This repository was archived by the owner on Apr 27, 2023. It is now read-only.

Unable to protect kubernetes services with saml-proxy #8

@morarucostel

Hello,

My scenario is the following:

  • I have a K8s cluster with an nginx ingress controller, which exposes some services (through ingress definitions), and I want to secure them using saml-proxy.
  • The saml-proxy is deployed inside the cluster and exposed to the public (accessible) through ingress definitions too (through https://my_domain/saml). Hitting this endpoint will take it through ingress -> k8s service -> saml-proxy pod.
  • The config.yaml looks similar to this:
    hosts:
      - service_root_url: https://my_domain/saml
        allow_idp_initiated: true
        idp_metadata_url: https://samltest.id/saml/idp
        targets:
          - http://k8s_svc_that_needs_protection.namespace.svc.cluster.local/mypage
  • My services that I need to protect are being protected and exposed with the snippet below, basically saying that the authentication endpoint is the saml-proxy service:
    kind: Ingress
    metadata:
      annotations:
        ingress.kubernetes.io/app-root: /mypage
        ingress.kubernetes.io/auth-url: http://saml-proxy-deployment.namespace.svc.cluster.local/auth

The problem I have is that the calls are ending up in the proxy-saml pod with the host saml-proxy-deployment.namespace.svc.cluster.local, and they are not being picked up as coming from my_domain and thus are not serviced (they are returned with 404 Not Found).

Can you please help/support, and do you have any examples of the deployment in a k8s service with nginx?
