Hello there!
Need Help? We are right here!
Need Help? We are right here!
Search Results:
×Configure Keycloak as IDP to Single Sign-On (SSO) into multiple applications using Keycloak as SAML IDP (Identity Provider). In this case miniOrange will act as a identity broker between your app (SP) and Keycloak (IDP) while providing additional features like MFA, Adaptive Authentication, Provisioning, Role Based access, Attribute Filtering, Cross Protocol Support etc. Follow the step-by-step guide below to set up Keycloak as SAML Identity Provider in miniOrange. Once configured successfully you will be ready to securely access your website/application using Keycloak IDP with only one set of credentials.
miniOrange offers free help through a consultation call with our System Engineers to configure SSO for different apps using Keycloak as IDP in your environment with 30-day free trial.
For this, you need to just send us an email at idpsupport@xecurify.com to book a slot and we'll help you in no time.
Mentioned below are steps to configure Keycloak as IDP via SAML and OAuth configuration. Follow the steps accordingly based on your requirement (SAML or OAuth).
| Client Id | EntityID / Issuer |
| Endpoints | ACS Url |
| Client ID | The SP-EntityID / Issuer from the plugin's Service Provider Metadata tab |
| Name | Provide a name for this client |
| Description | Provide a description |
| Client Signature Required | OFF |
| Force POST Binding | OFF |
| Force NameID format | OFF |
| NameID format | |
| Root URL | Leave empty or Provide Base URL from Service Provider Metadata tab |
| Valid Redirect URIs | The ACS (Assertion Consumer Service) URL from the plugin's Service Provider Metadata tab |
| Assertion Consumer Service POST Binding URL | ACS Url |
| Logout Service Redirect Binding URL | Single Logout Url |
NOTE : Disabling Temporary will make user password permanent.
Note: -- If full path is on group path will be fetched else group name will be fetched.
Follow the steps to configure Keycloak as IdP by OAuth configuration.
| IdP Name | Custom Provider |
| IdP Display Name | Choose appropriate Name |
| OAuth Authorize Endpoint | https://{your-base-url}/as/authorization.oauth2 | OAuth Access Token Endpoint | https://{your-base-url}/as/token.oauth2 | OAuth Get User Info Endpoint (optional) | https://{your-base-url}/idp/userinfo.oauth2 |
| Client ID | From step 1 |
| Client secret | From step 1 |
| Scope | auto |
If you have already configured your application in miniOrange you can skip the following steps.
| Service Provider Name | Choose appropriate name according to your choice |
| SP Entity ID or Issuer | Your Application Entity ID |
| ACS URL X.509 Certificate (optional) | Your Application Assertion Consumer Service URL |
| NameID format | Select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Response Signed | Unchecked |
| Assertion Signed | Checked |
| Encrypted Assertion | Unchecked |
| Group policy | Default |
| Login Method | Password |
| Client Name | Add appropriate Name |
| Redirect URL | Get the Redirect-URL from your OAuth Client |
| Description | Add if required |
| Group Name | Default |
| Policy Name | As per your Choice |
| Login Method | Password |
Note: Choose the Authorization Endpoint according to the identity source you configure.
https://{mycompany.domainname.com}/moas/idp/openidssohttps://{mycompany.domainname.com}/broker/login/oauth{customerid}
In case you are setting up SSO with Mobile Applications where you can't create an endpoint for Redirect or Callback URL, use below URL.
https://login.xecurify.com/moas/jwt/mobile
