SAML Single Sign-On (SSO)¶

Edition note: SAML SSO is a commercial feature. The community edition supports only local user authentication.

Overview¶

Faraday supports SAML 2.0 for single sign-on integration with external identity providers (IdPs). This enables centralized authentication through your organization's existing identity infrastructure.

Key Characteristics¶

Feature	Detail
Protocol	SAML 2.0
Local user coexistence	Yes — SAML and local users can coexist
LDAP coexistence	No — SAML and LDAP are mutually exclusive
API token support	Yes — SSO users can obtain JWT tokens after login
Configuration methods	CLI (`faraday-manage`) or Web UI (Preferences)
Server restart	Required after configuration changes
User type in database	`saml` (via `user_type` enum)

Supported Identity Providers¶

Provider	Guide
Auth0	auth0
Google Workspace	google
Okta	okta
Microsoft Entra ID (Azure AD)	azure-ad

Any SAML 2.0-compliant IdP can be configured using the generic settings below.

SAML Endpoints¶

Faraday exposes four SAML endpoints. All IdP configurations reference these URLs using your Faraday server's domain.

Endpoint	URL	Purpose
ACS (Assertion Consumer Service)	`https://<domain>/_api/saml/acs`	Receives SAML assertions from the IdP
Login	`https://<domain>/_api/saml/login`	Initiates SAML SSO login flow
Logout	`https://<domain>/_api/saml/logout`	Single logout
Metadata	`https://<domain>/_api/saml/metadata.xml`	SP metadata for IdP configuration

Replace <domain> with your Faraday server's fully qualified domain name (e.g., faraday.example.com).

Configuration¶

Via Command Line¶

faraday-manage settings -a update saml

Interactive prompts:

$ faraday-manage settings -a update saml
Update settings for: saml
enabled [False]:
display_name [Identity Provider]:
user_role [admin]:
admin_group []:
attribute_identifier []:
sso_url [http://localhost/saml/login]:
sp_certificate []:
sp_private_key []:
idp_certificate []:
Do you confirm your changes on saml?
[Y/n]:

Via Web UI¶

Navigate to User menu (top-right) → Preferences → Authentication → SAML and configure the settings through the graphical interface.

Restart Required¶

After any SAML configuration change, restart the server:

systemctl restart faraday-server

Settings Reference¶

General Settings¶

Setting	Default	Description
`enabled`	`False`	Enable or disable SAML SSO
`display_name`	`Identity Provider`	Label shown on the Faraday login page for the SSO button

Identity Provider Settings¶

Setting	Default	Description
`sso_url`	`http://localhost/saml/login`	IdP Single Sign-On URL — the login endpoint provided by your IdP
`idp_certificate`	(empty)	IdP X.509 signing certificate in PEM format

User & Role Settings¶

Setting	Default	Description
`user_role`	`admin`	Default Faraday role assigned to new SAML users. Valid values: `admin`, `pentester`, `asset_owner`, `client`
`admin_group`	(empty)	SAML group/role attribute value that maps to the Faraday `admin` role
`attribute_identifier`	(empty)	SAML assertion attribute used as the username in Faraday (e.g., `email`, `username`, `NameID`)

Service Provider Certificate Settings¶

Setting	Default	Description
`sp_certificate`	(empty)	SP X.509 certificate in PEM format (public key)
`sp_private_key`	(empty)	SP private key in PEM format

Generating SP Certificates¶

Each Faraday instance requires its own Service Provider certificate/key pair for signing SAML requests. Generate a self-signed certificate:

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 1825 -out certificate.pem

This produces:

certificate.pem → paste contents into SP Certificate setting
key.pem → paste contents into SP Private Key setting

Tip: The -days 1825 flag creates a 5-year certificate. Adjust as needed by your organization's security policy.

When pasting certificate contents into the CLI or UI, include the full PEM block including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- delimiters.

Authentication Flow¶

    ┌───────────┐     ┌──────────────┐     ┌───────────────┐
    │  Browser  │     │   Faraday    │     │  Identity     │
    │  (User)   │     │   Server     │     │  Provider     │
    └─────┬─────┘     └──────┬───────┘     └───────┬───────┘
          │                  │                     │
          │  1. Click SSO    │                     │
          │  login button    │                     │
          ├─────────────────►│                     │
          │                  │                     │
          │  2. SAML AuthnRequest                  │
          │◄─────────────────┤  (redirect to IdP)  │
          │─────────────────────────────────────────►
          │                  │                     │
          │  3. User authenticates at IdP          │
          │◄────────────────────────────────────────
          │                  │                     │
          │  4. SAML Assertion (POST to ACS)       │
          ├─────────────────►│                     │
          │                  │                     │
          │  5. Validate     │                     │
          │  assertion,      │                     │
          │  create/update   │                     │
          │  user session    │                     │
          │                  │                     │
          │  6. Redirect to  │                     │
          │  Faraday UI      │                     │
          │◄─────────────────┤                     │
          │                  │                     │

User clicks the SSO login button (labeled with display_name) on the Faraday login page.
Faraday redirects to the IdP's sso_url with a SAML AuthnRequest.
User authenticates at the IdP (credentials, MFA, etc.).
IdP posts a signed SAML assertion back to Faraday's ACS endpoint.
Faraday validates the assertion signature using the idp_certificate, extracts the username from attribute_identifier, and creates or updates the user with user_type = 'saml'.
User is redirected to the Faraday web interface with an active session.

Role Assignment¶

Default Role¶

All new SAML users receive the role specified in user_role (default: admin).

Security recommendation: Change the default user_role to pentester or a lower-privilege role and use admin_group for explicit admin assignment.

Admin Group Mapping¶

When admin_group is configured, Faraday checks the SAML assertion for a matching group/role attribute. Users whose assertion includes this group value are assigned the admin role; others receive the user_role default.

Available Roles¶

Role	Description
`admin`	Full access — manage workspaces, users, settings
`pentester`	Create/edit vulnerabilities, run tools, manage findings
`asset_owner`	View vulnerabilities, manage assets
`client`	Read-only access to assigned workspaces

SAML + API Tokens¶

SAML-authenticated users can obtain API tokens for programmatic access:

User completes SAML SSO login flow
After successful assertion, Faraday creates a session
User calls GET /_api/v3/token to obtain a JWT
JWT is used for subsequent API calls via Authorization: Token <jwt>

This enables automated workflows (CI/CD, scripts) even when primary authentication is via SSO.

SAML + Local Users¶

Unlike LDAP, SAML coexists with local user accounts. Both authentication methods work simultaneously:

Local users log in with username/password
SAML users click the SSO button and authenticate via the IdP

This is useful for maintaining a local admin account as a fallback.

Troubleshooting¶

Symptom	Likely Cause	Solution
SSO button not visible on login page	SAML not enabled or server not restarted	Set `enabled = True` and run `systemctl restart faraday-server`
404 on SAML callback	Incorrect ACS URL configured in IdP	Verify URL is exactly `https://<domain>/_api/saml/acs`
"Invalid signature" error	Certificate mismatch	Re-download the IdP certificate and paste the full PEM block
User created with wrong role	`user_role` misconfigured	Update `user_role` setting; existing users retain their current role
SAML + LDAP conflict	Both enabled simultaneously	Disable one — SAML and LDAP are mutually exclusive
Login loop (redirects back to IdP)	`attribute_identifier` not matching assertion	Check IdP attribute mapping; use the attribute name that contains the user identifier
Certificate expired	SP certificate past expiration	Regenerate SP certificate and update both Faraday and IdP configuration
CORS errors in browser	Missing CORS/Web Origins in IdP	Add `https://<domain>/` to allowed origins in IdP settings

Verifying SAML Configuration¶

To check current SAML settings:

faraday-manage settings -a show saml

To reset SAML configuration:

faraday-manage settings -a update saml
# Set enabled to False, confirm changes
systemctl restart faraday-server