Tutorial: How to Configure SAML with Keycloak
This is a step-by-step guide for configuring SAML on Access Server with Keycloak.
Overview
Access Server 2.11 and newer supports authentication using SAML with Keycloak as the identity provider. You can configure this in Keycloak with Access Server as your service provider.
The following steps walk you through enabling SAML authentication for users and groups from Keycloak to Access Server.
You need the following to get started:
A deployed Keycloak server.
Note
At the time of writing this tutorial, the KeyCloak version used and tested was 26.5.x.
A deployed Access Server.
Important
We recommend using all lowercase usernames when signing in with SAML.
Note
In our documentation, we use example IPv4 addresses and subnets reserved for documentation, such as 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24.
Ensure you replace them with valid IPv4 addresses and subnets for your network(s).
With Keycloak, you need to create a client application to serve as your SAML resource server.
Now that you have your SP information, you can create a new Keycloak client and enter that information during client creation:
Sign in to your Keycloak administration console.
Click Clients > Create client.
Start the configuration of your Client:
Client type: Select SAML.
Client ID: Enter the SP Identity from Access Server.
Name: Enter a client name (for example, "openvpnas-saml"). We recommend all lowercase for the client name.
Click Next, and make the following changes:
Valid redirect URIs: Enter your Access Server address, with an * appended (for example,
https://203.0.113.5/*).Master SAML Processing URL: Enter the SP ACS from Access Server.
Leave the remaining fields empty (default).
Click Save.
Navigate to Settings > SAML capabilities > Name ID format.
Select a format that matches your Access Server usernames (for example,
usernameoremail).Click Save.
Navigate to Keys > Signing keys config.
Set Client signature required to Off.
Navigate to the Client Scopes tab.
Select role_list, click the 3 dots, click Remove, and click Delete.
You’ve added the SAML client for your Keycloak server.
The simplest way to set up Keycloak SAML for Access Server is to provide metadata. You can copy a metadata URL or download an XML file.
Option 1: Copy the Keycloak metadata URL
Sign in to your Keycloak administration console.
Under Realm Settings > General > Endpoints: Click SAML 2.0 Identity Provider Metadata. (This opens a new tab.)
Copy the URL for the newly opened tab.
Option 2: Download the Keycloak metadata XML
Sign in to your Keycloak administration console.
Click Clients and select your SAML client.
Click Action > Download adapter config.
Select mod-auth-mellon from the Format Option dropdown.
The zip file
keycloak-mod-auth-mellon-sp-config.zipdownloads.
Extract the ZIP file and you'll see a directory called
https___203.0.113.5_saml_metadata(where203.0.113.5is your Access Server address).Inside that directory are two files:
idp-metadata.xml
sp-metadata.xml
Use the
idp-metadata.xmlif you're uploading Keycloak metadata XML in the Admin Web UI.
Now that you have the metadata, you can provide that to your Access Server through the Admin Web UI to automatically configure SAML.
If you copied the URL, follow the steps below to paste it into the SAML page for Access Server. If you downloaded the XML file, follow the steps below to upload it to the SAML page for Access Server.
Option 1: Paste the Keycloak metadata URL in the Admin Web UI
Sign in to your Access Server Admin Web UI.
Click Authentication > SAML.
Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.
Paste the metadata URL from Keycloak into the IdP Metadata URL field, click Get, and click Update Running Server.
The IdP fields are now populated under Configure Identity Provider (IdP) Manually.
Option 2: Upload the Keycloak metadata XML in the Admin Web UI
Sign in to your Access Server Admin Web UI.
Click Authentication > SAML.
Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.
In the field Select IdP Metadata, click Choose File to upload the XML file you downloaded from Keycloak, then click Upload and Update Running Server.
The IdP fields are now populated under Configure Identity Provider (IdP) Manually.
The IdP fields are now populated under Configure Identity Provider (IdP) Manually.
IdP EntityId.
Sign On Endpoint.
Certificate (PEM format).
You can configure an IdP-initiated flow for signing into Access Server from Keycloak with the following steps:
Sign in to your Keycloak administration console.
Click Clients, then select your SAML client.
In the IDP-Initiated SSO URL name field, enter a name. This will be part of the URL used for the IdP-initiated flow. We recommend using an all lowercase name here. In this example, we use the client name, openvpnas-saml.
This value becomes part of the IdP-initiated SSO URL.
We recommend using a lowercase name.
Example:
openvpnas-saml
In IDP-initiated SSO Relay State, enter one of the following:
cws: This directs your users to the Client Web UI after sign-in.
profile: This directs your users to download a connection profile.
Click Save.
After saving, Keycloak generates the IdP-initiated SSO URL.
The URL follows this format:
https://<keycloak-server-domain>/realms/<realm>/protocol/saml/clients/<idp-initiated-sso-url-name>
Where:
<keycloak-server-domain>— the IP address or domain of your Keycloak server.<realm>— the Keycloak realm name.<idp-initiated-sso-url-name>— the value set in IDP-initiated SSO URL Name.
Example:
https://keycloak-example.com/realms/master/protocol/saml/clients/openvpnas-saml
Provide this URL to users so they can sign in using the IdP-initiated flow.
Instead of sharing the URL manually, you can configure Keycloak so users can launch the application directly from the Keycloak UI.
Sign in to your Keycloak administration console.
Click Clients, then select your SAML client.
In the Home URL field, paste the IDP-Initiated SSO URL.
Click Save.
Users will now see the application in the Keycloak user portal and can click it to sign in using the IdP-initiated flow.