| Next revision | Previous revision |
| en:2.0:single_sign_on:saml_keycloak [2025/05/11 00:55] – created kainhofer | en:2.0:single_sign_on:saml_keycloak [2025/05/11 02:15] (current) – [Multiple SSO providers for the same account] kainhofer |
|---|
| {{ :en:2.0:sso:sso_saml_keycloak_04d_config_admidio_mapping.png?direct&400 |}} | {{ :en:2.0:sso:sso_saml_keycloak_04d_config_admidio_mapping.png?direct&400 |}} |
| |
| However, as there is no specification of the meaning of particular SAML attributes, Keycloak by default does map those fields to its user's profile data. One can, however, set up attribute mappers in Keycloak to use certain SAML attributes and assign them to the user's profile. | Unfortunately, there is no specification of the meaning of particular SAML attributes, so Keycloak by default does map those fields to its user's profile data. One can set up attribute mappers in Keycloak to use SAML attributes and assign them to the user's profile. |
| Go to the "Mappers" tab of the SAML provider in Keycloak and add new mappers of type "Attribute Importer". It is a good idea to choose "Force", which will always use the attribute value from Admidio and update the keycloak user on every login. The "Attribute Name" is the SAML attribute, while the "User Attribute Name" is Keycloak's profile field name. | Go to the "Mappers" tab of the SAML provider in Keycloak and add new mappers of type "Attribute Importer". It is a good idea to choose "Force", which will always update the keycloak user with the value from Admidio on every login. The "Attribute Name" is the SAML attribute, while the "User Attribute Name" is Keycloak's profile field name. |
| {{ :en:2.0:sso:sso_saml_keycloak_04c_config_mappers.png?direct&600 |}} | {{ :en:2.0:sso:sso_saml_keycloak_04c_config_mappers.png?direct&600 |}} |
| {{ :en:2.0:sso:sso_saml_keycloak_04e_config_keycloak_fieldmapping.png?direct&400 |}} | {{ :en:2.0:sso:sso_saml_keycloak_04e_config_keycloak_fieldmapping.png?direct&400 |}} |
| After choosing SAML login and loggin in with a user from Admidio, you should be logged in to Keycloak. | After choosing SAML login and loggin in with a user from Admidio, you should be logged in to Keycloak. |
| {{ :en:2.0:sso:sso_saml_keycloak_08_admidio_loginform.png?direct&400 |}} | {{ :en:2.0:sso:sso_saml_keycloak_08_admidio_loginform.png?direct&400 |}} |
| |
| If the account already exists (e.g. because you are in a hybrid setup with multiple identity providers, e.g. SAML and OpenID through Admidio), then Keycloak will ask for permission to add the SAML login to the existing account. The user must additionally log in to the existing account to prevent security issues: | |
| {{ :en:2.0:sso:sso_saml_keycloak_09_login_accountexists.png?direct&400 |}}{{ :en:2.0:sso:sso_saml_keycloak_10_login_link_login.png?direct&400 |}} | |
| |
| Your user should now be logged in and have the proper permissions/roles | Your user should now be logged in and have the proper permissions/roles |
| {{ :en:2.0:sso:sso_oidc_keycloak_10_linkedaccounts.png?direct&600 |}} | {{ :en:2.0:sso:sso_oidc_keycloak_10_linkedaccounts.png?direct&600 |}} |
| |
| | |
| | === Multiple SSO providers for the same account === |
| | If the account already exists (e.g. because you are in a hybrid setup with multiple identity providers, e.g. SAML and OpenID through Admidio), then Keycloak will ask for permission to add the SAML login to the existing account. The user must additionally log in to the existing account to prevent security issues: |
| | |
| | {{:en:2.0:sso:sso_saml_keycloak_09_login_accountexists.png?direct&400|}}{{:en:2.0:sso:sso_saml_keycloak_10_login_link_login.png?direct&400|}} |
| | |
| | {{ :en:2.0:sso:sso_oidc_keycloak_10_linkedaccounts.png?direct&800 |}} |
| |
| |
