Follow the step-by-step guide below to set up Bitbucket Single Sign-On (SSO) with JBoss Keycloak as the IdP.
STEP 1: Configuring JBoss Keycloak as IdP
- In your Keycloak admin console, select the realm that you want to use.
- From the left menu, select Clients.
- Create a new client/application and configure the following:
| Field | Value |
| --- | --- |
| Client ID | The SP-EntityID / Issuer from step 1 of the plugin, under the Configure IDP tab. |
| Name | A name for this client (e.g. Bitbucket) |
| Description | A description (e.g. Bitbucket site) |
| Enabled | ON |
| Client Protocol | SAML |
| Include AuthnStatement | ON |
| Sign Documents | ON |
| Sign Assertions | ON |
| Signature Algorithm | RSA_SHA256 |
| Canonicalization Method | EXCLUSIVE |
| Force Name ID Format | ON |
| Name ID Format | Email |
| Root URL | The ACS (Assertion Consumer Service) URL from step 1 of the plugin, under the Configure IDP tab. |
| Valid Redirect URIs | The ACS (Assertion Consumer Service) URL from step 1 of the plugin, under the Configure IDP tab. |

- Under Fine Grain SAML Endpoint Configuration, configure the following:

| Field | Value |
| --- | --- |
| Assertion Consumer Service POST Binding URL | The ACS (Assertion Consumer Service) URL from step 1 of the plugin, under the Configure IDP tab. |
| Logout Service Redirect Binding URL | The Single Logout URL from step 1 of the plugin, under the Configure IDP tab. |
- Click on Save.
STEP 2: Configuring Bitbucket as SP
- Go to http://<YOUR_DOMAIN>/auth/realms/{YOUR_REALM}/protocol/saml/descriptor. This opens the realm's SAML IdP metadata as an XML document in the browser.
- In the miniOrange SAML plugin, go to the Configure SP tab. Enter the following values:

| Field | Value |
| --- | --- |
| IDP Entity ID | Search for entityID. Enter its value in this textbox. |
| Single Sign On URL | Search for SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect". Enter the Location value in the textbox. |
| Single Logout URL | Search for SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST". Enter the Location value in the textbox. |
| X.509 Certificate | Enter the X509Certificate tag value in this textbox. |
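The four values above can be read out of the descriptor programmatically instead of by searching the XML by hand, which also makes it easy to re-check them after a realm key rotation. The following Python is an added example, not code from the miniOrange plugin or from Keycloak; the metadata document it parses is constructed to mirror the shape of Keycloak's descriptor (the hostname `keycloak.example`, realm `bitbucket` and certificate text are placeholders, and the per-binding Locations are deliberately varied so the Binding filter is visible).

```python
"""Pull the Configure SP values out of a Keycloak SAML IdP descriptor.

Added example for this guide. SAMPLE_DESCRIPTOR is constructed; a real one
comes from http(s)://<YOUR_DOMAIN>/auth/realms/{YOUR_REALM}/protocol/saml/descriptor.
"""
import xml.etree.ElementTree as ET  # for untrusted metadata prefer defusedxml

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample. Keycloak advertises several bindings per endpoint (and in
# reality the same Location for each); the paths differ here only so that the
# binding selection below is observable.
SAMPLE_DESCRIPTOR = """<md:EntitiesDescriptor Name="urn:keycloak"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="http://keycloak.example/auth/realms/bitbucket">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo>
          <ds:KeyName>demo-key</ds:KeyName>
          <ds:X509Data>
            <ds:X509Certificate>
MIICPLACEHOLDER
CERTBASE64
            </ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://keycloak.example/auth/realms/bitbucket/protocol/saml/post"/>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="http://keycloak.example/auth/realms/bitbucket/protocol/saml/redirect"/>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://keycloak.example/auth/realms/bitbucket/protocol/saml/post"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="http://keycloak.example/auth/realms/bitbucket/protocol/saml/redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def parse_idp_descriptor(xml_text: str) -> dict:
    """Return the values the Configure SP tab asks for, or raise ValueError."""
    root = ET.fromstring(xml_text)
    # Older Keycloak wraps the descriptor in EntitiesDescriptor, newer returns
    # EntityDescriptor directly; accept both.
    entity = root if root.tag == "{%s}EntityDescriptor" % NS["md"] \
        else root.find("md:EntityDescriptor", NS)
    if entity is None:
        raise ValueError("no EntityDescriptor in metadata")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def endpoint(tag: str, binding: str) -> str:
        # Same endpoint is listed once per binding; pick the one the plugin wants.
        for el in idp.findall("md:%s" % tag, NS):
            if el.get("Binding") == binding:
                return el.get("Location")
        raise ValueError("%s with binding %s not found" % (tag, binding))

    # Signing certificate(s); strip the line breaks Keycloak inserts in the base64.
    certs = [
        "".join((c.text or "").split())
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
        for c in kd.findall(".//ds:X509Certificate", NS)
    ]
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {
        "idp_entity_id": entity.get("entityID"),
        "sso_url": endpoint("SingleSignOnService", HTTP_REDIRECT),
        "slo_url": endpoint("SingleLogoutService", HTTP_POST),
        "x509_certificate": certs[0],
        "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
    }


if __name__ == "__main__":
    for key, value in parse_idp_descriptor(SAMPLE_DESCRIPTOR).items():
        print("%-18s %s" % (key, value))
```

The certificate you paste into the plugin is what it will use to verify every assertion Keycloak sends, so fetch the descriptor over HTTPS from a Keycloak host you trust rather than over plain HTTP. The script keeps only `KeyDescriptor` entries marked `use="signing"` (or unmarked, which SAML metadata treats as usable for both purposes); an encryption-only key would not validate signatures.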

- In the miniOrange SAML plugin, go to the Attribute Mapping tab. Enter the following values:

| Field | Value |
| --- | --- |
| Username | Name of the username attribute from the IdP (keep Username as NameID by default) |
| Email | Name of the email attribute from the IdP (keep Email as NameID by default) |
| FirstName | Name of the firstname attribute from the IdP |
| LastName | Name of the lastname attribute from the IdP |

- Go to the Group Mapping tab. Enter the following values:

| Field | Value |
| --- | --- |
| Group Mapping | Name of the Group attribute from the IdP |

- You can check the Test Configuration results to get a better idea of which values to map here.
- Under the Group Mapping section, configure which group value arriving in the SAML response maps to which Bitbucket group. A group value in the SAML response is translated to the group assigned here, and the user is added to that group.
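To make the two mapping tabs concrete, here is an added Python example (not code from the miniOrange plugin) that applies a username/email/first-name/last-name mapping and a group mapping to the `AttributeStatement` of a SAML assertion. The assertion, the attribute names `firstName`, `lastName` and `Role`, and the group names are all constructed for the example; in the real flow the plugin has already verified the response signature before any of this runs.

```python
"""Attribute and group mapping over a SAML assertion, as the plugin's
Attribute Mapping and Group Mapping tabs describe. Added example; the
assertion and all attribute/group names are constructed placeholders."""
import xml.etree.ElementTree as ET  # for untrusted XML prefer defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion body. Signature verification is the SP plugin's job and
# must happen before anything here is trusted; this code only maps fields.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_demo" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>developers</saml:AttributeValue>
      <saml:AttributeValue>release-managers</saml:AttributeValue>
      <saml:AttributeValue>contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Attribute Mapping tab: which IdP attribute feeds each Bitbucket field.
# "NameID" means "use the subject NameID", the plugin's default for both.
ATTRIBUTE_MAPPING = {
    "username": "NameID",
    "email": "NameID",
    "firstname": "firstName",
    "lastname": "lastName",
}
# Group Mapping tab: the IdP group attribute and the value -> Bitbucket group table.
GROUP_ATTRIBUTE = "Role"
GROUP_MAPPING = {
    "developers": "bitbucket-developers",
    "release-managers": "bitbucket-admins",
}


def extract_attributes(xml_text: str):
    """Return (NameID, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def map_user(xml_text: str):
    """Apply both mapping tables; returns (profile, groups, unmapped_groups)."""
    name_id, attrs = extract_attributes(xml_text)

    def pick(source: str):
        if source == "NameID":
            return name_id
        values = attrs.get(source, [])
        return values[0] if values else None

    profile = {field: pick(src) for field, src in ATTRIBUTE_MAPPING.items()}
    if not profile["username"]:
        # Without a username nothing can be matched to a Bitbucket account.
        raise ValueError("assertion carries no usable username")

    incoming = attrs.get(GROUP_ATTRIBUTE, [])
    # Deny by default: only values listed in GROUP_MAPPING grant a group;
    # anything else is reported so an admin can decide whether to map it.
    groups = sorted({GROUP_MAPPING[g] for g in incoming if g in GROUP_MAPPING})
    unmapped = sorted(set(incoming) - set(GROUP_MAPPING))
    return profile, groups, unmapped


if __name__ == "__main__":
    profile, groups, unmapped = map_user(SAMPLE_ASSERTION)
    print("profile:", profile)
    print("groups assigned:", groups)
    print("IdP groups with no mapping:", unmapped)
```

Running it against the sample shows `alice@example.com` landing in `bitbucket-developers` and `bitbucket-admins`, while `contractors` is reported as unmapped rather than silently turned into a group. That deny-by-default shape is the property to keep when you fill in the Group Mapping tab: an IdP-side group that nobody mapped should never confer Bitbucket access.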

- Go to the Sign In Settings tab. Enable auto-redirect to the IdP using the Disable Bitbucket login option.

For further details refer to:
- https://github.com/camunda/camunda-sso-jboss
- https://muhammadkhojaye.blogspot.in/2017/02/securing-applications-single-sign-on.html