Skip to main content

Tutorial: Authenticate Using SAML with Keycloak

Abstract

This tutorial shows the steps to authenticate your Users using SAML. You can configure CloudConexa SAML authentication to use Keycloak as the Identity Provider.

Steps: Retrieve certificate value and IdP endpoint from Keycloak

  1. Navigate to Keycloak and sign in with your Administrator account.

    62eac8433bfd4.png
  2. Access Realm Settings > Endpoints and click SAML 2.0 Identity Provider Metadatal.

    62eac84524bf0.png
  3. Copy the IdP X.509 Public Certificate and the IdP Authentication Endpoint URL, which are used later in the CloudConnexa set up process.

Steps: Configure and enable SAML in CloudConnexa

  1. Sign in to the CloudConnexahttps://cloud.openvpn.com/

  2. Access Settings > User Authentication and click Edit.

    saml_with_keycloak.png
  3. Click on Configure in the Authenticate Users Using > SAML section.

    • The SAML Configuration window opens. Click Next.

      saml_config.png
  4. Add your IdP Name (optional), and then select Manual Configuration.

    saml_config2.png
  5. Paste the previously copied IdP Authentication Endpoint URL and the IdP X.509 Public Certificate.

    62eac84b95b1c.png
  6. Click Next, review the displayed information, then click Finish.

    • You now have the option to use SAML to authenticate Users.

      saml_config3.png

Steps: Create a new Keycloak client

  1. Navigate to Keycloak and sign in as an Administrator.

    62eac84fb963c.png
  2. Access Clients and click Create.

  3. Set the Client ID to be the same as the Issuer Name that was displayed in the SAML configuration on the CloudConnexa portal:

    62eac85118508.png
  4. Select SAML as the Client Protocol.

  5. Enter the SSO URL for the Client SAML Endpoint:

    62eac85263f42.png
  6. Click Save.

    • The settings tab displays the default values.

  7. Enable Sign Assertions.

  8. Disable Client Signature Required and Force POST Binding.

  9. Set the Name ID format to email.

  10. Enter this value in Valid Redirect URIs, which allows redirects to the ACS URL:

    62eac853d34d8.png
    • All other values are left as default.

      62eac8555407c.png

Steps: Create a Keycloak User account

  1. Navigate to Keycloak, access Users, and click Add User.

  2. Fill out the form with your data.

    Note

    You can select Email Verified if you use a test email that doesn’t allow verification.

    62eac85890d93.png
  3. Open the Credentials tab and assign a password for the User account, and click Set Password.

    62eac85a1bb6f.png

Steps: Configure attributes and group mapping in Keycloak

  1. Navigate to Keycloak, access Clients, and click on your Client ID.

  2. Click on the Mappers tab, which allows you to create SAML attributes.

    Note

    At the time of publication, CloudConnexa only supports First Name, Last Name, Email, and Groups for mapping attributes.

  3. Click Create, and in Mapper Type select User Property.

  4. Add a separate attribute entry for each of First Name, Last Name, and Email.

    Note

    You must use these defined Property name values in the Property field.

    Attribute

    Property

    Purpose

    Email

    email

    To pass the email value to the service provider.

    First Name

    firstName

    To pass the first name value to the service provider.

    Last Name

    lastName

    To pass the last name value to the service provider.

  5. Set the SAML Attribute Name value to be the same as each corresponding Property name value.

  6. Click Create, and in Mapper Type select Group List to create a Group Mapper.

Note

You must use groups as the defined Group attribute name.

Attribute

Group attribute name

Purpose

Group

groups

To pass the groups value to the service provider.

62eac86100e09.png
62eac8629f97b.png
62eac8644d36a.png

Steps: Configure attribute mapping in CloudConnexa

To finalize your attribute mapping set up, you must ensure that the Property values and SAML Attribute values match the Attribute Mapping values in your SAML Configuration on CloudConnexa.

  1. Access CloudConnexa > Settings > User Authentication > SAML > View Attirbute Mapping to check that those values match :

62eac866528ae.png

Steps: Set up group mapping in CloudConnexa

  1. Access CloudConnexa Settings > User Authentication > SAML > View Group Mapping and click Add Rule.

  2. Enter the name of the group(s) from your identity provider under SAML IdP User Group(s) and then select a group from the CloudConnexa User Groups that you want to map to your IdP group(s).

62eac868e98bc.png

Steps: Sign in to User Portal with Keycloak

  1. Navigate to the CloudConnexa account page at: https://myaccount.openvpn.com/product-select

  2. Click Not an Owner? Sign In Here.

    • CloudConnexa recognizes that your domain uses SAML and displays the Single Sign On prompt.

      62eac85bef1d1.png
  1. Click Sign In.

    • The Keycloak Log In page opens.

  2. Enter the Keycloak test account email and password and click Log In.

    • The CloudConnexa Get Connected page opens with app download and installation instructions.

      62eac85d5587d.png
      62eac85f0aed1.png