Introduction
Enable Single Sign-On from Keycloak to your Canary Console with these steps.
Step 1: SAML parameters
Log in to your Console, click the green gear icon at the top right-hand side of your screen, select "Global Settings" and scroll down to the SAML section at the bottom of the page. There you will find the SAML parameters for your Console (pictured below) that you'll need in the following steps:
Step 2: Keycloak clients configuration
Head over to your Keycloak Administration Console.
With your desired realm selected, select Clients and then Create client.
Within the new client, configure the following fields:
Client Type - SAML
Client ID - Your unique SP Entity ID URL received from the Canary Console.
Name - A friendly name.
Always display in console - On
Go ahead and click on Save when complete.
Configure the following fields under Access settings:
Root URL - Your unique SP Entity ID URL received from the Canary Console.
Valid redirect URIs - Your unique ACS (Login URL) received from the Canary Console.
Configure the following fields under SAML capabilities and Signature and Encryption:
Name ID format - email
Sign documents - Off
Sign assertions - On
Go ahead and click Save when complete.
Head over to the Keys tab.
Disable the Signing keys config toggle.
Head over to the Advanced tab.
Configure the following field under Fine Grain SAML Endpoint Configuration:
Assertion Consumer Service Redirect Binding URL - Your unique ACS (Login URL) received from the Canary Console.
Step 3: Assigning users to the Canary Console
Head over to the Roles tab, then select Create role.
Enter a friendly Role name, then click Save.
Head over to the Users pane, then select the user you'd like to grant access to.
Select the Role mapping tab, then select Assign role.
In the pop-up window, choose Filter by clients and check the Canary Console role created earlier.
Select Assign to move on to the next steps.
Step 4: SAML Metadata XML
The Canary Support team will need your Keycloak Metadata file.
Head over to the Realm settings pane.
Select the General tab.
Right-click the SAML 2.0 Identity Provider Metadata hyperlink and select Save Link As...
The downloaded saml_metadata.xml file can now be sent to the Canary Support team at support@canary.tools, to be added to your Console.
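As an added example (not part of this guide or of Keycloak), a small Python check you can run on the downloaded metadata before sending it: it confirms the file advertises a signing certificate (needed because Step 2 turns on "Sign assertions"), the email Name ID format, and HTTPS single sign-on endpoints. The embedded metadata is a constructed sample with a placeholder realm, host and certificate, not real Keycloak output.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML Signature namespaces.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample in the shape of a realm descriptor (placeholder values only).
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="https://idp.example.test/realms/canary">
  <md:EntityDescriptor entityID="https://idp.example.test/realms/canary">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.test/realms/canary/protocol/saml"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.test/realms/canary/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def check_idp_metadata(xml_text: str) -> dict:
    """Extract the fields the SP side relies on and list anything that looks wrong."""
    root = ET.fromstring(xml_text)
    # The realm descriptor wraps EntityDescriptor in EntitiesDescriptor; accept either as root.
    entity = root if root.tag.endswith("}EntityDescriptor") else root.find("md:EntityDescriptor", NS)
    idp = entity.find("md:IDPSSODescriptor", NS)
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS)]
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # absent 'use' means the key serves both purposes
            continue
        certs += [c.text.strip() for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    problems = []
    if not certs:
        problems.append("no signing certificate: signed assertions could not be verified")
    if EMAIL_FMT not in formats:
        problems.append("email NameIDFormat not advertised (Step 2 sets Name ID format to email)")
    if POST not in sso and REDIRECT not in sso:
        problems.append("no SingleSignOnService endpoint found")
    problems += [f"non-HTTPS SSO endpoint: {loc}" for loc in sso.values() if not loc.startswith("https://")]
    return {"entity_id": entity.get("entityID"), "sso": sso, "name_id_formats": formats,
            "signing_certs": len(certs), "problems": problems}
```

Point it at the real file with `check_idp_metadata(open("saml_metadata.xml").read())` and confirm `problems` is empty before sending the file on.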
Step 5: Login Test
You'll know it's working when you see your Console Login page show a "Login with SSO" button:
Clicking the button will initiate the SSO login.