If you’ve set up SAML 2.0 authentication for your Spinnaker cluster and are able to log in when your Identity Provider (IdP; ADFS, Okta, etc.) initiates the login, but aren’t able to log in when the Service Provider (SP, Spinnaker) initiates the login, try the following:
keytool -export -keystore saml.jks -alias saml -file spinnaker-saml.cer
Then import/configure the exported spinnaker-saml.cer in your IdP for the SAML application you created.
Essentially, Gate signs its SAML requests with the key in the Java keystore, and the IdP cannot verify those signed requests until it has the signing certificate.
This is somewhat documented here.
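Before uploading spinnaker-saml.cer, it helps to check what was actually exported. The shell helpers below are an added example, not part of the original article or of Spinnaker's tooling; the function names are hypothetical and openssl is assumed to be installed. keytool -export writes binary DER unless -rfc is given, so the helpers detect the encoding, print the SHA-256 fingerprint to compare with what the IdP shows after import, check expiry, and write a PEM copy for IdPs that only accept Base64 uploads.

```shell
#!/bin/sh
# Added example: inspect the certificate exported from saml.jks before
# handing it to the IdP. Function names are hypothetical; requires openssl.

# Print PEM or DER depending on how the file is encoded.
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER   # keytool -export default (no -rfc)
    fi
}

# Print the SHA-256 fingerprint as colon-separated hex.
cert_fingerprint() {
    openssl x509 -inform "$(cert_encoding "$1")" -in "$1" \
        -noout -fingerprint -sha256 | cut -d= -f2
}

# Write a PEM copy of the certificate to $2.
cert_to_pem() {
    openssl x509 -inform "$(cert_encoding "$1")" -in "$1" -outform PEM -out "$2"
}

# Succeed if the certificate is still valid $2 days from now (default 30).
cert_valid_for_days() {
    days=${2:-30}
    openssl x509 -inform "$(cert_encoding "$1")" -in "$1" \
        -noout -checkend $((days * 86400)) >/dev/null
}

# Succeed if the file holds no PEM private key; only the public
# certificate should ever leave the Gate host.
cert_has_no_private_key() {
    ! grep -q -- 'PRIVATE KEY-----' "$1"
}

inspect_saml_cert() {
    cert_has_no_private_key "$1" || { echo "refusing: $1 contains a private key" >&2; return 1; }
    echo "encoding: $(cert_encoding "$1")"
    echo "sha256:   $(cert_fingerprint "$1")"
    cert_valid_for_days "$1" 30 || echo "warning: expires within 30 days" >&2
    cert_to_pem "$1" "${1%.*}.pem" && echo "pem copy: ${1%.*}.pem"
}

# Usage: sh inspect-saml-cert.sh spinnaker-saml.cer
if [ -n "${1:-}" ]; then inspect_saml_cert "$1"; fi
```

The fingerprint printed here should match the SHA256 value that keytool -list -v -keystore saml.jks -alias saml reports for the same alias.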