Atlassian Partner, Wellington - EasySSO SAML with Keycloak Signed Requests

Configuration of EasySSO with signed POST requests, using KeyCloak v19 as an IdP

EasySSO Side

Set the IdP Metadata URL, and then click "load certificate"
Click to generate certificate
Set binding types to POST
Set to sign and verify signatures
Save the settings
Open the metadata.xml and save to desktop

KeyCloak Side

KeyCloak Client Scope

In KeyCloak Administration console, navigate to Client Scopes, click the "Create client scope" button
Set the name to EASY_SSO and protocol to SAML
Click save
Select the mappers tab
Configure a new mapper
Select User Property
Configure username user property
1. Name: username
2. Mapper Type: User Property
3. Property: username
4. Friendly Name: username
5. SAML Attribute Name: urn:oid:0.9.2342.19200300.100.1.1
6. Click Save
Configure Email user property
1. Name: email
2. Mapper Type: User Property
3. Property: email
4. Friendly Name: email
5. SAML Attribute Name: urn:oid:0.9.2342.19200300.100.1.3
6. Click Save
Configure first name user property
1. Name: firstName
2. Mapper Type: User Property
3. Property: firstName
4. Friendly Name: firstName
5. SAML Attribute Name: urn:oid:2.5.4.42
6. Click Save
Configure last name user property
1. Name: lastName
2. Mapper Type: User Property
3. Property: lastName
4. Friendly Name: lastName
5. SAML Attribute Name: urn:oid:2.5.4.4
6. Click Save
(Optional) Configure Groups group list property
1. Name: groups
2. Mapper Type: Group list
3. Group attribute name: urn:oid:2.5.4.31
4. Friendly Name: groups
5. Full group path: off
6. Click Save
The final EASY_SSO Client scope should look something like this

KeyCloak Client

In KeyCloak Administration console, navigate to clients, click the "Import client" button
Click browse and upload the metadata.xml file exported from EasySSO earlier
Ensure the Encrypt assertions is turned off, and that client signature required is turned on
Save setting for the imported file
In the client that has just been imported, open Client scopes
Click to add the EASY_SSO client scope configured earlier
On the client configuration general configuration page ensure the following settings
1. Sign documents is enabled
2. Sign assertions is enabled

Configuring Users

For users to successfully log in, they must also have permission to access the application. See EasySSO SAML JIT User Provisioning for more details.

EasySSO articles

EasySSO How to get the logs

NTLM/Kerberos Opt-out via Cookie

Are EasySSO Server Licenses Still Available to Purchase?

EasySSO NTLM FAQ

EasySSO with NTLM/Kererbos configuration

Styling SAML Login button

EasySSO SAML - Single Logout and Session Termination

EasySSO Privacy Policy

EasySSO with X.509 Authentication

EasySSO with SAML

EasySSO User-Agent Filtering

EasySSO SAML Message Signing and Verification

Parsing usernames functionality for SAML

EasySSO with Headers

EasySSO License Agreement

Filtering by Reverse Proxy IP Address

Does EasySSO SAML work with Strict SameSite Session Cookies?

EasySSO not working in Google Chrome

X.509 Authentication

EasySSO SAML with Azure AD

EasySSO with SAML - Configuration

EasySSO SAML with Okta

EasySSO SAML JIT User Provisioning

EasySSO with SAML - Time Skew parameter

EasySSO SAML with Azure AD with Signing, Validation and Encryption

EasySSO SAML with Azure AD

EasySSO SAML with PingOne

EasySSO SAML with ADFS

EasySSO SAML with SimpleSAMLphp

EasySSO SAML with Keycloak

EasySSO SAML with G Suite

Azure AD SAML Groups

User-Agent Filtering

User-Agent Filtering Use Case

Header-based Authentication

Advanced Configuration for EasySSO

Dual Licensing: EasySSO and IOPLEX Jespa

Try for free

EasySSO for Jira, Confluence, Bamboo, Bitbucket and Fisheye/Crucible

Try for free