Tutorial: How to Configure SAML with Keycloak
This is a step-by-step guide for configuring SAML on Access Server with Keycloak.
Overview
Access Server 2.11 and newer supports authentication using SAML with Keycloak as the identity provider. You can configure this in Keycloak with Access Server as your service provider.
The following steps walk you through enabling SAML authentication for users and groups from Keycloak to Access Server.
You need the following to get started:
A deployed Keycloak server.
A deployed Access Server.
Important
We recommend using all lowercase usernames when signing in with SAML.
With Keycloak, you must create a client application to serve as your SAML resource server.
Now that you have your SP information (the SP Identity and SP ACS values from Access Server), you can create a new Keycloak client and enter that information during client creation:
Sign in to your Keycloak administration console.
Click Clients > Create.
Enter your SP information as follows:
Client ID: Enter the SP Identity from Access Server.
Client Protocol: Choose saml.
Client SAML Endpoint: Enter the SP ACS from Access Server.
Click Save.
After saving, make the following changes in the Settings:
Set Client Signature Required to OFF.
Select the Name ID Format that matches your Access Server usernames.
Enter your Access Server address, with an * appended, as the Valid Redirect URIs, and click the + sign. (For example, enter https://164.234.23.23/*.)
Click Save.
Click the Client Scopes tab.
Click role_list under Assigned Default Client Scopes and click Remove selected.
You’ve added the SAML client for your Keycloak server.
The simplest way to set up Keycloak SAML for Access Server is to provide metadata. You can copy a metadata URL or download an XML file.
Option 1: Copy the Keycloak metadata URL
Sign in to your Keycloak administration console.
Under Realm Settings, on the General tab, click SAML 2.0 Identity Provider Metadata under Endpoints.
Copy the URL of the newly opened tab.
Option 2: Download the Keycloak metadata XML
Sign in to your Keycloak administration console.
Click Clients and select your SAML client.
Click Installation.
Select Mod Auth Mellon files from the Format Option dropdown.
Click Download.
Now that you have the metadata, you can provide that to your Access Server through the Admin Web UI to automatically configure SAML.
If you copied the URL, follow the steps below to paste it into the SAML page for Access Server. If you downloaded the XML file, follow the steps below to upload it to the SAML page for Access Server.
Option 1: Paste the Keycloak metadata URL in the Admin Web UI
Sign in to your Access Server Admin Web UI.
Click Authentication > SAML.
Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.
Paste the metadata URL from Keycloak into the IdP Metadata URL field, click Get, and click Update Running Server.
The IdP fields are now populated under Configure Identity Provider (IdP) Manually.
Option 2: Upload the Keycloak metadata XML in the Admin Web UI
Sign in to your Access Server Admin Web UI.
Click Authentication > SAML.
Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.
In the field Select IdP Metadata, click Choose File to upload the XML file you downloaded from Keycloak, then click Upload and Update Running Server.
The IdP fields are now populated under Configure Identity Provider (IdP) Manually:
IdP EntityId.
Sign On Endpoint.
Certificate (PEM format).
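As an added example (not part of the Access Server documentation or the Keycloak project), the following Python script pulls those same three values out of Keycloak's IdP metadata XML, so you can confirm what the automatic import will populate or fill the manual fields yourself if the import fails. The metadata embedded below is a constructed sample in the shape of the realm descriptor, with a placeholder certificate; the hostname keycloak.example.com and the realm name vpn are assumptions.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")

def parse_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    # Keycloak's realm descriptor URL returns an EntityDescriptor at the root; tolerate a wrapper element.
    ent = root if root.tag.endswith("}EntityDescriptor") else root.find("md:EntityDescriptor", NS)
    idp = ent.find("md:IDPSSODescriptor", NS) if ent is not None else None
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata (SP metadata, perhaps?)")
    # Sign-on endpoint: prefer HTTP-Redirect, then HTTP-POST; refuse anything not served over TLS.
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    endpoint = next((sso[b] for b in BINDINGS if b in sso), None)
    if not endpoint or not endpoint.startswith("https://"):
        raise ValueError(f"no HTTPS SingleSignOnService endpoint (got {endpoint!r})")
    # Signing key: KeyDescriptor with use="signing", or with no use attribute (valid for both uses).
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if kd.get("use", "signing") == "signing" and node is not None and node.text:
            cert_b64 = "".join(node.text.split())  # metadata often line-wraps the blob
            break
    if cert_b64 is None:
        raise ValueError("no signing certificate: assertion signatures could not be verified")
    base64.b64decode(cert_b64, validate=True)  # fail early on a corrupted blob
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(cert_b64, 64)) + "\n-----END CERTIFICATE-----\n"
    return {"entity_id": ent.get("entityID"), "sign_on_endpoint": endpoint, "certificate_pem": pem}

# Constructed sample; the certificate is a base64 placeholder, not real DER.
_FAKE_DER = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://keycloak.example.com/realms/vpn">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}">
      <ds:X509Data><ds:X509Certificate>{_FAKE_DER}</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{BINDINGS[1]}" Location="https://keycloak.example.com/realms/vpn/protocol/saml"/>
    <md:SingleSignOnService Binding="{BINDINGS[0]}" Location="https://keycloak.example.com/realms/vpn/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

To check a live descriptor, fetch the metadata URL from Option 1 over HTTPS and pass the response body to parse_idp_metadata instead of the sample.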
You can configure an IdP-initiated flow for signing into Access Server from Keycloak with the following steps:
Sign in to your Keycloak administration console.
Click Clients and select your SAML client.
For the IDP Initiated SSO URL Name, enter the Access Server SP Identity.
Enter one of the following into IDP initiated SSO Relay State:
cws: This directs your users to the Client Web UI after sign-in.
profile: This directs your users to a profile download after sign-in.
Click Save.
Copy the Target IDP Initiated SSO URL (this displays below the IDP Initiated SSO URL Name after you populate the field) and provide it to users for signing in.