SAML Authentication for Keycloak

SAML (Security Assertion Markup Language) is a standard protocol used for Single Sign-On (SSO). With SAML, users authenticate to a service (the Service Provider, or SP) using credentials held by a central Identity Provider (IdP). Centralising authentication at the IdP keeps user credentials out of the individual services and gives users a single login across multiple platforms.

FirstWave products act as the Service Provider (SP). For details about your Identity Provider, contact your IdP administrator.


See OMK Authentication Methods

When SAML Authentication is configured, the login page will have a SAML button:


To set up SAML Authentication in FirstWave products

Go to Administration dashboard, Modules => Administration => Settings => Authentication.



Change one of the Authentication Methods (Auth Method 1, Auth Method 2 or Auth Method 3) to SAML using the dropdown, then click the Configure saml link as highlighted below.

Note that when you configure SAML as an Authentication Method, you should retain a backup method of authentication, such as htpasswd, until you have tested your SAML configuration successfully; otherwise a misconfigured IdP or SP can lock you out of the administration dashboard.


In the Configure saml dialog, add in the parameters for your SAML configuration.



SAML parameters

Key: Single Sign-On (SSO) URL
Description: IdP SSO URL
Example: https://cloak.opmantek.net/realms/my_realm/protocol/saml/clients/omk-2
Comment: The SSO URL is used by the SP to initiate the authentication process. It points to the IdP's SAML endpoint, where the SP sends its authentication request (AuthnRequest) XML document.

Key: Metadata URL
Description: IdP Metadata URL
Example: https://cloak.opmantek.net/realms/my_realm/protocol/saml/descriptor
Comment: The Metadata URL provides the essential information about the IdP that the SP needs, including endpoints, signing certificates and other settings required for SAML authentication.

Key: Username Attribute
Description: IdP username attribute which corresponds to the NMIS user
Example: Username
Comment: (optional) The SAML IdP attribute to be mapped to the NMIS username. When set, the SAML Response from the IdP must contain a saml:Attribute with this name whose value is the NMIS username. If the NMIS username is carried in the saml:NameID element instead, leave this parameter empty.

Key: Login Label
Description: SAML button label on the FirstWave login page
Example: Keycloak SAML
Comment: (optional) You can choose how the SAML login button on the FirstWave login screen is labelled, e.g. "Login with Keycloak SAML". The default is "SAML".

Key: Auth SameSite Cookie
Description: Cookie SameSite configuration
Example: Lax
Comment: The SameSite attribute of the session cookie controls whether the browser sends it along with cross-site requests. This has to be set to Lax for SAML: the user returns from the IdP to the FirstWave ACS URL in a cross-site navigation, and with Strict the browser withholds the cookie on that return, so the login cannot complete.
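The following is an added example, not code from FirstWave, OMK or Keycloak, showing what the Metadata URL and Username Attribute settings above mean in practice: it reads the IdP's entityID and SSO endpoints from a metadata document, then resolves the login name from a SAML Response either from a named saml:Attribute or, when no attribute is configured, from saml:NameID. The metadata, the Response, the realm URL, the "Username" attribute and the user values are all constructed for this example.

```python
# Added illustration (not FirstWave/OMK or Keycloak code): how a SAML SP reads
# the IdP metadata described above and resolves the login name from the IdP's
# SAML Response, following the NameID / Username Attribute rule in the table.
# All XML below is constructed for this example; the Keycloak realm URL,
# attribute names and user values are hypothetical.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata, shaped like a Keycloak realm SAML descriptor.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cloak.opmantek.net/realms/my_realm">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cloak.opmantek.net/realms/my_realm/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://cloak.opmantek.net/realms/my_realm/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAML Response: NameID carries an opaque persistent identifier,
# while the login name the SP wants is in a saml:Attribute named "Username".
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://cloak.opmantek.net/realms/my_realm</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://cloak.opmantek.net/realms/my_realm</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-1234-5678</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def idp_endpoints(metadata_xml):
    """Return (entityID, {binding: SSO location}) from IdP metadata.

    The entityID is what the SP later expects as saml:Issuer; the SSO
    location for the binding in use is where the AuthnRequest is sent.
    """
    root = ET.fromstring(metadata_xml)
    sso = {}
    for svc in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        sso[svc.get("Binding")] = svc.get("Location")
    return root.get("entityID"), sso


def resolve_username(response_xml, expected_issuer, username_attribute=None):
    """Pick the NMIS login name out of a SAML Response.

    Mirrors the 'Username Attribute' setting: when an attribute name is given
    the matching saml:Attribute must exist, otherwise saml:NameID is used.
    NOTE: a real SP must verify the XML signature (with the IdP signing
    certificate from its metadata) and the Conditions/Audience before any of
    these values are trusted; that step is deliberately out of scope here.
    """
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report a successful authentication")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in the response")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        raise ValueError(f"assertion issued by {issuer!r}, expected {expected_issuer!r}")

    if username_attribute:
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == username_attribute:
                value = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
                if value:
                    return value
        raise ValueError(f"attribute {username_attribute!r} missing from the assertion")

    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("no saml:NameID in the assertion")
    return name_id


if __name__ == "__main__":
    entity_id, sso = idp_endpoints(IDP_METADATA)
    print("AuthnRequest goes to:", sso[HTTP_POST])
    # Username Attribute = "Username" gives the login name; left empty, the
    # SP falls back to the NameID value, which here is not an NMIS username.
    print(resolve_username(SAML_RESPONSE, entity_id, "Username"))
    print(resolve_username(SAML_RESPONSE, entity_id))
```

The point of the fallback is the one the table makes: if Keycloak sends an opaque NameID (as in the constructed response) the SP will create or look up a user by that identifier rather than by name, so set Username Attribute to the attribute that actually carries the NMIS username, and leave it empty only when NameID already is that username.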


Press Update and Save the configuration.

Restart OMK Daemon

For the configuration changes to take effect, open a console on the server and, as a user with sudo privileges, run: sudo /usr/local/omk/bin/checkomkdaemons.sh restart

SAML Metadata

The Assertion Consumer Service URL (ACS URL) and the other Service Provider values are shown under Help => SAML Metadata.


The SAML Metadata page shows the values for the parameters that need to be configured on the Identity Provider so that it can send assertions to the FirstWave Service Provider.


See Also

https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf