Security Journey

Keycloak is an open source identity and access management technology that integrates with applications in the cloud, on-premises, or on a mobile device. This documentation describes how to configure a single sign-on integration between Keycloak as the Identity Provider (IdP) and the Single Sign-On Service (SSO) for Security Journey as the Service Provider (SP).

All SSO communication takes place over TLS/SSL.

In your Keycloak admin console, select the realm that you want to use.

Create a new client/application. Configure the following:

Client ID: <code>urn:amazon:cognito:sp:us-east-1_CHi5tsM8X</code>

Include OneTimeUse Condition: <code>OFF</code>

Optimize REDIRECT signing key lookup: <code>OFF</code>

Signature Algorithm: <code>RSA_SHA256</code>

SAML Signature Key Name: <code>NONE</code>

Canonicalization Method: <code>EXCLUSIVE</code> 

Client Signature Required: <code>OFF</code>

Root URL: <code> https://auth.hackedu.com/saml2/idpresponse </code>

Valid Redirect URIs: <code> https://app.hackedu.com/* </code>

- Client ID: <code>urn:amazon:cognito:sp:us-east-1_CHi5tsM8X</code>
- Name: Security Journey
- Description: Security Journey
- Enabled: <code>ON</code>
- Consent Required: <code>OFF</code>
- Client Protocol: <code>saml</code>
- Include AuthnStatement: <code>ON</code>
- Include OneTimeUse Condition: <code>OFF</code>
- Force Artifact Binding: <code>OFF</code>
- Sign Documents: <code>ON</code>
- Optimize REDIRECT signing key lookup: <code>OFF</code>
- Sign Assertions: <code>ON</code>
- Signature Algorithm: <code>RSA_SHA256</code>
- SAML Signature Key Name: <code>NONE</code>
- Canonicalization Method: <code>EXCLUSIVE</code> 
- Encrypt Assertions: <code>OFF</code>
- Client Signature Required: <code>OFF</code>
- Force POST Binding: <code>ON</code>
- Front Channel Logout: <code>OFF</code>
- Force Name ID Format: <code>ON</code>
- Name ID Format: <code>Email</code> 
- Root URL: <code> https://auth.hackedu.com/saml2/idpresponse </code>
- Valid Redirect URIs: <code> https://app.hackedu.com/* </code>

Automatically Sync Teams to HackEDU (optional)

If you want to automatically sync Teams from your SSO provider to HackEDU, <a href="https://help.securityjourney.com/en/articles/3117540-automatically-assign-users-to-teams-with-sso" rel="nofollow noopener noreferrer" target="_blank">follow these instructions</a>.

Export a metadata.xml file from your Keycloak client. From the Installation tab, choose the SAML Metadata IDPSSODescriptor format option and download your file.

<a href="https://help.securityjourney.com/en/articles/3117525-how-to-manage-single-sign-on" rel="nofollow noopener noreferrer" target="_blank">You can follow the instructions on this page to upload your Metadata File in the HackEDU Admin Dashboard.</a>

Additional instructions can be found in <a href="https://www.keycloak.org/docs/latest/server_admin/#saml-clients" rel="nofollow noopener noreferrer" target="_blank">KeyCloak's Documentation</a>.

Configuring Keycloak

Configuring Keycloak as IdP

Automatically Sync Teams to HackEDU (optional)

Upload HackEDU Metadata File

Additional Resources