Setting up Keycloak as SAML IDP
Introduction
By setting up Keycloak as a SAML Identity Provider (IDP), organizations can enable secure Single Sign-On (SSO) across multiple applications, allowing users to authenticate with Keycloak and gain access to various Service Providers (SPs) using the SAML 2.0 protocol. This document outlines the steps to configure Keycloak as a SAML IDP, including the initial setup, SAML-specific configuration, and integration with service providers, with the goal of establishing a reliable and secure authentication process that meets organizational security requirements.
Keycloak Setup
Client Creation
Sign in to your Keycloak account and click Create Client.
Enter a Client ID and Name, for example FirstwaveSAML, as shown below.
Navigate to Access settings and enter the Root URL and redirect URL (the URL of your FirstWave NMIS Suite application).
Click the Advanced tab, enter the ACS URL under Assertion Consumer Service POST Binding URL, and then click Save.
Adding New Users
Click Users, then Add User; provide the details and create the user as shown below.
Navigate to the Attributes tab and then add an attribute with the following details:
Key: Username (with a capital U)
Value: the same Username as the username you created for the user
NOTE: In newer versions of Keycloak, user attributes are defined under Realm Settings > User profile. Create the Username attribute there first, then set its value in the user's details.
Important notes for configuring SAML with FirstWave NMIS Suite
When following the documentation for configuring SAML for FirstWave products, the Metadata URL can be found by going to Realm settings and clicking SAML 2.0 Identity Provider Metadata.
This opens a new tab showing XML data. The URL displayed in your browser's address bar is the one to use as the Metadata URL.
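Before pointing the SP at that Metadata URL, it is worth checking what the document actually advertises. The following is an added example, not part of this documentation or of Keycloak or FirstWave: it parses a constructed sample of the realm metadata with the Python standard library, extracts the entityID, the HTTP-POST SSO endpoint and the signing certificate, and flags anything missing. The host, realm and certificate value in the sample are placeholders; to check a real realm, fetch the Metadata URL over HTTPS and pass the response body to parse_idp_metadata.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like Keycloak realm metadata; host, realm and the
# certificate value are placeholders, not taken from a real deployment.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.example.com/realms/example">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBAQ==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.com/realms/example/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.com/realms/example/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    # Only parse metadata fetched from your own realm over HTTPS; anything else is untrusted input.
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "sso_post_url": None,
            "signing_certs": [], "want_authn_requests_signed": False,
            "problems": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        info["problems"].append("no IDPSSODescriptor: not IdP metadata")
        return info
    info["want_authn_requests_signed"] = idp.get("WantAuthnRequestsSigned") == "true"
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == POST_BINDING:  # the binding the ACS URL setup above relies on
            info["sso_post_url"] = sso.get("Location")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            if der[:1] != b"\x30":  # DER certificates begin with a SEQUENCE tag
                info["problems"].append("signing certificate is not DER")
            info["signing_certs"].append(der)
    if not info["sso_post_url"]:
        info["problems"].append("no HTTP-POST SingleSignOnService endpoint")
    if not info["signing_certs"]:
        info["problems"].append("no signing certificate, assertions cannot be verified")
    return info
```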