Skip to main content

Edge Route SAML Module

Replace HTTPS Edge Route SAML Module

Request

PUT /edges/https/{edge_id}/routes/{id}/saml

Example Request

curl \
-X PUT \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"enabled":true,"idp_metadata":"\n<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2020-09-14T12:53:23.691Z\" cacheDuration=\"PT1M\" entityID=\"http://127.0.0.1:12345/metadata\"><IDPSSODescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat><SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://127.0.0.1:12345/sso\"></SingleSignOnService><SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://127.0.0.1:12345/sso\"></SingleSignOnService></IDPSSODescriptor></EntityDescriptor>\n"}' \
https://api.ngrok.com/edges/https/edghts_2k5okgQEQlpu9SjQC6ugIxNODbj/routes/edghtsrt_2k5okhd5Q8twPUsYok5lHkZs8N2/saml

Parameters

NameTypeDescription
enabledbooleantrue if the module will be applied to traffic, false to disable. default true if unspecified
options_passthroughbooleanDo not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefixstringthe prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeoutuint32Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_durationuint32Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
idp_metadatastringThe full XML IdP EntityDescriptor. Your IdP may provide this to you as a a file to download or as a URL.
force_authnbooleanIf true, indicates that whenever we redirect a user to the IdP for authentication that the IdP must prompt the user for authentication credentials even if the user already has a valid session with the IdP.
allow_idp_initiatedbooleanIf true, the IdP may initiate a login directly (e.g. the user does not need to visit the endpoint first and then be redirected). The IdP should set the RelayState parameter to the target URL of the resource they want the user to be redirected to after the SAML login assertion has been processed.
authorized_groupsList<string>If present, only users who are a member of one of the listed groups may access the target endpoint.
nameid_formatstringDefines the name identifier format the SP expects the IdP to use in its assertions to identify subjects. If unspecified, a default value of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent will be used. A subset of the allowed values enumerated by the SAML specification are supported.

Response

Returns a 200 response on success

Example Response

{
"allow_idp_initiated": true,
"assertion_consumer_service_url": "https://idp.local-ngrok.com/saml/edghtsrt_2k5okhd5Q8twPUsYok5lHkZs8N2/acs",
"authorized_groups": [],
"cookie_prefix": "",
"enabled": true,
"entity_id": "https://idp.local-ngrok.com/saml/edghtsrt_2k5okhd5Q8twPUsYok5lHkZs8N2",
"force_authn": false,
"idp_metadata": "\n<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2020-09-14T12:53:23.691Z\" cacheDuration=\"PT1M\" entityID=\"http://127.0.0.1:12345/metadata\"><IDPSSODescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat><SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://127.0.0.1:12345/sso\"></SingleSignOnService><SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://127.0.0.1:12345/sso\"></SingleSignOnService></IDPSSODescriptor></EntityDescriptor>\n",
"idp_metadata_url": "",
"inactivity_timeout": 0,
"maximum_duration": 0,
"metadata_url": "https://idp.local-ngrok.com/saml/edghtsrt_2k5okhd5Q8twPUsYok5lHkZs8N2",
"nameid_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
"options_passthrough": false,
"request_signing_certificate_pem": "-----BEGIN CERTIFICATE-----\nMIIEBDCCAuygAwIBAgIRAMkp/D6YO3yw5qrLvF1ebskwDQYJKoZIhvcNAQELBQAw\ngaAxTjBMBgNVBAoMRWh0dHBzOi8vaWRwLmxvY2FsLW5ncm9rLmNvbS9zYW1sL2Vk\nZ2h0c3J0XzJrNW9raGQ1UTh0d1BVc1lvazVsSGtaczhOMjFOMEwGA1UEAwxFaHR0\ncHM6Ly9pZHAubG9jYWwtbmdyb2suY29tL3NhbWwvZWRnaHRzcnRfMms1b2toZDVR\nOHR3UFVzWW9rNWxIa1pzOE4yMCAXDTI0MDgwMjA3MTU0MloYDzIwNTkwNzI1MDcx\nNTQyWjCBoDFOMEwGA1UECgxFaHR0cHM6Ly9pZHAubG9jYWwtbmdyb2suY29tL3Nh\nbWwvZWRnaHRzcnRfMms1b2toZDVROHR3UFVzWW9rNWxIa1pzOE4yMU4wTAYDVQQD\nDEVodHRwczovL2lkcC5sb2NhbC1uZ3Jvay5jb20vc2FtbC9lZGdodHNydF8yazVv\na2hkNVE4dHdQVXNZb2s1bEhrWnM4TjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\nggEKAoIBAQDOJD56/T3y3dfyS1iapjljG+84Nhmn2h8FhSCRMtgNLfFo53c3f1RD\n+lKsjZ5xnODOGfURdFNRdn21E4RLuAyKSfszMY8HVhRIJac/f5zH4RUcEU1If44d\ntUUHSZXSUvDB8vuPnBhKRkseG/JmQKIUrho0BnnhlENq9+x/b73TKssdrvkVww8h\nVHokYViZaw3p2vkxIeQj4ggodhMd6Rzz2FAmWXwKGkbTTN/K6CBczczG9ibd6IGT\nUpadhtMvnk34W3wx+x3qrcPargzRNzwypvrZnV6MnNaO7hVR+9bsGDsQ4ZFPA0wN\nX/dsLBJLcosrzTJeC5zkTPnx5py/IA25AgMBAAGjNTAzMA4GA1UdDwEB/wQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEB\nCwUAA4IBAQAsZLu7ZZi0gDWx8PKWhYi8Qt70wId/NPSKsSkE+TCVeITiRRLtAyMb\nZe8VLj8X55U/tzXM/tLZfVZ4sPk92O5rTe61hdSvRl2X2pXXg7FqUy6AmpA65UeA\nRt1OgveFCFgzmriBSgBh7NABBKCDD6UfftyDuyNGJMs9rzJva4pH8tP6P7H74+rw\nRwBMbZ60G9LFW+u6Xx/MqZ/hCnHDCaYTxFfY2hJLE5hfryHNtNdO82noUd+gfgf7\n+DM7L4yQA8avyw1Q2zucrkLIeDrf70AZPRnnmxsdd3uWgmI37aPgRZ8UaSEsf1U7\nK8TrzQy/m1UnxCs7JByRyJm9Zevuk7sC\n-----END CERTIFICATE-----\n",
"single_logout_url": "https://idp.local-ngrok.com/saml/edghtsrt_2k5okhd5Q8twPUsYok5lHkZs8N2/slo"
}

Fields

NameTypeDescription
enabledbooleantrue if the module will be applied to traffic, false to disable. default true if unspecified
options_passthroughbooleanDo not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefixstringthe prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeoutuint32Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_durationuint32Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
idp_metadatastringThe full XML IdP EntityDescriptor. Your IdP may provide this to you as a a file to download or as a URL.
force_authnbooleanIf true, indicates that whenever we redirect a user to the IdP for authentication that the IdP must prompt the user for authentication credentials even if the user already has a valid session with the IdP.
allow_idp_initiatedbooleanIf true, the IdP may initiate a login directly (e.g. the user does not need to visit the endpoint first and then be redirected). The IdP should set the RelayState parameter to the target URL of the resource they want the user to be redirected to after the SAML login assertion has been processed.
authorized_groupsList<string>If present, only users who are a member of one of the listed groups may access the target endpoint.
entity_idstringThe SP Entity's unique ID. This always takes the form of a URL. In ngrok's implementation, this URL is the same as the metadata URL. This will need to be specified to the IdP as configuration.
assertion_consumer_service_urlstringThe public URL of the SP's Assertion Consumer Service. This is where the IdP will redirect to during an authentication flow. This will need to be specified to the IdP as configuration.
single_logout_urlstringThe public URL of the SP's Single Logout Service. This is where the IdP will redirect to during a single logout flow. This will optionally need to be specified to the IdP as configuration.
request_signing_certificate_pemstringPEM-encoded x.509 certificate of the key pair that is used to sign all SAML requests that the ngrok SP makes to the IdP. Many IdPs do not support request signing verification, but we highly recommend specifying this in the IdP's configuration if it is supported.
metadata_urlstringA public URL where the SP's metadata is hosted. If an IdP supports dynamic configuration, this is the URL it can use to retrieve the SP metadata.
nameid_formatstringDefines the name identifier format the SP expects the IdP to use in its assertions to identify subjects. If unspecified, a default value of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent will be used. A subset of the allowed values enumerated by the SAML specification are supported.

