# SSO with pcdctl

Before you can use `pcdctl` with a single sign-on (SSO) user, you must first authenticate with <code class="expression">space.vars.product\_name</code> Identity Service using the user credentials and generate a valid token. This is done by running the `saml2pf9` utility, which handles the SSO authentication process and issues the token that `pcdctl` requires to execute commands on behalf of the authenticated user.

{% hint style="info" %}
**Note**

Currently, `saml2pf9` is only supported with Microsoft Entra ID as an SSO Identity Provider (IDP).
{% endhint %}

## Step 1: Download the saml2pf9 binary

{% tabs %}
{% tab title="Bash" %}

```bash
sudo curl -shttps://pcdctl.s3.us-west-2.amazonaws.com/saml2pf9 -o /usr/bin/saml2pf9

# To ensure that the downloaded file is executable, run the following command:
sudo chmod +x /usr/bin/saml2pf9
```

{% endtab %}
{% endtabs %}

## Step 2: Configure SAML authentication for Entra ID

To configure authentication using CLI, execute the command `saml2pf9 configure` as shown below and follow the prompts to enter the required details. You can obtain the App ID directly from the Microsoft Entra ID Console.

{% tabs %}
{% tab title="Bash" %}

```bash
root@host1:$ saml2pf9 configure

? Please choose a provider: AzureAD

? Please choose an MFA Auto

? PF9 URL https://<DU_FQDN>

? PF9 Tenant Id <Tenant ID>

? Username xyz@abc.onmicrosoft.com

? IDP IDP1

? App ID <App ID>
```

{% endtab %}
{% endtabs %}

## Step 3: Generate a token

Now execute the `saml2pf9 login` command to log in to the identity service and generate a valid token.

{% tabs %}
{% tab title="Bash" %}

```bash
root@host1:$ saml2pf9 login

Using IdP Account default to access AzureAD https://login.microsoftonline.com/04f9ccd0-810f-4516-8bd1-fb51b592b00d/saml2?SAMLRequest=pVJNj9sgFPwrFnfMh%2B0kRnGkdHNopG0bbdIe9rLCGDaoGLw83Db%2FvnayVbeXvfSEBPNm5s2wBtm7QWzHdPYP%2BmXUkLJfvfMgrg8NGqMXQYIF4WWvQSQljttP94LnVAwxpKCCQ9kWQMdkg78LHsZex6OOP6zSXx%2FuG3ROaQBBSJrIcTfi%2BWx1h4N3F1zUBS%2F4IpfDkL9IPKguH5xMJsS%2BzlXoCUAg%2B92BkePZtm1wOp3z%2BW52wcnhy%2FGEst3EaL2cDfyVc%2BHZ%2Bry3KgYIJk1q1usrJS1NrVRH8YpRg8uKLfCq7Rg2bcXaquYtpR2Z9%2Bco2%2B8a9GQMK5elYQu65FouZVEaQ1XJV11VqEKXEwxg1HsPSfrUIE55hekSF%2BzEqCi4KOpHlB1e4%2FpgfWf98%2FvZtjcQiI%2Bn0wHf1vymI1xXnABos54diqtwfNPZ%2B7TyT1Fo83%2B1fNcXmDLVa%2FLGxs3TID5PulNnwVl1ybbOhZ93UcukG8QQ2dxG%2Fv10m98%3D&RelayState=ss%3Amc%3Aa3dfb7b78b22539d4fb081ad27682455419a3d5ee95743d93ae55eafe1e42d06 To use saved password just hit enter.

? Username testuser@operationsplatform9.onmicrosoft.com

? Password ********

Authenticating as testuser@operationsplatform9.onmicrosoft.com ... 
INFO[0004] [Tenant { Name: service, UUID: 21aded64308c4fbcb43e4fdce4cbc846 } Tenant { Name: tenant2, UUID: 30df56a1356d4868abad66d2b1b8992b }] command=pf9-login Your new access key pair has been stored in the PF9 configuration. Note that it will expire at 2025-08-01 10:32:43 +0000 UTC
```

{% endtab %}
{% endtabs %}

After this step, the issued token is stored in a file located at `$HOME/.pf9/credentials`.

## Step 4: Export environment variables

Export the generated token along with other mandatory environment variables by running the following:

This is required before you can run `pcdctl` commands

{% tabs %}
{% tab title="Bash" %}

```bash
export OS_AUTH_URL=https://pcd-demo.app.pcd.platform9.com/keystone/v3
export OS_AUTH_TYPE=token
export OS_TOKEN=`cat ~/.pf9/credentials | jq -r '.profiles[0].credentials.bearer_token'`
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME=region-1
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_PROJECT_NAME=service
export OS_INTERFACE=public
```

{% endtab %}
{% endtabs %}

Now you should be able to run all `pcdctl` CLI commands while the token is valid.

## Use saml2pf9 with automation

To automate the configuration and authentication

1. Create a file named `saml2pf9` in the `$HOME/.pf9/` directory.
2. Ensure that the file adheres to the required format outlined below.

When `saml2pf9` is used, the system will authenticate using the settings defined in the configuration file.

{% tabs %}
{% tab title="Bash" %}

```bash
root@host1:~$ cat ~/.pf9/saml2pf9

[default]

name = default

app_id = 64c14e40-1af3-4287-9817-096aeec31b52

url = https://pcd-demo.app.pcd.platform9.com

tenant_id = 21aded64308c4fbcb43e4fdce4cbc846

username = testuser@operationsplatform9.onmicrosoft.com

provider = AzureAD

domain_IDP = IDP1

mfa = Auto

skip_verify = false

timeout = 0

resource_id =

subdomain =

http_attempts_count =

http_retry_delay =

credentials_file =

saml_cache = false

saml_cache_file =

target_url =

disable_remember_device = false

disable_sessions = false

prompter =
```

{% endtab %}
{% endtabs %}

To generate tokens in non-interactive scripts, provide the password as a command-line argument along with the `--skip-prompt` flag, as shown below:

{% tabs %}
{% tab title="Bash" %}

```bash
saml2pf9 login --password='<your password>' --skip-prompt
```

{% endtab %}
{% endtabs %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.platform9.com/private-cloud-director/2026.1/identity-and-multi-tenancy/enterprise-sso/saml2pf9.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.