SAML | Configure KeyCloak as IDP
Setting up KeyCloak
- Download KeyCloak from their official website (v25 was used here).
- Open conf/keycloak.conf and enter the hostname.
- Run sh kc.sh start-dev.
- Create a user and login at http://localhost:8080
Setting up the IDP:
- To enable logging, go to Realm Settings → Events → User Events Settings and turn them on.
- Download the metadata XML from SDP, then in KeyCloak go to Clients → Import client and drop this XML file there.
- Turn off Client signature required, click Import, then choose the NameID format and click Save.
- Go to Client scopes and remove the default role_list scope (it emits multiple "role" attributes, which causes error code 37).
- Open the scope for your app (ME_xxxx) and add a new mapper of type User Attribute Mapper For NameID.
- Configure the NameID format and its value, cross-checking the attribute name against Realm settings → User profile.
- For additional attributes, add a User Property mapper, give it a display name and a SAML Attribute Name (this name is entered in SDP later).
- Signing, if required, can be configured under the Keys section.
Setting up SDP
- In KeyCloak, go to Realm Settings → Endpoints → SAML 2.0 Identity Provider Metadata and copy the Location of the SingleSignOnService entry whose Binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect; this is entered in SDP as the Login URL.
- Copy the X509Certificate string from the same metadata, paste it in place of the body (the part between the BEGIN and END CERTIFICATE lines) of a .cer file newly downloaded from SDP, and upload that file to SDP.
- In SDP, choose the same Name ID format and signing algorithm that you configured in KeyCloak.
- For additional attributes, enter the SAML Attribute Name that you copied earlier.
- KeyCloak expects redirect binding, so run the following query and restart SDP:
update samlidp set binding='Redirect';
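As an added helper that is not part of the original article, the Python script below pulls both values the SDP setup above takes from the KeyCloak IdP metadata: the HTTP-Redirect Location used as the Login URL, and the signing X509Certificate string wrapped into a PEM .cer body. The metadata it parses is a constructed sample; the realm name, host and certificate bytes are placeholders.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of a Keycloak IdP metadata document: the realm name,
# host and certificate bytes are placeholders, not values from a real server.
SAMPLE_CERT_B64 = base64.b64encode(b"placeholder-der-bytes" * 8).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://localhost:8080/realms/example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="http://localhost:8080/realms/example/protocol/saml"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
      Location="http://localhost:8080/realms/example/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def find_redirect_sso_url(metadata_xml):
    """Return the SingleSignOnService Location for the HTTP-Redirect binding
    (what SDP takes as Login URL), or None if the IdP does not offer one."""
    root = ET.fromstring(metadata_xml)
    for sso in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if sso.get("Binding") == REDIRECT:
            return sso.get("Location")
    return None

def signing_cert_pem(metadata_xml):
    """Wrap the signing <ds:X509Certificate> string into a PEM .cer body
    (64-character lines between the BEGIN/END CERTIFICATE markers)."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means both
            continue
        b64 = kd.findtext(".//ds:X509Certificate", namespaces=NS)
        if not b64:
            continue
        b64 = "".join(b64.split())  # strip any whitespace in the copied string
        base64.b64decode(b64, validate=True)  # reject a truncated or corrupted paste early
        body = "\n".join(textwrap.wrap(b64, 64))
        return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    raise ValueError("metadata has no signing certificate")
```

Point ET.fromstring at the metadata downloaded from the KeyCloak endpoint instead of SAMPLE_METADATA and write the returned PEM text over the body of the .cer file from SDP.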