Skip to main content

SAML & SCIM

This guide provides guidance on configuring Okta or Microsoft Azure for both SAML (Security Assertion Markup Language) and SCIM (System for Cross-domain Identity Management).

SAML

The entity ID is windmill

ACS Url is <instance_url>/api/saml/acs SCIM connector is <instance_url>/api/scim Application username format is Email

Instance Settings UI In the Instance Settings UI, pass the SAML Metadata URL (or content) containing the metadata URL (or XML content).

Okta

Configure Okta with the following settings (and replace cf.wimill.xyz with your domain):

Okta settings

Instance Settings UI In the Instance Settings UI, pass the SAML Metadata URL (or content) containing the metadata URL (or XML content).

Okta Metadata URL

Microsoft Azure

In the Azure portal, go to "Enterprise Applications" and create a new one of type "Non-gallery".

Azure Application

Azure Application

Once the application is created, in the application's page go to "Single sign-on" on the left menu, and click on the "SAML" button.

Azure SAML

Edit the configuration to set the Entity ID to windmill and the ACS url to <instance_url>/api/saml/acs.

Azure SAML

Azure SAML

Azure SAML metadata

Copy the App Federation Metadata URL and paste it in the Instance Settings UI.

Instance Settings UI

If for some reasons, the metadata URL cannot be used, you can copy the XML content and paste it in the field instead.

Once it's saved, you can test the login by clicking on the Test button at the bottom, then on the drawer Test sign in.

Azure SAML

SCIM

Okta

Configure Okta with the following settings (and replace cf.wimill.xyz with your domain):

Okta SCIM

Okta SCIM

Instance Settings UI In the Instance Settings UI, set the SCIM token containing the secret value that you will share to Okta.

Okta SCIM

Microsoft Azure

Create an application from the "Enterprise Applications" menu (see Configuring SAML with Microsoft Azure). Once the application is created, in the application's page go to "Provisioning" on the left menu, and click on the "Get started" button.

Azure SCIM

Choose the "Automatic" provisioning mode, and then for the Tenant URL, input the public URL of your Windmill server with the prefix /api/scim.

Azure SAML metadata

Copy the App Federation Metadata URL and paste it in the Instance Settings UI.

Instance Settings UI

In the Instance Settings UI, set the SCIM token containing the secret value that you will share to Azure. You can click "Test" in Windmill's Instance Settings UI to validate the SAML metadata URL/Content.

You can then click on the Test Connection button to validate Azure can connect to Windmill's SCIM endpoint. You can then choose to sync only the Users and Groups assigned to this application, or all users and groups. Note that if you choose the former, after you save, go to the application's page and click on the "Users and groups" button in the left menu bar. Only the users and groups present here will be synced to Windmill.

Azure SCIM

Once this is done, you can click on the Save button at the top left. Azure will now synchronize users and groups approximately every 40 minutes.

In Windmill

Once setup, the groups page should contain a new section:

New section SCIM