Get HTTPS Edge Route SAML Module

Request

GET /edges/https/{edge_id}/routes/{id}/saml

Example Request

curl \
-X GET \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/edges/https/edghts_2k5okgQEQlpu9SjQC6ugIxNODbj/routes/edghtsrt_2k5okhd5Q8twPUsYok5lHkZs8N2/saml

Response

Returns a 200 response on success

Example Response

{
"allow_idp_initiated": true,
"assertion_consumer_service_url": "https://idp.local-ngrok.com/saml/edghtsrt_2k5okhd5Q8twPUsYok5lHkZs8N2/acs",
"authorized_groups": [],
"cookie_prefix": "",
"enabled": true,
"entity_id": "https://idp.local-ngrok.com/saml/edghtsrt_2k5okhd5Q8twPUsYok5lHkZs8N2",
"force_authn": false,
"idp_metadata": "\n<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2020-09-14T12:53:23.691Z\" cacheDuration=\"PT1M\" entityID=\"http://127.0.0.1:12345/metadata\"><IDPSSODescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat><SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://127.0.0.1:12345/sso\"></SingleSignOnService><SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://127.0.0.1:12345/sso\"></SingleSignOnService></IDPSSODescriptor></EntityDescriptor>\n",
"idp_metadata_url": "",
"inactivity_timeout": 0,
"maximum_duration": 0,
"metadata_url": "https://idp.local-ngrok.com/saml/edghtsrt_2k5okhd5Q8twPUsYok5lHkZs8N2",
"nameid_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
"options_passthrough": false,
"request_signing_certificate_pem": "-----BEGIN CERTIFICATE-----\nMIIEBDCCAuygAwIBAgIRAMkp/D6YO3yw5qrLvF1ebskwDQYJKoZIhvcNAQELBQAw\ngaAxTjBMBgNVBAoMRWh0dHBzOi8vaWRwLmxvY2FsLW5ncm9rLmNvbS9zYW1sL2Vk\nZ2h0c3J0XzJrNW9raGQ1UTh0d1BVc1lvazVsSGtaczhOMjFOMEwGA1UEAwxFaHR0\ncHM6Ly9pZHAubG9jYWwtbmdyb2suY29tL3NhbWwvZWRnaHRzcnRfMms1b2toZDVR\nOHR3UFVzWW9rNWxIa1pzOE4yMCAXDTI0MDgwMjA3MTU0MloYDzIwNTkwNzI1MDcx\nNTQyWjCBoDFOMEwGA1UECgxFaHR0cHM6Ly9pZHAubG9jYWwtbmdyb2suY29tL3Nh\nbWwvZWRnaHRzcnRfMms1b2toZDVROHR3UFVzWW9rNWxIa1pzOE4yMU4wTAYDVQQD\nDEVodHRwczovL2lkcC5sb2NhbC1uZ3Jvay5jb20vc2FtbC9lZGdodHNydF8yazVv\na2hkNVE4dHdQVXNZb2s1bEhrWnM4TjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\nggEKAoIBAQDOJD56/T3y3dfyS1iapjljG+84Nhmn2h8FhSCRMtgNLfFo53c3f1RD\n+lKsjZ5xnODOGfURdFNRdn21E4RLuAyKSfszMY8HVhRIJac/f5zH4RUcEU1If44d\ntUUHSZXSUvDB8vuPnBhKRkseG/JmQKIUrho0BnnhlENq9+x/b73TKssdrvkVww8h\nVHokYViZaw3p2vkxIeQj4ggodhMd6Rzz2FAmWXwKGkbTTN/K6CBczczG9ibd6IGT\nUpadhtMvnk34W3wx+x3qrcPargzRNzwypvrZnV6MnNaO7hVR+9bsGDsQ4ZFPA0wN\nX/dsLBJLcosrzTJeC5zkTPnx5py/IA25AgMBAAGjNTAzMA4GA1UdDwEB/wQEAwIH\ngDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEB\nCwUAA4IBAQAsZLu7ZZi0gDWx8PKWhYi8Qt70wId/NPSKsSkE+TCVeITiRRLtAyMb\nZe8VLj8X55U/tzXM/tLZfVZ4sPk92O5rTe61hdSvRl2X2pXXg7FqUy6AmpA65UeA\nRt1OgveFCFgzmriBSgBh7NABBKCDD6UfftyDuyNGJMs9rzJva4pH8tP6P7H74+rw\nRwBMbZ60G9LFW+u6Xx/MqZ/hCnHDCaYTxFfY2hJLE5hfryHNtNdO82noUd+gfgf7\n+DM7L4yQA8avyw1Q2zucrkLIeDrf70AZPRnnmxsdd3uWgmI37aPgRZ8UaSEsf1U7\nK8TrzQy/m1UnxCs7JByRyJm9Zevuk7sC\n-----END CERTIFICATE-----\n",
"single_logout_url": "https://idp.local-ngrok.com/saml/edghtsrt_2k5okhd5Q8twPUsYok5lHkZs8N2/slo"
}

Fields

NameTypeDescription
enabledbooleantrue if the module will be applied to traffic, false to disable. default true if unspecified
options_passthroughbooleanDo not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefixstringthe prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeoutuint32Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_durationuint32Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
idp_metadatastringThe full XML IdP EntityDescriptor. Your IdP may provide this to you as a a file to download or as a URL.
force_authnbooleanIf true, indicates that whenever we redirect a user to the IdP for authentication that the IdP must prompt the user for authentication credentials even if the user already has a valid session with the IdP.
allow_idp_initiatedbooleanIf true, the IdP may initiate a login directly (e.g. the user does not need to visit the endpoint first and then be redirected). The IdP should set the RelayState parameter to the target URL of the resource they want the user to be redirected to after the SAML login assertion has been processed.
authorized_groupsList<string>If present, only users who are a member of one of the listed groups may access the target endpoint.
entity_idstringThe SP Entity's unique ID. This always takes the form of a URL. In ngrok's implementation, this URL is the same as the metadata URL. This will need to be specified to the IdP as configuration.
assertion_consumer_service_urlstringThe public URL of the SP's Assertion Consumer Service. This is where the IdP will redirect to during an authentication flow. This will need to be specified to the IdP as configuration.
single_logout_urlstringThe public URL of the SP's Single Logout Service. This is where the IdP will redirect to during a single logout flow. This will optionally need to be specified to the IdP as configuration.
request_signing_certificate_pemstringPEM-encoded x.509 certificate of the key pair that is used to sign all SAML requests that the ngrok SP makes to the IdP. Many IdPs do not support request signing verification, but we highly recommend specifying this in the IdP's configuration if it is supported.
metadata_urlstringA public URL where the SP's metadata is hosted. If an IdP supports dynamic configuration, this is the URL it can use to retrieve the SP metadata.
nameid_formatstringDefines the name identifier format the SP expects the IdP to use in its assertions to identify subjects. If unspecified, a default value of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent will be used. A subset of the allowed values enumerated by the SAML specification are supported.

Delete HTTPS Edge Route SAML Module

Request

DELETE /edges/https/{edge_id}/routes/{id}/saml

Example Request

curl \
-X DELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/edges/https/edghts_2k5okgQEQlpu9SjQC6ugIxNODbj/routes/edghtsrt_2k5okhd5Q8twPUsYok5lHkZs8N2/saml

Response

Returns a 204 response with no body on success