Skip to content


In addition to managing users, groups and roles locally in the Rafay Org (Tenant), system admins can also optionally integrate Rafay with their corporate Identity Provider (IDP) via SAML 2.0.

The SSO based login process validates the user's credentials against the corporate user directory typically managed by your Identity Provider (IdP). A successful validation ensures that users can log on to Rafay Console without the need for a separate login.

Rafay's integration with SAML 2.0 IdP's support both IdP and SP Initiated flows.


Only privileged users with the System Admin role are authorized to view, configure and manage this setting.

How SSO Works

Rafay supports SSO by implementing federated authentication using Security Assertion Markup Language (SAML) version 2.0.

To enable SSO, a system administrator (highest privilege in the Org) must configure Rafay to work with their Identity Provider (IdP). The IdP maintains a record of all usernames and their passwords in an encrypted format.

However, if you use a preconfigured IdP or if this is a subsequent login, Rafay uses SAML assertions in an HTTP POST profile to communicate with your IdP.

For every login attempt, the Rafay Console sends SAML requests to the configured IdP login URL. The IdP validates the SAML request and sends a SAML assertion back to the Rafay Console.

Access Flow with IdP

User Experience with SSO

Once the user enters their email address in the Rafay Console's authentication window, the Controller automatically determines whether Single Sign On (SSO) is configured or not.

Local Authentication

The user experience when SSO is configured/required for the user. Authentication is performed by the Identity Provider (IdP).

User Experience without SSO

SSO based Authentication

The user experience when SSO is not configured and authentication is performed locally by the Rafay Controller. User Experience without SSO


End users accessing the Rafay Controller using SSO cannot access the Rafay Controller using API Keys and Secrets.

Supported NameID Formats

Ensure that you use the "email address" for the SAML 2.0 NameID in your IdP.

Supported IdPs

The Rafay Console can be integrated with any SAML 2.0 compliant IdP. The table below describes the type of support for the ecosystem of IdPs.

Type Description
Certified A certified IdP is fully tested by Rafay's QA team. Rafay certifies these IdPs and performs regular testing with every release to ensure the SSO functionality works as expected
Supported A supported IdP is not tested by the Rafay QA team with every release. However, the SSO functionality should work as expected and Rafay will provide support for such IdPs

Certified IdPs

Supported IdPs

  • Any IdP that supports the SAML 2.0 protocol


Please contact Rafay Support for assistance with configuration of an IdP not listed under Certified IdPs.

IdP Metadata

Some Identity Providers (IdP) do not support the convenience of an IdP metadata URL for a streamlined initial configuration. For these situations, Rafay provides the option for administrators to upload the "IdP metadata XML file".

IdP Metadata

IdP Users

Administrators can view the list of users that have accessed the Rafay Console using Single Sign On (SSO).

IdP Users