Module 5 of 8

SSO with OIDC or SAML Through Envoy and External Auth

Use Envoy as the enforcement point while an IdP and auth service handle login protocol details.

105 minutes · 1 exercise · Free

Start here

Learning objectives

  • Explain why Envoy is not the full identity provider
  • Design an SSO flow for browser products behind Envoy
  • Use ext_authz to delegate login/session decisions to a central auth service
  • Compare OIDC and SAML at the architecture level without getting lost in protocol details
Figure: SSO with OIDC or SAML through Envoy and external auth. A central Envoy edge checks identity before traffic reaches product services. Components: Browser (browser or service) -> Envoy (enforcement point) -> Auth Service (IdP or policy service when needed) -> UI / Kubernetes app. Authenticate once, validate every request, authorize before forwarding.

The Honest Architecture

Plain Envoy is the central enforcement point. It is not usually the component that completes the full browser login protocol by itself. For OIDC or SAML, a browser is redirected to an identity provider or an auth service that knows how to speak the protocol. Envoy protects product routes and delegates the decision through ext_authz.

Browser Flow

  1. User opens a product such as the data explorer.
  2. Envoy sees no valid session or token.
  3. Envoy calls the central auth service with request context.
  4. The auth service starts OIDC or SAML login with the IdP.
  5. After login, the user returns with a valid session or token.
  6. Envoy allows the request and forwards trusted identity context to the product.

Envoy ext_authz Example

This example delegates the authorization decision for every request to a central service over gRPC. That service can understand sessions, OIDC, SAML, groups, tenants, and product policy. Keep timeouts short because this service sits on the request path, and keep failure_mode_allow false so an outage of the auth service denies rather than admits traffic.

http_filters:
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    transport_api_version: V3
    grpc_service:
      envoy_grpc:
        cluster_name: central_authz_service
      timeout: 250ms                 # the check is on the request path; keep it short
    include_peer_certificate: true   # pass the client certificate (if mTLS) to the auth service
    failure_mode_allow: false        # fail closed: deny when the auth service errors or times out
- name: envoy.filters.http.router    # the router must be the last HTTP filter
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

clusters:
- name: central_authz_service
  type: STRICT_DNS
  connect_timeout: 500ms
  http2_protocol_options: {}        # gRPC needs HTTP/2 (older field; newer configs use typed_extension_protocol_options)
  load_assignment:
    cluster_name: central_authz_service
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: authz.platform.svc.cluster.local
              port_value: 9000

OIDC vs SAML

Protocol | Best mental model | Common usage
OIDC | Modern login protocol with ID tokens and discovery metadata. | Internal apps, SaaS, mobile, API platforms.
SAML | Enterprise SSO protocol using signed assertions. | Older corporate SSO integrations and enterprise SaaS.

What the Auth Service Decides

The auth service can say: allow, deny, redirect to login, or enrich the request with identity headers. It can also normalize groups from OIDC or SAML into platform roles such as viewer, operator, admin, or data-steward.
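The auth service on the other side of ext_authz, as an added example that is not part of this module or of the Envoy project. It is written against the filter's HTTP variant (http_service) rather than the gRPC wiring shown in the Envoy ext_authz Example, because that variant reduces the contract to a status code: 200 allows the request and its identity headers are forwarded upstream, any other status is returned to the caller, which is how a 302 to the login page reaches the browser. The session store, group-to-role map, login URL and x-auth-* header names are constructed assumptions; the code covers the four decisions listed above (allow, deny, redirect, enrich) plus the group normalization.

```go
package main
import (
	"net/http"
	"net/url"
	"strings"
)

// Constructed fixtures: a session store (cookie value -> identity fixed by the
// OIDC/SAML login), a group-to-role map, and the assumed login endpoint.
var sessions = map[string]struct{ User, Groups string }{"sess-123": {"alice@example.com", "data-readers,platform-admins"}}
var groupRoles = map[string]string{"data-readers": "viewer", "platform-admins": "admin"} // unmapped groups grant nothing
const loginURL = "https://login.example.com/start"

// decide: 200 = allow and carry identity headers, 302 = send browser to login, 401/403 = deny.
func decide(r *http.Request) (int, map[string]string) {
	c, err := r.Cookie("session")
	if err != nil {
		if !strings.Contains(r.Header.Get("Accept"), "text/html") {
			return http.StatusUnauthorized, nil // API callers never get a redirect
		}
		rd := r.URL.Path // return target: a single-slash local path only, so no open redirect
		if !strings.HasPrefix(rd, "/") || strings.HasPrefix(rd, "//") {
			rd = "/"
		}
		return http.StatusFound, map[string]string{"Location": loginURL + "?rd=" + url.QueryEscape(rd)}
	}
	s, ok := sessions[c.Value]
	if !ok {
		return http.StatusForbidden, nil // unknown or expired session: fail closed
	}
	var roles []string
	for _, g := range strings.Split(s.Groups, ",") {
		if role, mapped := groupRoles[g]; mapped {
			roles = append(roles, role)
		}
	}
	if len(roles) == 0 {
		return http.StatusForbidden, nil // no platform role resolved: deny, never default to access
	}
	return http.StatusOK, map[string]string{"x-auth-user": s.User, "x-auth-roles": strings.Join(roles, ",")}
}
// serve writes the decision as the response Envoy's ext_authz http_service reads.
func serve(w http.ResponseWriter, r *http.Request) {
	status, hdrs := decide(r)
	for k, v := range hdrs {
		w.Header().Set(k, v)
	}
	w.WriteHeader(status)
}
func main() { http.ListenAndServe(":9000", http.HandlerFunc(serve)) }
```

Envoy copies the x-auth-* headers to the product only if they are listed in the filter's allowed_upstream_headers, and the 401 for non-browser callers is what keeps bearer-token API routes out of the redirect flow.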

Real world

Where this shows up

  • A Kubernetes platform with many internal products that should share one login and one enforcement layer
  • Developer portals, data tools, admin consoles, APIs, and service-to-service calls protected at the edge
  • Migration from product-specific auth logic to centralized policy checks without rewriting every product first

Production notes

Keep these close

  • Keep auth-service timeouts short and monitor p95/p99 decision latency
  • Use secure, HttpOnly, SameSite cookies for browser sessions when cookies are used
  • Make login redirects explicit and avoid redirect loops

Common mistakes

What usually breaks

  • Claiming Envoy alone replaces the identity provider
  • Failing open when the auth service is unavailable
  • Mixing browser session cookies and API bearer tokens without clear route rules

Security risks

Threats to watch

  • Open redirect bugs can leak login flows
  • Weak cookie settings can expose sessions
  • Group-to-role mapping mistakes can grant broad product access

Tradeoffs

Design choices you should be able to defend

OIDC login through auth service

Pros

  • Modern ecosystem
  • Good fit for APIs and UI apps
  • Works well with JWT validation

Cons

  • Requires careful redirect and callback handling
  • Misconfigured audiences and clients are common

SAML login through auth service

Pros

  • Works with many enterprise IdPs
  • Familiar for older corporate SSO

Cons

  • XML assertions and metadata can be harder to debug
  • Less natural for API-first systems

Think like an engineer

Questions to answer before shipping

  • Which identity is making the request: a human, a service, or a federated cloud principal?
  • Which check belongs at Envoy, and which check must remain inside the product domain model?
  • What happens when the identity provider, JWKS endpoint, or auth service is slow or unavailable?

Key terms

Vocabulary used in this module

ext_authz

Envoy external authorization filter; it asks another service whether a request should be allowed.

IdP

Identity provider, such as a corporate login system.

Session

A server-recognized login state, often represented by a secure browser cookie.

Redirect loop

A broken login flow where the browser keeps bouncing between app and login service.

Exercises

Practice inside the lesson

45-60 minutes · Beginner to Intermediate

Design the SSO Flow

Describe an SSO flow for three browser products behind plain Envoy.

  1. Choose three products that need browser login
  2. Write what happens when the user has no session
  3. Write what happens after successful OIDC or SAML login
  4. Choose which identity headers products receive
  5. Write the timeout and failure behavior for the auth service call

Recap

Key takeaways

  • Envoy enforces access; an IdP and auth service usually own OIDC or SAML protocol work
  • ext_authz lets Envoy delegate decisions to a central service
  • Browser SSO needs careful redirect, session, cookie, and CSRF design
