Keycloak SAML v2.0 identity brokering configuration and testing using jans-Tarp

Michael Schwartz edited this page Oct 17, 2023 · 8 revisions

Keycloak SAML v2.0 identity brokering

Guide to setting up Keycloak as a SAML v2.0 identity broker for logins to a Gluu Server.

You can also refer to the SAML v2.0 Identity Providers section of the Keycloak Server Administration Guide.

Software Requirements

  • Keycloak Server:
  • SAML IDP: Gluu 4 Shibboleth IDP in our example.
  • Jans-Tarp Extension

Step 1: Save Gluu SAML IDP metadata file

  1. Navigate the browser to https://<gluu.server>/idp/shibboleth
  2. Export and save the Gluu SAML IDP metadata file. This will be required in Step 4 to set up the Keycloak SAML Identity Provider.

Step 2: Keycloak Server installation and setup

  1. Download and extract the Keycloak server from the Keycloak site.
  2. Start the Keycloak server. Refer to Keycloak Getting started (https://www.keycloak.org/getting-started/getting-started-zip).
  3. Create an admin user.

Step 3: Create new Realm

  1. Log in as admin.
  2. Create a new Realm. Refer to the Create a realm section (https://www.keycloak.org/getting-started/getting-started-zip).

Step 4: Create Keycloak SAML Identity Provider

  1. Log in as admin.

  2. Select the newly created Realm.

  3. Click Identity providers in the left pane.

  4. Click on SAML v2.0.

  5. Enter the details. Note that the Alias value is the value later passed as kc_idp_hint to redirect the login to the appropriate IDP.

  6. Export and save the Keycloak SAML 2.0 Service Provider Metadata. This will be required in Step 6 to set up the Gluu SAML Trust Relationship.

  7. Set Use entity descriptor to Off.

  8. Import config from file: upload the Gluu SAML IDP metadata file saved in Step 1.

  9. Manually update the Service provider entity ID. Example: https://<gluu.server>/idp/shibboleth

  10. Save the details.

Step 5: Create a KC Client (if using Tarp, this step can be skipped)

  1. Log in as admin.

  2. Create an OpenID Connect Client and save the Client.

  3. Set the Access Type to Confidential.

  4. Set the Root URL and Valid redirect URI of the IDP. Example: https://<gluu.server>/identity

Step 6: Trust Relationship in Gluu SAML

  1. Log in to the Gluu admin tool.

  2. Create a SAML Trust relationship.

  3. Set Entity Type to Single SP.

  4. Set Metadata Location to File.

  5. Upload the Keycloak SAML 2.0 Service Provider Metadata that was saved in Step 4.

  6. Save Trust Relationship.

Step 7: Create Gluu users

  1. Log in to the Gluu admin tool.
  2. Click on Manage People and then Add User.

Step 8: Keycloak settings for testing

  1. Log in to the KC admin console.
  2. Go to Clients --> Client registration --> Client details --> Trusted Hosts and set Trusted Hosts to the required value.
  3. Go to Client scopes and create an OpenID scope with the Optional assigned type.

Step 9: Testing using Tarp

  1. Install Tarp; check the details here.
  2. Open the Tarp extension.
  3. Enter the URL of the Keycloak OpenID configuration. Example: http:///realms/keycloak-external-broker/.well-known/openid-configuration
  4. Click Register.
  5. The registered Client details are displayed. Enter Additional Params to hint to Keycloak which IDP should be triggered. Example: {"kc_idp_hint":"gluu-saml-idp-1"}
  6. Click "Trigger Auth Code Flow".
  7. This should redirect to the IDP login page.
  8. Enter the user details and log in.
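As an added example (not code from this wiki or from the jans-tarp project), the following Python builds the authorization request that "Trigger Auth Code Flow" in Step 9 sends, merging the Additional Params JSON so that kc_idp_hint selects the SAML broker alias from Step 4, and then validates the redirect back from Keycloak. The Keycloak host, client id and redirect URI are placeholders, and the discovery document is a constructed stand-in for the realm's real .well-known/openid-configuration.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the realm's discovery document; Tarp fetches the real
# one from /realms/<realm>/.well-known/openid-configuration. Host is a placeholder.
DISCOVERY = {
    "authorization_endpoint": "https://keycloak.example/realms/"
                              "keycloak-external-broker/protocol/openid-connect/auth",
}
# Core OAuth parameters that an "Additional Params" entry must never override.
RESERVED = {"client_id", "redirect_uri", "response_type", "scope", "state",
            "nonce", "code_challenge", "code_challenge_method"}


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) as defined in RFC 7636."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_auth_request(discovery, client_id, redirect_uri, additional_params_json):
    """Build the authorize URL. additional_params_json is the Tarp Additional
    Params field, e.g. '{"kc_idp_hint":"gluu-saml-idp-1"}'. Returns (url, state, verifier)."""
    extra = json.loads(additional_params_json or "{}")
    clash = RESERVED & set(extra)
    if clash:
        raise ValueError(f"additional params may not override {sorted(clash)}")
    state = secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": "openid", "state": state,
              "nonce": secrets.token_urlsafe(16), "code_challenge": challenge,
              "code_challenge_method": "S256", **extra}
    return f"{discovery['authorization_endpoint']}?{urlencode(params)}", state, verifier


def parse_callback(callback_url, expected_state):
    """Validate the redirect back from Keycloak: the state must match the
    request before the code is accepted, and an error response is surfaced."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]
```

Opening the returned URL in a browser should land on the Gluu IDP login page, since Keycloak reads kc_idp_hint and skips its own login form.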