Chef Ideas

We believe that the best way to build software is to do it in close collaboration with the people who use it. We invite you to submit your ideas using the form below. Please be sure to include the problem you are solving and the benefits of implementing the idea.

We do our best to implement as many Ideas as we can. Our Product team will evaluate all submitted ideas in a timely manner and will disposition each into one of the following categories: will integrate into the product roadmap, further research is needed, unlikely to implement.

Thanks for collaborating with us!

Allow for IdP-initiated SAML Authentication

Currently it seems like SP-initiated SAML Auth is the sole means by which one can initiate a SAML-based login request. Should the user attempt to log in to Chef Automate directly from their IdP, the authentication request will not succeed.

It would be ideal if both SP and IdP-initiated auth flows worked.

  • Austin Culter
  • Jul 21 2021
  • Currently Declined
  • Guest commented
    22 Sep 09:33am

    To be clear about what this idea is trying to achieve (for those who don't know the terms):

    SP = Service provider (in our case A2)

    IdP = Identity provider (Okta, OneLogin, Ping, AzureAD, O365 etc)


    SP initiated logon

    • User visits the A2 logon screen

    • A2 sees the user is not authenticated and redirects the browser to the IdP

    • IdP authenticates the user and issues a signed security assertion containing userid, groups, email address etc

    • IdP redirects the browser back to the A2 ACS (Assertion Consumer Service)

    • The A2 ACS uses the assertion to apply the correct access rights for the user


    IdP initiated logon

    • User signs on directly to the IdP

    • User selects A2 from the applications menu

    • IdP issues a signed security assertion containing userid, groups, email address etc

    • IdP redirects the browser back to the A2 ACS (Assertion Consumer Service)

    • The A2 ACS uses the assertion to apply the correct access rights for the user


    Currently for an IdP initiated logon, the process fails at the last step because A2 isn't expecting an incoming assertion for our user. To fix this I think we just need to create a session on the fly and then process the assertion in the normal way.
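The two flows listed in the comment above differ only at the ACS: an SP-initiated assertion carries an InResponseTo that must match an AuthnRequest the SP issued, while an IdP-initiated (unsolicited) assertion has nothing to correlate with, so the SP has to create the session on the fly and lean entirely on the other checks (signature, Issuer, Audience, Destination, validity window, one-time use). The following is an added illustration, not Chef Automate's code: assertions are plain dicts and the "signature" is an HMAC standing in for XML-DSig verification, so the `SpConfig`, `Acs`, `idp_sign` names and all sample values are constructed for the example.

```python
import hashlib
import hmac
import json
import uuid
from dataclasses import dataclass, field


class AssertionRejected(Exception):
    """Raised when the ACS refuses an assertion; the message says why."""


@dataclass
class SpConfig:
    entity_id: str            # the SP's SAML entity ID, expected in <Audience>
    acs_url: str              # expected Destination of the Response
    idp_entity_id: str        # expected <Issuer>
    idp_key: bytes            # stand-in for the IdP's signing certificate
    allow_idp_initiated: bool = True
    clock_skew: int = 60      # seconds of tolerance on NotBefore / NotOnOrAfter


def canonical(assertion: dict) -> bytes:
    """Deterministic serialisation of the signed fields (stand-in for XML C14N)."""
    body = {k: v for k, v in assertion.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def idp_sign(key: bytes, assertion: dict) -> dict:
    """IdP side: attach an HMAC 'signature' (stand-in for an XML-DSig signature)."""
    signed = dict(assertion)
    signed["signature"] = hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()
    return signed


@dataclass
class Acs:
    cfg: SpConfig
    pending: dict = field(default_factory=dict)   # AuthnRequest ID -> issue time
    seen: dict = field(default_factory=dict)      # assertion ID -> NotOnOrAfter (replay cache)
    sessions: dict = field(default_factory=dict)  # session ID -> session record

    def start_sp_login(self, now: float) -> str:
        """SP-initiated flow: mint the AuthnRequest ID the IdP must echo in InResponseTo."""
        req_id = "_" + uuid.uuid4().hex
        self.pending[req_id] = now
        return req_id

    def consume(self, assertion: dict, now: float) -> dict:
        """Validate an incoming assertion and create a session for either flow."""
        cfg = self.cfg
        expected = hmac.new(cfg.idp_key, canonical(assertion), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("signature", "")):
            raise AssertionRejected("bad signature")
        if assertion.get("issuer") != cfg.idp_entity_id:
            raise AssertionRejected("unexpected issuer")
        if assertion.get("audience") != cfg.entity_id:
            raise AssertionRejected("assertion not addressed to this SP")
        if assertion.get("destination") != cfg.acs_url:
            raise AssertionRejected("wrong destination")
        nb, noa = assertion["not_before"], assertion["not_on_or_after"]
        if not (nb - cfg.clock_skew <= now < noa + cfg.clock_skew):
            raise AssertionRejected("assertion outside its validity window")
        # Replay cache: drop expired entries, then refuse any assertion ID seen before.
        self.seen = {aid: exp for aid, exp in self.seen.items() if exp + cfg.clock_skew > now}
        if assertion["id"] in self.seen:
            raise AssertionRejected("assertion replayed")
        self.seen[assertion["id"]] = noa

        in_response_to = assertion.get("in_response_to")
        if in_response_to is not None:
            # SP-initiated: the assertion must answer a request we issued, exactly once.
            if self.pending.pop(in_response_to, None) is None:
                raise AssertionRejected("InResponseTo does not match an outstanding request")
            flow = "sp"
        else:
            # IdP-initiated (unsolicited): nothing to correlate with, so the session is
            # created on the fly, and only if the deployment opted in.
            if not cfg.allow_idp_initiated:
                raise AssertionRejected("unsolicited assertion, IdP-initiated login disabled")
            flow = "idp"

        sid = uuid.uuid4().hex
        self.sessions[sid] = {
            "subject": assertion["subject"],
            "groups": list(assertion.get("groups", [])),
            "flow": flow,
            "expires": noa,
        }
        return {"session_id": sid, **self.sessions[sid]}
```

The design point is that `allow_idp_initiated` is an explicit opt-in: without an InResponseTo the SP cannot tell a fresh unsolicited login from a captured assertion being presented later, so the replay cache keyed on the assertion ID and the NotOnOrAfter window do the work that request correlation does in the SP-initiated path.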

  • Admin
    Ankur Mundhra commented
    2 Aug 06:27am

    Sure, I am parking it for future consideration.

  • Austin Culter commented
    26 Jul 01:09pm

    It doesn't matter which IdP I am using, as the underlying issue exists for all IdPs AFAIK.

  • Admin
    Ankur Mundhra commented
    26 Jul 12:38pm

    Hey Austin,


    May I know which IdP you are trying with? The list of currently supported IdPs is at https://docs.chef.io/automate/saml/#supported-identity-management-systems.

  • +2