Single Sign-on for Keycloak

Overview

Keycloak is an open-source identity and access management solution that integrates with cloud, on-premises, and mobile applications. This setup connects Keycloak as the Identity Provider to Security Journey’s SSO service as the Service Provider. 

Configure Keycloak as the Identity Provider (IdP)

Step 1: Select Your Realm and Go to Clients

1. Open your Keycloak Admin Console

2. Select the realm you want to use

3. From the left navigation, select Clients

Step 2: Create a New Client/Application

Create a new client and configure the following settings:

• Client ID: urn:amazon:cognito:sp:us-east-1_CHi5tsM8X

• Name: Security Journey

• Description: Security Journey

• Enabled: ON

• Consent Required: OFF

• Client Protocol: saml

• Include AuthnStatement: ON

• Include OneTimeUse Condition: OFF

• Force Artifact Binding: OFF

• Sign Documents: ON

• Optimize REDIRECT signing key lookup: OFF

• Sign Assertions: ON

• Signature Algorithm: RSA_SHA256

• SAML Signature Key Name: NONE

• Canonicalization Method: EXCLUSIVE

• Encrypt Assertions: OFF

• Client Signature Required: OFF

• Force POST Binding: ON

• Front Channel Logout: OFF

• Force Name ID Format: ON

• Name ID Format: Email

• Root URL: https://auth.hackedu.com/saml2/idpresponse

• Valid Redirect URIs: https://my.securityjourney.com/* 

After entering these values, click Save.

Upload the Metadata File to Security Journey

Step 3: Export Metadata from Keycloak

1. In your Keycloak client, go to the Installation tab

2. Choose the SAML Metadata IDPSSODescriptor format option

3. Download the exported metadata.xml 

Step 4: Upload Metadata in Security Journey

Upload your metadata file in Security Journey by navigating to:

Admin → Settings

Additional Resources

Additional instructions can be found in KeyCloak's Documentation.