Follow the Step-by-Step Guide given below for Bitbucket Single Sign On (SSO) using Jboss Keycloak as IdP
STEP 1: Configuring Jboss Keycloak as IdP
- In your Keycloak admin console, select the realm that you want to use.
- From left menu, select Clients.
- Create a new client/application. Configure the following:
Client ID The SP-EntityID / Issuer from the step 1 of the plugin under Configure IDP tab. Name Provide a name for this client (Eg. Bitbucket) Description Provide a description (Eg. Bitbucket site) Enabled ON Client Protocol SAML Include AuthnStatement ON Sign Documents ON Sign Assertions ON Signature Algorithm RSA_SHA256 Canonicalization Method EXCLUSIVE Force Name ID Format ON Name ID Format Email Root URL The ACS (Assertion Consumer Service) URL from the step 1 of the plugin under Configure IDP tab. Valid Redirect URIs The ACS (Assertion Consumer Service) URL from the step 1 of the plugin under configure IDP tab. 
- Under Fine Grain SAML Endpoint Configuration, configure the following:
Assertion Consumer Service POST Binding URL The ACS (Assertion Consumer Service) URL from the step 1 of the plugin under Configure IDP tab. Logout Service Redirect Binding URL The Single Logout URL from the step 1 of the plugin under Configure IDP tab. - Click on Save.
STEP 2: Configuring Bitbucket as SP
- Go to, http://<YOUR_DOMAIN>>/auth/realms/{YOUR_REALM}/protocol/saml/descriptor. This will open an XML in the browser.
- In miniOrange SAML plugin, go to Configure SP Tab. Enter the following values:
IDP Entity ID: Search for entityID. Enter it's value in this textbox. Single Sign On URL: Search for SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect". Enter the Location value in the textbox. Single Logout URL: Search for: SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST". Enter the Location value in the textbox. X.509 Certificate: Enter the X509Certificate tag value in this textbox. 
- In miniOrange SAML plugin, go to Attribute Mapping tab. Enter the following values:
Username: Name of the username attribute from IDP (Keep Username as NameID by default) Email: Name of the email attribute from IDP (Keep Email as NameID by default) FirstName: Name of the firstname attribute from IDP LastName: Name of the lastname attribute from IDP - Go to Group Mapping tab. Enter the following values:
- You can check the Test Configuration Results to get a better idea of which values to map here.
- Under the Group Mapping Section, configure which GROUP value coming in the SAML response needs to be mapped to which group. The Group value coming in the SAML response will be mapped to the Group assigned here and the user will be assigned that group.
- Go to Sign In Settings tab. Enable auto-redirect to IDP using Disable Bitbucket login option.
| Group Mapping | Name of the Group attribute from IDP |
For further details refer :
" https://github.com/camunda/camunda-sso-jboss"
" https://muhammadkhojaye.blogspot.in/2017/02/securing-applications-single-sign-on.html "