Keycloak | SAML

1. Display name

Choose a name for your identity provider. This is the user-facing name, so choose a name your users will recognize. This value can be changed later.


2. Select Redirect mode

Select how the user will be redirected to the identity provider. You may configure more redirect modes after completing the setup.

3. Prepare IDP

In this step, we will configure Keycloak to work with Kantega SSO. For this, you will need to copy the Reply URL provided. We will use this when setting up Keycloak.


Configure Keycloak


If you are using SCIM with your provider, make sure to check out the documentation for configuring this before proceeding. It might be that you need to configure this first or at the same time as setting up SAML.

Sign in to the Keycloak admin console.

Select the correct realm (we are using master) and then click Create client.

Select SAML as the Client type and use the Reply URL from the Prepare IDP step in the Kantega SSO wizard. (This URL is also known as the ACS URL, Assertion Consumer Service URL or Destination.)

Click the Next button.

Enter a Valid redirect URI and click Save.

Paste the Reply URL into the following fields:

  • Valid Redirect URIs.

  • Master SAML Processing URL.


In the Keys tab, set Client signature required to Off (Keycloak will then accept authentication requests from the service provider without verifying a signature on them).


Mappers (Just-in-time provisioning)

If you intend to use JIT provisioning to create user accounts the first time users log in, you need to configure Mappers. Mappers make Keycloak include the required SAML Response attributes (email and name). If the users already exist in JIRA (provisioned through LDAP or some other means), you can skip this step.

Open the Client scopes tab and click the upper link, named <client id>-dedicated.

Click the “Add predefined mapper” button, select email, givenName and surname, and click the Add button.



You can also do this manually (if the predefined mappers are not present) by using Add mapper > “By configuration” and selecting User Property in the list:


lastname:


givenname:

email:


The result should show these mappers (prefixed with X500 if you used the predefined mappers):


Mappers (Managed Groups or Auto create groups)

If you intend to use Managed groups (manage your users' group memberships in Keycloak) or Auto create groups, you also need a mapper for group claims. If not, you can skip this step. Open the Client scopes tab and click the dedicated scope link. Add a new Group list mapper:

Create a mapper for Group claims from the identity provider (legacy, pre-5.3):



Go back to the Kantega SSO setup wizard, step 3 Metadata.

4. Metadata

Provide the metadata URL (recommended):

https://<keycloak server>/realms/<realm>/protocol/saml/descriptor

  • Substitute <keycloak server> with the DNS name of your Keycloak server.

  • Substitute the realm identifier <realm> with your realm.

For Keycloak older than version 18.0.0, /auth must be included in the path (this is the default, so remove it if you have a newer Keycloak):

https://<keycloak server>/auth/realms/<realm>/protocol/saml/descriptor

Alternatively, you can download the metadata file to disk and upload it in the KSSO wizard.

5. Redirect URL

The Redirect URL is imported automatically from the metadata.

6. Certificate

This step shows the certificate used to validate the SAML messages.

7. Summary

Check that everything looks good and submit your setup.


Test

Test that logging in with Keycloak works as expected. This will help identify if there are any issues with the configuration. Follow the steps to perform the login test.