SAML
The table below lists the operations the RCTL CLI utility supports on the IdP resource.
| Resource | Create | Get | Update | Delete |
|---|---|---|---|---|
| IDP | YES | YES | YES | YES |
🔔 Default SAML Behavior
All Identity Provider (IdP) operations default to SAML unless an explicit `--authType` flag is provided. This applies to:
- create idp
- update idp
- get idp
- list idp
Delete operations do NOT require the `--authType` flag. If `--authType` is not specified, the system automatically treats the request as a SAML operation.
These commands let users script IdP integration end to end instead of configuring it through the console.
Create Identity Provider
./rctl create idp <idp-name> <idp-type> <domain-name> <idp-admin-email> <group-attribute-name> --authType saml
Example
./rctl create idp samlidp okta dummydomain.co admin@dummydomain.co demogroup --authType saml
Output
Success Creating IDP with name: samlidp
********* IMPORTANT *********
PLEASE SAVE BELOW URL TO CONFIGURE IDP METADATA
-----------------------------
Assertion Consumer Service URL (ACS / SP Identity URL) :
https://qc-console.stage.rafay.dev/auth/v1/sso/acs/d0cf2cc4-03e5-486a-bd1c-f979e49a897e/
Group Attribute Statement Name:
demogroup
-----------------------------
********* NOTE *********
EMAIL FOR DOMAIN VERIFICATION FOR IDP HAS BEEN SENT TO admin@dummydomain.co.
PLEASE VERIFY DOMAIN FOR IDP TO ENABLE USERS TO LOGIN.
Create Using File Input
Sample saml_idp.yaml
name: samlidpwithfile
description: create saml idp using yaml file via rctl
domain: samlidpwithfile.com
idp_admin: admin@samlidpwithfile.com
idp_name: okta
group_attribute_name: group
webhook_secret: dummysecret
webhook_trigger_type: NONE
webhook_url: https://webhook.site/9454e0fa-3f79-491f-b211-fd4a1e91d70f
webhook_payload:
custom:
k1: v1
k2: v2
optional:
- first_name
is_sae_enabled: true
requested_auth_context: true
Command
./rctl create idp -f ./saml_idp.yaml
Output
Success Creating IDP with name: samlidpwithfile
********* IMPORTANT *********
PLEASE SAVE BELOW URL TO CONFIGURE IDP METADATA
-----------------------------
Assertion Consumer Service URL (ACS / SP Identity URL) :
https://qc-console.stage.rafay.dev/auth/v1/sso/acs/13ece491-888b-4f93-9a5f-29159f61da8d/
Encryption Certificate content:
-----BEGIN CERTIFICATE-----
<certificate content>
-----END CERTIFICATE-----
Group Attribute Statement Name:
group
-----------------------------
********* NOTE *********
EMAIL FOR DOMAIN VERIFICATION FOR IDP HAS BEEN SENT TO admin@samlidpwithfile.com.
PLEASE VERIFY DOMAIN FOR IDP TO ENABLE USERS TO LOGIN.
Errors
- If IdP with the same name is created
Error: server error: IdP with the same name already exists
- If IdP with the same domain already exists
Error: server error: IdP with given configuration already exists
- If IdP’s domain and admin email do not match
Error: server error [return code: 400]: "IdP admin's email domain does not match the provided domain"
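The last error above is the one most often hit in automation: the admin email's domain must match `domain`, because that address receives the domain-verification mail and no user can log in through the IdP until the domain is verified. The following pre-flight script is an added example, not part of rctl or the Rafay project: it checks a `saml_idp.yaml` of the shape shown above for the mismatch before `./rctl create idp -f` is run, and also flags a non-HTTPS `webhook_url` and a placeholder `webhook_secret` such as the `dummysecret` value used in this page's samples. It reads only the flat top-level keys; nested `webhook_payload` entries are ignored, and the sample file it writes is constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example (not part of rctl): pre-flight checks for a SAML IdP YAML file
# before running `./rctl create idp -f FILE`. Only flat top-level keys are read.

# yaml_value FILE KEY: print the value of the first top-level "KEY: value" line
yaml_value() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# check_idp_yaml FILE: print one line per finding; return 0 when clean, 1 otherwise
check_idp_yaml() {
  file=$1
  rc=0
  name=$(yaml_value "$file" name)
  domain=$(yaml_value "$file" domain)
  admin=$(yaml_value "$file" idp_admin)
  url=$(yaml_value "$file" webhook_url)
  secret=$(yaml_value "$file" webhook_secret)

  [ -n "$name" ]   || { echo "missing: name"; rc=1; }
  [ -n "$domain" ] || { echo "missing: domain"; rc=1; }

  # The server answers HTTP 400 when the admin email's domain differs from
  # 'domain'; that address is where the domain-verification mail is sent.
  admin_domain=${admin#*@}
  if [ -z "$admin" ] || [ "$admin_domain" = "$admin" ]; then
    echo "invalid: idp_admin must be an email address"; rc=1
  elif [ "$admin_domain" != "$domain" ]; then
    echo "mismatch: idp_admin domain '$admin_domain' does not match domain '$domain'"; rc=1
  fi

  # Webhook hygiene: the endpoint should be TLS-only and the shared secret
  # should not be a placeholder copied from documentation.
  if [ -n "$url" ]; then
    case $url in
      https://*) ;;
      *) echo "insecure: webhook_url is not https"; rc=1 ;;
    esac
    case $secret in
      ""|dummysecret|secret|changeme) echo "weak: webhook_secret is empty or a placeholder"; rc=1 ;;
    esac
  fi
  return $rc
}

# Constructed sample file (same shape as the saml_idp.yaml on this page).
SAMPLE_IDP_FILE=$(mktemp)
cat > "$SAMPLE_IDP_FILE" <<'EOF'
name: samlidpwithfile
description: create saml idp using yaml file via rctl
domain: samlidpwithfile.com
idp_admin: admin@samlidpwithfile.com
idp_name: okta
group_attribute_name: group
webhook_secret: dummysecret
webhook_trigger_type: NONE
webhook_url: https://webhook.site/9454e0fa-3f79-491f-b211-fd4a1e91d70f
is_sae_enabled: true
requested_auth_context: true
EOF

# The sample is flagged for its placeholder secret; fix the file, then create.
if check_idp_yaml "$SAMPLE_IDP_FILE"; then
  echo "ok: ./rctl create idp -f $SAMPLE_IDP_FILE"
else
  echo "fix the findings above before running: ./rctl create idp -f $SAMPLE_IDP_FILE"
fi
```

Run it in CI before the `rctl create idp -f` step so a mis-typed admin address fails fast locally instead of as a server-side 400, and so a secret copied from the docs never reaches the platform.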
Get Identity Provider
🔔 Default Lookup Order for Get IdP
When running `rctl get idp <name>` without `--authType`:
- The system first searches for a SAML IdP with the given name.
- If not found, it then searches for an OIDC IdP.
- If neither exists, an error is returned.
To explicitly retrieve an OIDC IdP, `--authType oidc` must be specified.
- Get a Specific IdP
./rctl get idp samlidp
Output
Idp Name: samlidp
Idp type: okta
Domain Name: dummydomain.co
Domain Verified: false
Encryption Status: true
Group Attribute Name: group
- Get a Specific IdP in YAML Format
./rctl get idp samlidp -o yaml
Output
Idp Name: samlidp
Idp type: okta
Domain Name: dummydomain.co
Domain Verified: false
Encryption Status: true
Group Attribute Name: group
- Get a Specific IdP with Detailed Output (YAML)
./rctl get idp samlidp -o yaml --detailed --authType saml
Output
count: 1
next: null
previous: null
results:
- id: 5miyym
name: samlidp
idp_name: okta
idp_admin: admin@dummydomain.co
domain: dummydomain.co
domain_verified: false
acs_url: https://qc-console.stage.rafay.dev/auth/v1/sso/acs/d0cf2cc4-03e5-486a-bd1c-f979e49a897e/
metadata_filename: metadataFilename.xml
is_sae_enabled: true
group_attribute_name: group
organization_id: 7w2inkp
partner_id: k7280n
created_at: 2026-01-12T08:28:26.451329Z
modified_at: 2026-01-12T10:12:03.974575Z
requested_auth_context: true
webhook_url: https://webhook.site/9454e0fa-3f79-491f-b211-fd4a1e91d70f
webhook_payload:
custom:
k1: v1
k2: v2
op: file update
optional:
- first_name
- last_name
webhook_trigger_type: NONE
webhook_secret: dummysecret
description: update saml idp using yaml file via rctl
List Identity Providers
- List IdPs (All Auth Types)
Lists the first 10 IdPs, ordered by `modified_at` time.
./rctl get idp --authType all
Output
| NAME | IDP NAME | DOMAIN | GROUP ATTRIBUTE NAME | DOMAIN VERIFIED | ENCRYPTION STATUS | AUTH TYPE |
|--------------------|----------|---------------------------|----------------------|-----------------|-------------------|-----------|
| samlidp | okta | dummydomain.co | group | unverified | enabled | saml |
| demoidpfilekeycloak| keycloak | dummydomainkeycloak.co | demogroupsfile | unverified | disabled | oidc |
| demo-keycloakoidc | keycloak | mycompany.com | group | unverified | disabled | oidc |
| samlidpwithfile | okta | samlidpwithfile.com | group | unverified | enabled | saml |
| OKTA-test1 | okta | denipl.com | groups | verified | disabled | oidc |
| samlencryptiontest1| okta | mazun.org | group | verified | disabled | saml |
| oktaintegration | okta | okta.rafay.com | rafaysuperadmins | unverified | enabled | saml |
| x | okta | mycompany.com | qc-groups-2 | unverified | disabled | saml |
| phani-oidc-1231205 | ping | clowmail.com | grp-12312025 | verified | disabled | oidc |
| phani-oidc-1230 | okta | givmail.com | grp-1230 | verified | disabled | oidc |
- List SAML IdPs Only
Lists the first 10 SAML IdPs, ordered by `modified_at` time.
./rctl get idp --authType saml
Output
| Idp Name | Idp Type | Domain Name | Domain Verified | Encryption Status | Group Attribute Name |
|---|---|---|---|---|---|
| samlidp | okta | dummydomain.co | false | true | group |
| samlidpwithfile | okta | samlidpwithfile.com | false | true | group |
| samlencryptiontest1 | okta | mazun.org | true | false | group |
| oktaintegration | okta | okta.rafay.com | false | true | rafaysuperadmins |
| x | okta | mycompany.com | false | false | qc-groups-2 |
| samlidpwithwebhook | okta | samlidpwithwebhook.com | false | false | group |
| demosamlidp | okta | dummydomain.co | false | false | demogroup |
| Test-okta-vr-1 | okta | nctime.com | true | false | group |
| phani-qc-0406 | okta | 684h.com | true | true | group |
| phani-rctl-2 | okta | mycompany2.com | false | true | groups |
- List SAML IdPs with Detailed YAML Output
Lists the first 10 SAML IdPs, ordered by `modified_at` time, with detailed output. The `count` field gives the total number of SAML IdPs and `next` holds the URL of the following page of 10; `null` means there are no more pages. The detailed output includes each IdP's `webhook_secret` in clear text, so treat it as sensitive and do not paste it into tickets or commit it unredacted.
./rctl get idp --authType saml --detailed -o yaml
Output
count: 52
next: https://qc-console.stage.rafay.dev/auth/v1/sso/idp/?limit=10&offset=10
previous: null
results:
- id: 5m1jymy
name: samlidp
idp_name: okta
idp_admin: admin@dummydomain.co
domain: dummydomain.co
domain_verified: false
acs_url: https://qc-console.stage.rafay.dev/auth/v1/sso/acs/d0cf2cc4-03e5-486a-bd1c-f979e49a897e/
metadata_filename: metadataFilename.xml
is_sae_enabled: true
group_attribute_name: group
organization_id: 7w2lnkp
partner_id: rx28om1
created_at: 2026-01-12T08:28:26.451329Z
modified_at: 2026-01-12T10:12:03.974575Z
requested_auth_context: true
webhook_url: https://webhook.site/9454e0fa-3f79-491f-b211-fd4a1e91d70f
webhook_payload:
custom:
k1: v1
k2: v2
op: file update
optional:
- first_name
- last_name
webhook_trigger_type: NONE
webhook_secret: dummysecret
description: update saml idp using yaml file via rctl
- id: z2450my
name: samlidpwithfile
idp_name: okta
idp_admin: admin@samlidpwithfile.com
domain: samlidpwithfile.com
domain_verified: false
acs_url: https://qc-console.stage.rafay.dev/auth/v1/sso/acs/13ece491-888b-4f93-9a5f-29159f61da8d/
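Two things are worth scripting over the detailed listing above: the `webhook_secret` values it returns in clear text, and the `domain_verified: false` entries, whose users cannot log in until the verification mail is actioned. The script below is an added example, not part of rctl or the Rafay project. It assumes the YAML layout shown above, with each entry under `results:` starting at `- id:` and its fields indented beneath it; the sample output embedded in it is constructed and trimmed to the fields the script reads.

```shell
#!/bin/sh
# Added example (not part of rctl): post-process the YAML produced by
# `./rctl get idp --authType saml --detailed -o yaml` read from stdin.
# Assumes each results entry begins with "- id:" with its fields indented below it.

# redact_idp_yaml: mask webhook_secret values before the output is pasted
# into a ticket, committed to git, or shipped to a log pipeline
redact_idp_yaml() {
  sed -E 's/^( *webhook_secret:).*/\1 <redacted>/'
}

# unverified_idps: print the name of every IdP whose domain is not yet verified
unverified_idps() {
  awk '
    /^ *-? *id:/            { name = ""; verified = "" }   # new results entry
    /^ *name:/              { name = $2 }                  # not idp_name
    /^ *domain_verified:/   { verified = $2 }
    name != "" && verified == "false" { print name; name = ""; verified = "" }
  '
}

# Constructed sample output: two entries, trimmed to the fields used here.
SAMPLE_IDP_LIST='count: 2
next: null
previous: null
results:
- id: 5m1jymy
  name: samlidp
  idp_name: okta
  domain: dummydomain.co
  domain_verified: false
  webhook_url: https://webhook.site/9454e0fa-3f79-491f-b211-fd4a1e91d70f
  webhook_secret: dummysecret
- id: z2450my
  name: samlencryptiontest1
  idp_name: okta
  domain: mazun.org
  domain_verified: true
  webhook_secret: s3cr3t'

echo "IdPs whose domain is not verified (users cannot log in yet):"
printf '%s\n' "$SAMPLE_IDP_LIST" | unverified_idps
echo "Listing safe to share:"
printf '%s\n' "$SAMPLE_IDP_LIST" | redact_idp_yaml
```

Against the real CLI the pipeline is `./rctl get idp --authType saml --detailed -o yaml | redact_idp_yaml`; because the detailed listing is paginated in pages of 10, follow the `next` URL (or page through the CLI) before concluding that no unverified IdPs remain.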
Update Identity Provider
If the IdP configuration does not exist
./rctl update idp dummyidp https://idpMetadataURL
Output
Error: idp dummyidp does not exist
Update metadata URL
./rctl update idp samlidp https://keycloak.qasimplified.com:8443/realms/master/protocol/saml/descriptor
Output
Success UPDATING IDP metadata config with name: samlidp
Upload metadata file
./rctl update idp samlidp upload ./metadataFilename.xml
Output
Success UPDATING IDP file: Updated for samlidp
Update group attribute name
./rctl update idp samlidp okta dummydomain.co newgroupname --desc "Updated SAML IdP via RCTL" --es --reqAuthCtx --authType saml
Output
Success UPDATING IDP configuration
Update webhook configuration
./rctl update idp samlidp \
--groupAttributeName groups \
--webhookSecret secret \
--webhookURL https://webhookurl.com \
--webhookPayload '{
"custom": {
"k1": "v1",
"k2": "v2"
},
"optional": [
"first_name",
"last_name",
"trigger_type"
]
}' --authType saml --no-reqAuthCtx
Output
Success UPDATING IDP configuration
Update using file input
Sample saml_idp.yaml
name: samlidp
description: update saml idp using yaml file via rctl
domain: dummydomain.co
idp_admin: admin@dummydomain.co
idp_name: okta
group_attribute_name: group
webhook_secret: dummysecret
webhook_trigger_type: NONE
webhook_url: https://webhook.site/9454e0fa-3f79-491f-b211-fd4a1e91d70f
webhook_payload:
custom:
k1: v1
k2: v2
op: file update
optional:
- first_name
- last_name
is_sae_enabled: true
requested_auth_context: true
./rctl update idp -f ./saml_idp.yaml
Output
Success UPDATING IDP configuration
Delete Identity Provider
Use the commands below to delete Identity Providers.
Listed Deletion
./rctl delete idp name1, name2, name3
Single Deletion
./rctl delete idp <idp-name>
Example
./rctl delete idp demo-idp
Output
Success deleting idp config: demo-idp