster/sso
{
"service": {
"address": "http://something.com/"
}
}

Once this is changed, the metadata file and the SP login/logout URL and entity ID will change to reflect this new address, therefore this is a breaking change for existing SSO integrations.

andy-stark-redis
andy-stark-redis approved these changes Dec 3, 2025
View reviewed changes
Copy link
Contributor

@andy-stark-redis andy-stark-redis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Language LGTM.

Minor suggestion (if you have time and think it would help) is that maybe you could add an interactive or hidden checklist for the pages where you have steps to follow? (Example of this is here: https://redis.io/docs/latest/integrate/redis-data-integration/data-pipelines/prepare-dbs/my-sql-mariadb/) The interactive version might be helpful to human users, but even if you use the hidden form of the checklist, it helps AI agents to understand the intention of the page. Purely optional, though - I'm not suggesting that it makes sense to have these everywhere :-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yoavredis yoavredis yoavredis requested changes

@andy-stark-redis andy-stark-redis andy-stark-redis approved these changes

+1 more reviewer

@avalov-r avalov-r avalov-r left review comments

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

@rrelledge rrelledge

Labels

do not merge yet rs Redis Enterprise Software

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@rrelledge @avalov-r @yoavredis @andy-stark-redis