Follow the Step-by-Step Guide given below for Bitbucket Single Sign On (SSO) using Jboss Keycloak as IdP

STEP 1: Configuring Jboss Keycloak as IdP

• In your Keycloak admin console, select the realm that you want to use.
• From left menu, select Clients.
• Create a new client/application. Configure the following:
  
  

  Client ID	The SP-EntityID / Issuer from the step 1 of the plugin under Configure IDP tab.
  Name	Provide a name for this client (Eg. Bitbucket)
  Description	Provide a description (Eg. Bitbucket site)
  Enabled	ON
  Client Protocol	SAML
  Include AuthnStatement	ON
  Sign Documents	ON
  Sign Assertions	ON
  Signature Algorithm	RSA_SHA256
  Canonicalization Method	EXCLUSIVE
  Force Name ID Format	ON
  Name ID Format	Email
  Root URL	The ACS (Assertion Consumer Service) URL from the step 1 of the plugin under Configure IDP tab.
  Valid Redirect URIs	The ACS (Assertion Consumer Service) URL from the step 1 of the plugin under configure IDP tab.

  
  
• Under Fine Grain SAML Endpoint Configuration, configure the following:
  
  

  Assertion Consumer Service POST Binding URL	The ACS (Assertion Consumer Service) URL from the step 1 of the plugin under Configure IDP tab.
  Logout Service Redirect Binding URL	The Single Logout URL from the step 1 of the plugin under Configure IDP tab.

• Click on Save.

STEP 2: Configuring Bitbucket as SP

• Go to, http://<YOUR_DOMAIN>>/auth/realms/{YOUR_REALM}/protocol/saml/descriptor. This will open an XML in the browser.
• In miniOrange SAML plugin, go to Configure SP Tab. Enter the following values:
  
  

  IDP Entity ID:	Search for entityID. Enter it's value in this textbox.
  Single Sign On URL:	Search for SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect". Enter the Location value in the textbox.
  Single Logout URL:	Search for: SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST". Enter the Location value in the textbox.
  X.509 Certificate:	Enter the X509Certificate tag value in this textbox.

  
  
  
• In miniOrange SAML plugin, go to Attribute Mapping tab. Enter the following values:
  
  

  Username:	Name of the username attribute from IDP (Keep Username as NameID by default)
  Email:	Name of the email attribute from IDP (Keep Email as NameID by default)
  FirstName:	Name of the firstname attribute from IDP
  LastName:	Name of the lastname attribute from IDP




• Go to Group Mapping tab. Enter the following values:

Group Mapping

Name of the Group attribute from IDP

• You can check the Test Configuration Results to get a better idea of which values to map here.
• Under the Group Mapping Section, configure which GROUP value coming in the SAML response needs to be mapped to which group. The Group value coming in the SAML response will be mapped to the Group assigned here and the user will be assigned that group.



• Go to Sign In Settings tab. Enable auto-redirect to IDP using Disable Bitbucket login option.

For further details refer :
" https://github.com/camunda/camunda-sso-jboss"
" https://muhammadkhojaye.blogspot.in/2017/02/securing-applications-single-sign-on.html "