# SAML Application Access Control

This page explains how access to a SAML IdP service provider resource (SAML application) can be managed in Teleport.

If you are new to the Teleport SAML IdP, start by learning how to configure [Teleport as a SAML IdP](https://goteleport.com/docs/identity-governance/idps/saml-guide.md).

## How it works

User access to the SAML IdP service provider resource can be categorized into two different use cases:

- **Managing a SAML IdP service provider resource.** For example, when a Teleport administrator attempts to create or update a SAML IdP service provider resource.
- **Logging in to the SAML service provider.** For example, when a Teleport user attempts to log in to the SAML IdP service provider by authenticating with Teleport.

In both cases, access is configured with a Teleport role: an allow or deny rule targeting the `saml_idp_service_provider` resource, plus label matchers that match the role's `app_labels` against the labels set on the `saml_idp_service_provider` resource.
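As an added example (not from the Teleport documentation), here is a service provider resource carrying the label that a role's `app_labels` must match. The application name, entity ID and ACS URL are placeholders.

```yaml
# Added example: a SAML IdP service provider resource labelled env=dev.
# Name, entity_id and acs_url are hypothetical; apply with `tctl create -f sp.yaml`.
kind: saml_idp_service_provider
version: v1
metadata:
  name: grafana-dev                 # hypothetical application name
  labels:
    env: dev                        # the label a role's allow.app_labels must match
spec:
  entity_id: https://grafana.dev.example.com/saml/metadata   # hypothetical
  acs_url: https://grafana.dev.example.com/saml/acs          # hypothetical
```

A user reaches this application only if some role assigned to them has `allow.app_labels` matching `env: dev` (for example `'env': 'dev'` or `'*': '*'`) and no role assigned to them denies it; a role with `read` and `list` on `saml_idp_service_provider` but no matching `app_labels` is not enough.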

## RBAC behavior between different Teleport role versions

The Teleport SAML IdP applies different RBAC logic to the service provider resource in role version 8 versus role version 7 and below.

In role version 7 and below, the following access controls apply to the `saml_idp_service_provider` resource:

- Role option that enables the IdP: `spec.options.idp.saml.enabled: true/false`.

- Cluster auth preference that enables the IdP: `spec.idp.saml.enabled: true/false`.

- Resource rule `spec.allow/deny.rules.resources.saml_idp_service_provider`. Applies only to admin actions.

  - Allow rules with the `read` and `list` verbs are applied implicitly.
  - Deny rules with the `read` and `list` verbs take precedence over the implicit allow.

- Per session MFA: `spec.options.require_session_mfa: true/false`.

Teleport role version 8 (released with Teleport version 18.0) introduced the following RBAC changes:

- Label matchers based on `app_labels`.
- Resource rule with verbs targeting `saml_idp_service_provider` is now applicable to both resource access and admin actions.
- Device Trust for SAML IdP session.

The role option `spec.options.idp.saml.enabled: true/false` is no longer supported starting with role version 8.

Per session MFA is supported in all role versions.

## RBAC precedence

A user can be assigned both a newer role (version 8) and older roles (version 7 and below) at the same time. When a user holds both a version 7 and a version 8 role, a deny in either role wins, and the version 8 role must also explicitly allow the application (via matching `app_labels`) for access to be granted.

For example,

- If role version 7 denies access, access is denied.
- If role version 7 allows access but role version 8 denies access, access is denied.
- If role version 7 allows access but role version 8 does not explicitly allow access (via matching app labels), access is denied.
- If role version 7 allows access and role version 8 also allows access, access is allowed.

The table below shows a few more examples of the resulting access when the user is assigned one version 7 role and one version 8 role.

| Role v7                                | Role v8                                | Result                                                  |
| -------------------------------------- | -------------------------------------- | ------------------------------------------------------- |
|                                        |                                        | ❌ no access                                            |
|                                        |                                        | ❌ no access                                            |
|                                        |                                        | ❌ no access                                            |
|                                        |                                        | ✅ full access                                          |
| No version 7 role assigned to the user |                                        | ✅ full access                                          |
|                                        |                                        | ✅ access to SAML app matching `env:dev` resource label |
|                                        | No version 8 role assigned to the user | ✅ full access                                          |
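The precedence rules above, as an added worked example that is not part of the Teleport documentation: a version 7 role and a version 8 role assigned to the same user, where the version 8 deny removes one application from an otherwise broad allow. Role names are hypothetical.

```yaml
# Added example: two roles held by one user. Apply both with
# `tctl create -f roles.yaml` (tctl accepts multiple YAML documents).
kind: role
version: v7
metadata:
  name: saml-legacy-access          # hypothetical name
spec:
  options:
    idp:
      saml:
        enabled: true               # version 7 switch; not supported in v8 roles
  allow:
    rules:
    - resources:
      - saml_idp_service_provider
      verbs:
      - read
      - list
---
kind: role
version: v8
metadata:
  name: saml-deny-prod              # hypothetical name
spec:
  allow:
    app_labels:
      '*': '*'                      # explicitly allow every SAML app ...
    rules:
    - resources:
      - saml_idp_service_provider
      verbs:
      - read
      - list
  deny:
    app_labels:
      'env': 'prod'                 # ... except those labelled env=prod
```

With both roles assigned, the user can log in to any SAML application except those labelled `env: prod`: the version 7 role allows everything, the version 8 role explicitly allows everything via `'*': '*'`, and its deny on `env: prod` takes precedence over both allows. If the version 8 role had no `allow.app_labels` at all, the version 7 allow alone would not grant access to any application.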

---

**Admin actions**

The `saml_idp_service_provider` resource does not yet support per-session MFA and Device Trust for admin actions such as creating or updating the resource.

---

## Role examples

Examples of Teleport roles that grant permission either to access or to manage the SAML IdP service provider resource.

### Role to manage SAML IdP service provider resource

In this case, the role needs to target the `saml_idp_service_provider` resource with the verbs the administrator requires: any subset of `create`, `update`, `read`, `list` and `delete`, or all of them.

The role must also carry `app_labels` matching the labels configured on the `saml_idp_service_provider` resource.

Role with all `saml_idp_service_provider` resource verbs:

```yaml
kind: role
version: v8
metadata:
  name: saml-resource-manager
spec:
  allow:
    app_labels:
      'env': 'dev' # This label must match with the saml_idp_service_provider resource label
    rules:
    - resources:
      - saml_idp_service_provider
      verbs: # admin verbs; read and list are also needed for the user to see the resource
      - read
      - list
      - create
      - update
      - delete
```

### Role to allow users to log in to a SAML IdP service provider

In this case, at minimum, a user needs `read` and `list` access to the `saml_idp_service_provider` resource and an `app_labels` value matching the labels defined on the `saml_idp_service_provider` resource.

Role whose `app_labels` match the resource labels, with per-session MFA and Device Trust enforced for the SAML session:

```yaml
kind: role
version: v8
metadata:
  name: saml-access
spec:
  allow:
    app_labels:
      'env': 'dev' # This label must match with the saml_idp_service_provider resource label
    rules:
    - resources:
      - saml_idp_service_provider
      verbs:
      - read
      - list
  options: # options belong under spec, alongside allow
    device_trust_mode: required
    require_session_mfa: true
```

## Disabling SAML identity provider at cluster level

To disable access to the identity provider at the cluster level, create or update the `cluster_auth_preference` object with the following setting:

```yaml
kind: cluster_auth_preference
metadata:
  name: cluster-auth-preference
spec:
  ...
  idp:
    saml:
      enabled: false
  ...
version: v2
```

This will disable access to the SAML identity provider for all users regardless of their role level permissions.
