Skip to main content

Tutorial: How to Configure SAML with Keycloak

Abstract

This is a step-by-step guide for configuring SAML on Access Server with Keycloak.

Overview

Access Server supports authentication using SAML with Keycloak as the identity provider. You can configure this in Keycloak with Access Server as your service provider.

The following steps walk you through enabling SAML authentication for users and groups from Keycloak to Access Server.

Prerequisites

You need the following to get started:

Important

We recommend using all lowercase usernames when signing in with SAML.

Step 1: Create the Keycloak Client

With Keycloak, you must create a client application to serve as your SAML resource server.

Now that you have your SP information, you can create a new Keycloak client and enter that information during client creation:

  1. Sign in to your Keycloak administration console.

  2. Click Clients > Create.

  3. Enter your SP information as follows:

    1. Client ID: Enter the SP Identity from Access Server.

    2. Client Protocol: Choose saml.

    3. Client SAML Endpoint: Enter the SP ACS from Access Server.

  4. Click Save.

  5. After saving, make the following changes in the Settings:

    1. Set Client Signature Required to OFF.

    2. Select the Name ID Format that matches your Access Server usernames.

    3. Enter your Access Server address, with an * appended, as the Valid Redirect URIs, and click the + sign. (For example, enter https://164.234.23.23/*.)

  6. Click Save.

  7. Click the Client Scopes tab.

  8. Click role_list under Assigned Default Client Scopes and click Remove selected.

    • You’ve added the SAML client for your Keycloak server.

Step 2: Copy or download the Keycloak metadata

The simplest way to set up Keycloak SAML for Access Server is to provide metadata. You can copy a metadata URL or download an XML file.

Option 1: Copy the Keycloak metadata URL

  1. Sign in to your Keycloak administration console.

  2. Under Real Settings and General, click SAML 2.0 Identity Provider Metadata under Endpoints.

  3. Copy the URL for the newly opened tab.

Option 2: Download the Keycloak metadata XML

  1. Sign in to your Keycloak administration console.

  2. Click Clients and select your SAML client.

  3. Click Installation.

  4. Select Mod Auth Mellon files from the Format Option dropdown.

  5. Click Download.

Step 3: Provide metadata to Access Server

Now that you have the metadata, you can provide that to your Access Server through the Admin Web UI to automatically configure SAML.

If you copied the URL, follow the steps below to paste it into the SAML page for Access Server. If you downloaded the XML file, follow the steps below to upload it to the SAML page for Access Server.

Option 1: Paste the Keycloak metadata URL in the Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click Authentication.

  3. Click the SAML tab.

  4. Set Enable SAML authentication to Enabled.

  5. Under Configure Identity Provider (IdP), click Configure using metadata URL/file.

    • The Configure using metadata modal displays.

  6. In the field, IdP metadata configuration URL, paste the metadata URL you copied from Keycloak, and click Get.

    • If the URL isn't valid, a message displays. Otherwise, the Identity Provider data populates the corresponding fields.

  7. Click Save and Restart.

Option 2: Upload the Keycloak metadata XML in the Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click Authentication.

  3. Click the SAML tab.

  4. Set Enable SAML authentication to Enabled.

  5. Under Configure Identity Provider (IdP), click Configure using metadata URL/file.

    • The Configure using metadata modal displays.

  6. Click Click to upload to select your XML file or drag and drop it into the modal window.

    • The Identity Provider data populates the corresponding fields.

  7. Click Save and Restart.

Step 4: Assign SAML as user authentication

You can now enable SAML as the global default authentication or for specific groups and users.Tutorial: SAML user groups

Optional: How to set up IdP-initiated flow

You can configure an IdP-initiated flow for signing into Access Server from Keycloak with the following steps:

  1. Sign in to your Keycloak administration console.

  2. Click Clients and select your SAML client.

  3. For the IDP Initiated SSO URL Name enter the Access Server SP Identity.

  4. Enter one of the following into IDP initiated SSO Relay State:

    1. cws: This directs your users to the Client Web UI after sign-in.

    2. profile: This directs your users to a profile download after sign-in.

  5. Click Save.

  6. Copy the Target IDP Initiated SSO URL (this displays below the IDP Initiated SSO URL Name after you populate the field) and provide it to users for signing in.

Optional: Map SAML group access control

You can automate group assignments for access control rules using a post-authentication Python script.

Refer to the steps in this tutorial:

In this section: