SAML | Configure KeyCloak as IDP

Setting up KeyCloak

  1. Download KeyCloak from the official website (v25 was used here).
  2. Open conf/keycloak.conf and set the hostname.
  3. Run sh kc.sh start-dev
  4. Create a user and log in at http://localhost:8080

Setting up the IDP:

  1. To enable logging, go to Realm Settings → Events → User Events Settings and turn them on.
  2. Download the metadata from SDP, go to Clients → Import client and drop this XML file there.
  3. Turn off Client signature required, click Import, then choose the NameID format and click Save.
  4. Go to Client scopes and remove the default role_list (it emits multiple "role" attributes, which causes error code 37).
  5. Choose the scope for your app, ME_xxxx, and while adding a new mapper click User Attribute Mapper For NameID.
  6. Configure the NameID format and the value, cross-checking the attribute name under Realm settings → User profile.
  7. For additional attributes, choose User Property, give a display name and the SAML Attribute Name (to be entered in SDP).
  8. Signing, if required, can be configured under the Keys section.

Setting up SDP

  1. In KeyCloak, go to Realm Settings → Endpoints → SAML 2.0 Identity Provider Metadata and copy the URL listed for urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect; this is entered in SDP as the Login URL.
  2. Copy the X509Certificate string, paste it over the middle part (the base64 body between the BEGIN and END lines) of a newly downloaded .cer file from SDP, and upload that file to SDP.
  3. In SDP, choose the Name ID format and algorithm that you saw in KeyCloak.
  4. For additional attributes, enter the SAML Attribute Name that you copied earlier.
  5. KeyCloak expects the redirect binding, so run the following query and restart SDP:
update samlidp set binding='Redirect';
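As an added example (not part of this article, nor code from SDP or KeyCloak), a Python script that pulls the two values steps 1 and 2 copy by hand out of the SAML 2.0 Identity Provider Metadata: the HTTP-Redirect SSO URL and the signing X509Certificate, wrapped as the PEM body a .cer file carries, with a check that the string really decodes to DER. The embedded descriptor is constructed for the example and its certificate body is a placeholder, not a real KeyCloak key.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample descriptor, cut down to what the script reads. The
# X509Certificate body is a placeholder DER SEQUENCE, not a real KeyCloak key.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://localhost:8080/realms/master">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MAMCAQA=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/realms/master/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost:8080/realms/master/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def redirect_sso_url(xml_text):
    """Location of the HTTP-Redirect SingleSignOnService: the value SDP takes as Login URL."""
    root = ET.fromstring(xml_text)
    for svc in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT_BINDING:
            return svc.get("Location")
    raise ValueError("metadata has no HTTP-Redirect SingleSignOnService")


def signing_cert_pem(xml_text):
    """Wrap the signing X509Certificate in PEM armour, the layout of the .cer file SDP uploads."""
    root = ET.fromstring(xml_text)
    certs = root.findall(".//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if len(certs) != 1:
        raise ValueError(f"expected one signing certificate, found {len(certs)}")
    der = base64.b64decode("".join(certs[0].text.split()), validate=True)
    if der[:1] != b"\x30":  # every DER certificate starts with an ASN.1 SEQUENCE tag
        raise ValueError("X509Certificate text does not decode to DER")
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    print(redirect_sso_url(SAMPLE_METADATA))
    print(signing_cert_pem(SAMPLE_METADATA), end="")
```

Point it at the real descriptor by reading the Realm Settings → Endpoints URL into xml_text; the PEM it returns is the full content of the .cer file step 2 builds by hand.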
