Keycloak SSO Setup

This article outlines how to set up SSO with Keycloak

Written by Rachel Yonan

Configuring Keycloak

Keycloak is an open source identity and access management technology that integrates with applications in the cloud, on-premises, or on a mobile device. This documentation describes how to configure a single sign-on integration between Keycloak as the Identity Provider (IdP) and the Single Sign-On Service (SSO) for Security Journey as the Service Provider (SP).

All SSO traffic between the browser, Keycloak and the Service Provider travels over TLS (HTTPS), so both the Keycloak endpoints and the Service Provider endpoints must be served over https.

Configuring Keycloak as IdP

In your Keycloak admin console, select the realm that you want to use.

From the left menu, select Clients.

Create a new client/application. Configure the following:

  • Client ID: urn:amazon:cognito:sp:us-east-1_CHi5tsM8X

  • Name: Security Journey

  • Description: Security Journey

  • Enabled: ON

  • Consent Required: OFF

  • Client Protocol: saml

  • Include AuthnStatement: ON

  • Include OneTimeUse Condition: OFF

  • Force Artifact Binding: OFF

  • Sign Documents: ON

  • Optimize REDIRECT signing key lookup: OFF

  • Sign Assertions: ON

  • Signature Algorithm: RSA_SHA256

  • SAML Signature Key Name: NONE

  • Canonicalization Method: EXCLUSIVE 

  • Encrypt Assertions: OFF

  • Client Signature Required: OFF

  • Force POST Binding: ON

  • Front Channel Logout: OFF

  • Force Name ID Format: ON

  • Name ID Format: Email 

  • Root URL: (leave empty)

  • Valid Redirect URIs: * (the wildcard accepts any Assertion Consumer Service URL that a sign-on request names; pinning the Service Provider's ACS URL here is stricter)

Click on Save.

Screenshot of these settings:
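The same client as a JSON representation, together with a check that an exported client matches the list above. This is an added example, not Security Journey's or Keycloak's own code: the attribute keys are the ones Keycloak writes in its client export JSON, the hostname sp.example.invalid is a placeholder, and the wildcard-redirect finding is a hardening note that goes beyond the list above.

```python
"""Build and audit a Keycloak SAML client representation for the settings
listed above. Added example: not Security Journey's or Keycloak's own code.
The attribute keys are those Keycloak uses in its client export JSON."""
import json

# Checklist values keyed by Keycloak's export attribute names
# (admin-console label in the comment).
EXPECTED_ATTRIBUTES = {
    "saml.authnstatement": "true",                 # Include AuthnStatement
    "saml.onetimeuse.condition": "false",          # Include OneTimeUse Condition
    "saml.artifact.binding": "false",              # Force Artifact Binding
    "saml.server.signature": "true",               # Sign Documents
    "saml.server.signature.keyinfo.ext": "false",  # Optimize REDIRECT signing key lookup
    "saml.assertion.signature": "true",            # Sign Assertions
    "saml.signature.algorithm": "RSA_SHA256",      # Signature Algorithm
    "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "NONE",  # SAML Signature Key Name
    "saml_signature_canonicalization_method":
        "http://www.w3.org/2001/10/xml-exc-c14n#",  # Canonicalization Method: EXCLUSIVE
    "saml.encrypt": "false",                       # Encrypt Assertions
    "saml.client.signature": "false",              # Client Signature Required
    "saml.force.post.binding": "true",             # Force POST Binding
    "saml_force_name_id_format": "true",           # Force Name ID Format
    "saml_name_id_format": "email",                # Name ID Format: Email
}

EXPECTED_FIELDS = {
    "clientId": "urn:amazon:cognito:sp:us-east-1_CHi5tsM8X",
    "protocol": "saml",
    "enabled": True,
    "consentRequired": False,
    "frontchannelLogout": False,
}


def build_client(redirect_uris=("*",)):
    """Client representation matching the checklist. Import it through the
    admin console's client import or with
    `kcadm.sh create clients -r <realm> -f client.json`.
    The default redirect URI list is the page's wildcard."""
    return {
        **EXPECTED_FIELDS,
        "name": "Security Journey",
        "description": "Security Journey",
        "rootUrl": "",
        "redirectUris": list(redirect_uris),
        "attributes": dict(EXPECTED_ATTRIBUTES),
    }


def audit_client(client):
    """Compare an exported client against the checklist. Returns a list of
    findings; an empty list means every setting matches."""
    findings = []
    for key, want in EXPECTED_FIELDS.items():
        if client.get(key) != want:
            findings.append(f"{key}: expected {want!r}, got {client.get(key)!r}")
    attrs = client.get("attributes", {})
    for key, want in EXPECTED_ATTRIBUTES.items():
        if attrs.get(key) != want:
            findings.append(f"attributes.{key}: expected {want!r}, got {attrs.get(key)!r}")
    # Hardening note beyond the checklist: Client Signature Required is OFF, so
    # AuthnRequests are unsigned, and a '*' here lets any
    # AssertionConsumerServiceURL named in such a request receive the signed
    # assertion. Pin the SP's ACS URL instead.
    if "*" in client.get("redirectUris", []):
        findings.append("redirectUris: '*' accepts any ACS URL; pin the SP's ACS URL")
    return findings


def audit_export(text):
    """Audit a client exported as JSON (admin console export or kcadm get)."""
    return audit_client(json.loads(text))


# Constructed sample export: the checklist, except assertions unsigned and
# SHA-1 signatures; sp.example.invalid is a placeholder ACS host.
WEAK_EXPORT = json.dumps({
    **build_client(("https://sp.example.invalid/saml2/idpresponse",)),
    "attributes": {**EXPECTED_ATTRIBUTES,
                   "saml.assertion.signature": "false",
                   "saml.signature.algorithm": "RSA_SHA1"},
})

if __name__ == "__main__":
    print(json.dumps(build_client(), indent=2))
    for finding in audit_export(WEAK_EXPORT):
        print("FINDING:", finding)
```

Running the file prints the importable client JSON and then the two findings for the weakened sample; pointing audit_export at a real export (kcadm.sh get clients/<id> -r <realm>) tells you which settings drifted from the list above.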

Automatically Sync Teams to HackEDU (optional)

If you want to automatically sync Teams from your SSO provider to HackEDU, follow these instructions.

Upload HackEDU Metadata File

Export the IdP metadata from Keycloak. In the older admin console, open the client's Installation tab, choose the SAML Metadata IDPSSODescriptor format option and download the file. The same IdP metadata is served directly by the realm at https://<keycloak-host>/realms/<realm>/protocol/saml/descriptor (older Keycloak versions put /auth in front of /realms); download it from there if your console has no Installation tab.
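Before uploading the exported file, it is worth checking that it really is an IdP descriptor with a signing certificate and an https HTTP-POST sign-on endpoint (the client forces POST binding, and the Service Provider verifies Keycloak's signatures with that certificate). The check below is an added example, not part of the original page or of Keycloak; the embedded metadata and its certificate are constructed placeholders, and keycloak.example.invalid stands in for your server.

```python
"""Sanity-check IdP metadata exported from Keycloak before handing it to the
Service Provider. Added example, not code from the original page or from
Keycloak; the sample metadata below is constructed."""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the file has what the
    SP needs: an IDPSSODescriptor, a usable signing certificate and an https
    HTTP-POST single sign-on endpoint."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    problems = []
    entity_id = root.get("entityID", "")
    if not entity_id.startswith("https://"):
        problems.append(f"entityID {entity_id!r} is not an https URL")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor; this looks like an SP descriptor, not the IdP one")
        return problems
    # Sign Documents / Sign Assertions are ON, so the SP needs this certificate
    # and it must decode to DER (a mangled paste is a common upload failure).
    certs = idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not certs:
        problems.append("no KeyDescriptor use='signing' with an X509Certificate")
    for cert in certs:
        try:
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
        except binascii.Error:
            problems.append("signing certificate is not valid base64")
            continue
        if der[:1] != b"\x30":  # DER SEQUENCE tag
            problems.append("signing certificate does not decode to a DER certificate")
    # Force POST Binding is ON, so the SP will use the HTTP-POST endpoint.
    post = [e for e in idp.findall("md:SingleSignOnService", NS)
            if e.get("Binding") == POST_BINDING]
    if not post:
        problems.append("no SingleSignOnService with HTTP-POST binding")
    elif not post[0].get("Location", "").startswith("https://"):
        problems.append("HTTP-POST SingleSignOnService Location is not https")
    return problems


# Constructed placeholder: a few DER-looking bytes, not a real certificate.
FAKE_CERT = base64.b64encode(b"\x30\x82\x00\x08" + b"\x00" * 8).decode()

# Constructed sample in the shape of Keycloak's realm SAML descriptor;
# keycloak.example.invalid is a placeholder host.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.example.invalid/realms/demo">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST_BINDING}"
        Location="https://keycloak.example.invalid/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.invalid/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    print("\n".join(check_idp_metadata(text)) or "metadata OK")
```

Run it with the path of the downloaded metadata.xml as the only argument; with no argument it checks the constructed sample. A file exported from the wrong place (an SP descriptor, or a descriptor whose certificate was wrapped or truncated) is reported before the Service Provider rejects it.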

Additional Resources

Additional instructions can be found in Keycloak's documentation.
