DNN SAML Single Sign-On (SSO) with Keycloak as IDP

• After successful license activation, the plugin dashboard will open as shown below.

• In the plugin dashboard, click on the Service Provider Metadata button from the top menu. This will open the Service Provider Metadata page.
• Select the required NameID Format from the dropdown (for example, Email Address or Unspecified) based on your Identity Provider configuration, and click on the Save button to update the settings.
• The NameID Format defines which user identifier (such as email or username) will be sent during the SAML login process.

• Scroll down to the Share SAML Metadata section.

You can obtain the SAML SP metadata using either of the two methods described below to configure it on your Identity Provider end.

A] Using SAML metadata URL or metadata file

• On this page, you can find the Metadata URL as well as the option to download the SAML metadata XML file.
• Copy the Metadata URL or download the metadata file to configure the same on your Identity Provider end.
• You may refer to the screenshot below:

B] Uploading Metadata Manually

• On this page, you can manually copy the service provider metadata such as SP Entity ID, ACS URL, SP Logout Url and share it with your Identity Provider for configuration.
• You may refer to the screenshot below:

Steps to Configure Keycloak IdP

• In your Keycloak Admin console, select the realm that you want to use.
• Click on Clients from the left menu and then click on Create Client button to create a new client/application.

• Select SAML as Client type, Enter SP-EntityID / Issuer as the Client ID from the Service Provider Metadata tab, which you will get from Step 2B, enter Name of your application and enter Description.

• Click on the Next button.
• Provide the details as mentioned below:

Root URL	Leave empty or provide Base URL from Service Provider Metadata tab
Valid Redirect URIs	The ACS (Assertion Consumer Service) URL from the plugin's Service Provider Metadata tab

• Click on Save button.

• In the Settings tab under SAML capabilities section, configure Keycloak by providing the required details:

Force POST Binding	OFF
Force Name ID Format	OFF
Name ID Format	Email

• In the Keys tab, disable the Client signature required toggle.

• Click on the Save button.
• In Advanced tab, under Fine Grain SAML Endpoint Configuration, enter the following details:

Assertion Consumer Service POST Binding URL	The ACS (Assertion Consumer Service) URL from the plugin's Service Provider Metadata tab
Logout Service Redirect Binding URL (Optional)	The Single Logout URL from the plugin's Service Provider Metadata tab

• Click on Save button.

Add Mappers

Download setup file

You have successfully configured Keycloak as SAML IdP (Identity Provider) for achieving Keycloak SSO login into your DNN Site.

• Click on the Add new IDP button to configure a new Identity Provider.

• Under the Plugin Settings tab, select Keycloak as your identity provider from the list shown.

• After selecting your IdP from the list, the Identity Provider Settings page will open. Here, you can either click on the Upload IdP Metadata button to configure the Identity Provider automatically using metadata, or manually enter the required Identity Provider details under the Identity Provider Settings.

There are two ways detailed below with which you can configure your SAML Identity Provider metadata in the plugin.

A] Upload metadata using the Upload IDP Metadata button:

• Click Choose File to upload the metadata XML file using the Upload XML File option, then click Upload. Alternatively, provide the metadata URL in the Enter metadata URL section and click Fetch Metadata to retrieve the Identity Provider configuration automatically.
• You may refer to the screenshot below:

B] Configure the identity provider metadata manually:

• Alternatively, under the Identity Provider Settings tab, you can manually fill in the mandatory fields like IDP Name, IDP Entity ID and Single Sign-On URL and click Save Settings.

• After uploading the metadata details, navigate back to the Dashboard. Hover over the Select Actions dropdown next to the configured Identity Provider and click Test Configuration.

• On successful configuration, you will get attributes name and attribute values in the test configuration window.

Attribute Mapping

• After testing the configuration, Map your application attributes with the Identity Provider (IdP) attributes.

• From the Select Actions dropdown, choose Edit Configuration to open the Attribute Mapping settings.
• Map the required IdP attributes (such as Username, Email, Firstname, and Lastname) received in the SAML Response to their corresponding fields.

• Once the attributes are mapped, click Save to apply changes.

Default Role Mapping

• Navigate to the Default Role Mapping section and select the role you want to assign to users after successful SSO login from the Default Role dropdown.
• Choose the appropriate role (for example, Registered Users, Subscribers, or Administrators) and click on the Save button to apply the changes.

Advance IDP Settings

If you want to configure additional advanced settings, scroll up and click on the Advance IdP Settings button from the top menu.

Custom Attribute Mapping

• If you want to pass additional attributes from your IdP, enter the Attribute Name and corresponding Attribute Value under Custom Attribute Mapping.
• From the Attribute Value dropdown, select one of the attributes received in the Test Configuration results, for example: NameID.
• These attributes correspond to the values sent by your Identity Provider (IdP).

• In the Attribute Name field, enter the name of the DNN user attribute, it will get mapped to IDP attributes value during the SSO login.
• You can add multiple mappings if your application requires multiple attributes by clicking on the + button.
• After defining all the required mappings, click on Save Attribute Mapping to store the configuration.

• The plugin will translate the incoming SAML attributes from your Identity Provider (IdP) into the custom attribute names configured here for your DNN site.

Advance Role Mapping

• In the Advance Role Mapping section , enter the Group Attribute Name exactly as configured in your Identity Provider to fetch the user group information.
• Enter the Role Name received from the Identity Provider and map it to the appropriate Role Vaue field. In the Role Value field, enter the roles defined in your DNN site.
• For example: Map the IdP group Group1 or Group10 received under the UserGroups attribute to the corresponding role configured in your DNN site.
• After adding the required mappings, click on Save Role Mapping to save the configuration successfully.

Domain Restriction

• This feature can be used to restrict user access to the site based on the domain of their mapped “Email“ Attribute.
• In the Email Attribute field, enter the attribute name that contains the user's email address as received from your Identity Provider (IdP).

• In the Domain Name field, enter the domain(s) you want to allow or restrict, separated by commas if adding multiple domains.
• Enable the Restrict toggle based on your requirement to configure blacklist or whitelist access.
• After completing the configuration, click on Save to save the settings successfully.

Redirections After SSO and SLO

• In the Login Redirection section, enter the endpoint URL where users should be redirected after a successful SSO login.
• In the Logout Redirection section, specify the endpoint URL where users should be redirected after a successful logout (SLO), and click Save to update the configuration.

Modify SAML Request

• In the Modify SAML Request section, enter the required Parameter Name and Parameter Value, click the + button to add the parameter, and then click Save to apply the changes.

Additional Settings

• Enable Auto Register User to automatically create a new user account in DNN if the user does not already exist during SSO login.
• Enable Override Email Attribute to update the user’s email address in DNN with the email attribute received from the Identity Provider (IdP).
• Enable Find User By Email to allow the plugin to identify and match existing users in DNN using their email address.
• Enable Multiportal SSO if you want to allow Single Sign-On across multiple DNN portals using the same Identity Provider (IdP), then click Save to update the settings.

• Hover over the Select Actions dropdown next to the configured Identity Provider and click Copy SSO Link.
• Use this SSO link to initiate Single Sign-On (SSO) for users logging into your DNN portal.

• User gets logged in to the DNN site by entering the credentials of Keycloak.