Guide to Configure JBoss Keycloak with Drupal 8
Step 1: Setup Jboss Keyclock as Identity Provider
- In your Keycloak admin console, select the realm that you want to use.
- Click on the Clients from the left navigation bar.
- Click on create button at the top right corner and enter the following values to create a new client/application.
- Click on Save.
- Configure the following
- Under Fine Grain SAML Endpoint Configuration, configure the following:
- Click on Save.
- Add the following attributes in the Mappers tab.
- Click on Add Built-in and add the following option.
- Click on the Users from the left nav bar.
- Add a new user/view all users.
- Enter the username, valid email address and check on User Enabled.
- Click on Save.
| Client ID | SP-EntityID/Issuer from Service Provider Metadata |
|---|---|
| Client Protocol | SAML |
| Client SAML Endpoint (optional) | The ACS (Assertion Consumer Service) URL from Service Provider Metadata |
| Name | Provide a name for this client (Eg. Drupal 8) |
|---|---|
| Description (optional) | Provide a description |
| Enabled | ON |
| Consent Required | OFF |
| Client Protocol | SAML |
| Include AuthnStatement | ON |
| Sign Documents | ON |
| Optimize Redirect signing key lookup | OFF |
| Sign Assertions | ON |
| Signature Algorithm | RSA_SHA256 |
| Encrypt Assertion | OFF |
| Client Signature Required | OFF |
| Canonicalization Method | EXCLUSIVE |
| Force Name ID Format | ON |
| Name ID Format | |
| Root URL | Leave empty or Base URL of Service Provider |
| Valid Redirect URIs | The ACS (Assertion Consumer Service) URL from Service Provider Metadata |
| Assertion Consumer Service POST Binding UR | The ACS (Assertion Consumer Service) URL from Service Provider Metadata |
|---|---|
| Logout Service Redirect Binding URL | The Single Logout URL from Service Provider Metadata |
Add Mappers
Add User
Step 2: Configuring Drupal as Service Provider (SP)
- Click on the Realm Settings from the left nav bar and open SAML 2.0 Identity Provider Metadata.
OR
Go to, http://<<YOUR_DOMAIN>>/auth/realms/{YOUR_REALM}/protocol/saml/descriptor. These will open an XML in the browser.
- In miniOrange’s Drupal 8 SAML SP plugin, go to Service Provider Setup Tab. Enter the following values:
Identity Provider Name Provide an Identity Provider name (For Example: Keycloak). IdP Entity ID or Issuer Search for the entityID from IDP Metadata. Enter the Value in the Entity ID textbox. SAML Login URL Search for SingleSignOnService Binding ”urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect” from IDP Metadata. Enter the location value in the SAML Login URL textbox. SAML Logout URL (Optional) Search for SingleLogoutService Binding=”urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect” from IDP Metadata. Enter the location value in the SAML Login URL textbox. X.509 Certificate (Optional) Search for the X.509 Certificate from IDP Metadata. Enter the tag value in Certificate textbox. Enable login with SAML Checked Signed SSO and SLO Requests Unchecked - Click on Save Configuration.
- Test the configuration after successful saving.
Step 3: Attribute Mapping. (It is Optional to fill this). This is a Premium feature.
- Attributes are user details that are stored in your Identity Provider.
- Attribute Mapping helps you to get user attributes from your Identity Provider (IdP) and map them to Drupal 8 user attributes like firstname, lastname etc.
- While auto registering the users in your Drupal site these attributes will automatically get mapped to your Drupal 8 user details.
- In miniOrange SAML Module, go to Mapping tab and fill in all the fields.
- You can check the Test Configuration Results under Service Provider Setup tab to get a better idea of which values to map here.
| Username: | Name of the username attribute from IdP (Keep NameID by default) |
|---|---|
| Email: | Name of the email attribute from IdP (Keep NameID by default) |
| Group/Role Key: | Name of the Role attribute from Identity Provider (IdP) |
Step 4: Role Mapping (It is Optional to fill this). This is Premium feature.
- Drupal 8 uses a concept of Roles, designed to give the site owner the ability to control what users can and cannot do within the site.
- Role mapping helps you to assign specific roles to users of a certain group in your Identity Provider (IdP).
- While auto registering, the users are assigned roles based on the group they are mapped to.
Step 5: Sign In Setting. This is Premium feature.
- Go to SIGN IN Settings Tab. There are multiple features available in this tab like Protect your whole site, Auto redirect the user to Identity Provider and Backdoor Login. To use these features, click on the respective checkboxes.
×
![]()
If you are looking for anything which you cannot find, please drop us an email on info@xecurify.com