Keycloak saml sso docs #50819
## Step 1/3. Configure Keycloak

### Create a SAML Client
1. Select the Realm to be used for your SAML integration, Click **Clients** in the menu.
Should this be:
1. To select the realm to be used for your SAML integration, click **Clients** in the menu.
...or:
1. Select the realm to be used for your SAML integration. Click **Clients** in the menu.
and the client will sign their saml requests and responses. The signature will be validated.
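Review bot: "saml" should be capitalized as "SAML", and "their" should be "its" since the subject is the single client; the line also begins with "and", so check that it reads as one sentence with the line it continues. Suggested: "and the client will sign its SAML requests and responses. The signature will be validated." Stating which side validates the signature would also make the sentence more useful to the reader.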
### Create Private Keys for Signing

### Create Private Keys for Signing
### Create private keys for signing
(!docs/pages/includes/sso/loginerrortroubleshooting.mdx!)

Keycloak auth connector - Signature Validation Incompatibility
Keycloak auth connector - Signature Validation Incompatibility
### Signature validation incompatibility
To add heading syntax and shorten the heading
![Import certificate](../../../../img/sso/keycloak/invalid_requester.png)

**Keycloak server logs:**
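Review bot: the alt text "Import certificate" does not match the image file name invalid_requester.png; if the screenshot shows the invalid requester error, give it alt text that describes that (for example "Invalid requester error"), since the alt text is what screen readers announce and what appears if the image fails to load.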
Is this a separate heading? If so, I would use the `### <HEADING>` syntax. Otherwise, I would use a sentence to transition from the preceding text.
![Edit client scope](../../../../img/sso/keycloak/attribute_mapping.png)

This enables using the username inside Teleport roles as the <nobr>`{{external.username}}`</nobr> property.
I installed a fresh Keycloak 26.0.7, and stepped through the guide. Teleport expected the SAML IDP to sign its assertions. I had to explicitly enable that in "Client details -> Settings -> Signature and Encryption -> Sign assertions". Note that this is separate from the section titled "Client Certificate Signature validation (Optional)"
Without that toggle enabled, I got the following in my Teleport Audit Log:
SSO user login failed [received response with incorrect or missing attribute statements, please check the identity provider configuration to make sure that mappings for claims/attribute statements are set up correctly. <See: https://goteleport.com/docs/admin-guides/access-controls/sso/>, failed to retrieve SAML assertion info from response: error validating response: response and/or assertions must be signed.]
Thanks Jeff! A little different behaviour on my Keycloak server 25.0.1, as it works without enabling "Sign assertions".
Although I wonder if the reason for that is the below, based on the additional information for Sign assertion?
Should assertions inside SAML documents be signed? This setting is not needed if document is already being signed.
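The "response and/or assertions must be signed" failure discussed in this thread, as an added example that is not part of the PR or the Teleport docs: a small check that reports whether a SAML Response is signed at the document level (Keycloak "Sign documents"), at the assertion level (Keycloak "Sign assertions"), or neither. The sample response is constructed; it only reports the presence of `ds:Signature` elements and does not verify them.

```python
"""Report which parts of a SAML Response carry an XML Signature element.

Presence only: verifying the signature against the IdP certificate
is a separate step this helper does not perform.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signature_coverage(response_xml: str) -> dict:
    """'response': the samlp:Response itself has a ds:Signature child
    (Keycloak "Sign documents"); 'assertions': every saml:Assertion has
    its own ds:Signature (Keycloak "Sign assertions"); 'acceptable':
    at least one of the two holds, which is what the Teleport error
    "response and/or assertions must be signed" demands."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response document")
    response_signed = root.find("ds:Signature", NS) is not None
    assertions = root.findall("saml:Assertion", NS)
    assertions_signed = bool(assertions) and all(
        a.find("ds:Signature", NS) is not None for a in assertions
    )
    return {
        "response": response_signed,
        "assertions": assertions_signed,
        "acceptable": response_signed or assertions_signed,
    }


# Constructed sample (not a real capture): neither the Response nor the
# Assertion is signed, the shape behind the audit-log error quoted above.
UNSIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example/realms/demo</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""

# Same document after enabling "Sign assertions" (signature element stubbed).
ASSERTION_SIGNED = UNSIGNED.replace(
    "</saml:Issuer>",
    '</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>',
    1,
)
```

Run `signature_coverage` on a captured response when Teleport logs this error to see which of the two Keycloak toggles is missing.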
## Step 2/3. Create a SAML connector

Now, create a SAML connector resource using `tctl`.
Keycloak includes an explicit leading `/` in the group name. This should read `--attributes-to-roles groups,/devops,dev`. It would also be appropriate to call more attention to the `/`, or how to find out what your group names actually are in Keycloak. A screenshot of the keycloak users/groups screen could also be handy, but I don't think our other SSO guides go to that level of detail.
Co-authored-by: Paul Gottschling <[email protected]>
Closes #14490
This guide covers how to configure Keycloak SAML SSO setup with Teleport.