Skip to main content

Search

Configuring SAML: Keycloak

How to configure Keycloak as a SAML Identity Provider (IdP) for your Canary Console, including setting up SAML parameters, creating a Keycloak client, assigning user roles, exporting metadata, and testing Single Sign-On (SSO).

Enable Single Sign-On from Keycloak to your Canary Console with these steps.

Step 1: SAML parameters

Log in to your Console, click the green Gear Icon on the top right-hand side of your screen, select Global Settings, and scroll down to the SAML section at the bottom of the page. You will find the info for your Console (pictured below) that you'll need later:

SAML Parameters

Step 2: Keycloak clients configuration

Head over to your Keycloak Administration Console. With your desired realm selected, select Clients and then Create client.

Keycloak Create Client

Within our new client, configure the following fields:

  • Client Type: SAML
  • Client ID: Your unique SP Entity ID URL received from the Canary Console.
  • Name: A friendly name.
  • Always display in Console: On

Click Save when complete.

Client Configuration

Configure the fields below under Access settings:

  • Root URL: Your unique SP Entity ID URL received from the Canary Console.
  • Valid redirect URIs: Your unique ACS (Login URL) received from the Canary Console.
Access Settings

Configure the following fields under SAML capabilities and Signature and Encryption:

  • Name ID format: email
  • Sign documents: Off
  • Sign assertions: On

Click Save when complete.

SAML Capabilities

Head over to the Keys tab and disable the Signing keys config toggle.

Keys Tab

Head over to the Advanced tab and configure the following fields under Fine Grain SAML Endpoint Configuration:

  • Assertion Consumer Service Redirect Binding URL — Your unique ACS (Login URL) received from the Canary Console.
Advanced Tab

Step 3: Assigning users to the Canary Console

Head over to the Roles tab, then select Create role.

Create Role

Enter a friendly Role name, then click Save.

Role Name

Head over to Users pane, select the user you'd like to assign access to, then select the Role mapping tab and click Assign role.

Select User
Assign Role

In the pop-up, search for and check the Canary Console's role created earlier, then select Assign.

Assign Role Pop-up

Step 4: SAML Metadata XML

The Canary Support team will need your Keycloak Metadata file. Head over to the Realm settings pane, select the General tab, right-click on the SAML 2.0 Identity Provider Metadata hyperlink, and select Save Link As...

The downloaded saml_metadata.xml file can now be sent to the Canary Support team here to be added to your Console.

Download Metadata

Step 5: Login Test

You'll know it's working when your Console Login page shows a Login with SSO button:

Login with SSO

Clicking the link will initiate SSO login.

SSO Login
Was this article helpful?
1 out of 1 found this helpful
Return to top