Drupal Keycloak SSO | SAML SSO Into Drupal Using Keycloak

Download Module

Drupal Keycloak SSO setup will allow your user to log in to your Drupal site using their Jboss Keycloak Credentials. The Drupal SAML module gives the ability to enable SAML Single Sign-On for Drupal. This module is compatible with all the SAML Identity Providers. Here, we will go through a guide to configure SAML SSO between Drupal as Service Provider and Keycloak as Identity Provider. By the end of this guide, users from Keycloak should be able to login into the Drupal site.

If you have any doubts or queries, you can contact us at drupalsupport@xecurify.com. We will help you to configure the module.

Step 1: Setup Jboss Keycloak as Identity Provider

In your Keycloak admin console, select the realm that you want to use.

Click on the Clients from the left navigation bar.
Click on create button at the top right corner and enter the following values to create a new client/application.

Client ID	SP-EntityID/Issuer from Service Provider Metadata
Client Protocol	SAML
Client SAML Endpoint (optional)	The ACS (Assertion Consumer Service) URL from Service Provider Metadata

Click on Save.
Configure the following

Name	Provide a name for this client (Eg. Drupal 8)
Description (optional)	Provide a description
Enabled	ON
Consent Required	OFF
Client Protocol	SAML
Include AuthnStatement	ON
Sign Documents	ON
Optimize Redirect signing key lookup	OFF
Sign Assertions	ON
Signature Algorithm	RSA_SHA256
Encrypt Assertion	OFF
Client Signature Required	OFF
Canonicalization Method	EXCLUSIVE
Force Name ID Format	ON
Name ID Format	Email
Root URL	Leave empty or Base URL of Service Provider
Valid Redirect URIs	The ACS (Assertion Consumer Service) URL from Service Provider Metadata

Under Fine Grain SAML Endpoint Configuration, configure the following:

Assertion Consumer Service POST Binding UR	The ACS (Assertion Consumer Service) URL from Service Provider Metadata
Logout Service Redirect Binding URL	The Single Logout URL from Service Provider Metadata

Click on Save.

Add Mappers

Add the following attributes in the Mappers tab.
Click on Add Built-in and add the following option.

Add User

Click on the Users from the left nav bar.
Add a new user/view all users.

Enter the username, valid email address and check on User Enabled.

Click on Save.

Step 2: Configuring Drupal as Service Provider (SP)

Click on the Realm Settings from the left nav bar and open SAML 2.0 Identity Provider Metadata.

OR

Go to, http://<<YOUR_DOMAIN>>/auth/realms/{YOUR_REALM}/protocol/saml/descriptor. These will open an XML in the browser.

In miniOrange’s Drupal 8 SAML SP plugin, go to Service Provider Setup Tab. Enter the following values:

Identity Provider Name	Provide an Identity Provider name (For Example: Keycloak).
IdP Entity ID or Issuer	Search for the entityID from IDP Metadata. Enter the Value in the Entity ID textbox.
SAML Login URL	Search for SingleSignOnService Binding ”urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect” from IDP Metadata. Enter the location value in the SAML Login URL textbox.
SAML Logout URL (Optional)	Search for SingleLogoutService Binding=”urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect” from IDP Metadata. Enter the location value in the SAML Login URL textbox.
X.509 Certificate (Optional)	Search for the X.509 Certificate from IDP Metadata. Enter the tag value in Certificate textbox.
Enable login with SAML	Checked
Signed SSO and SLO Requests	Unchecked

Click on Save Configuration.
Test the configuration after successful saving.

Step 3: Attribute Mapping. (It is Optional to fill this). This is a Premium feature.

Attributes are user details that are stored in your Identity Provider.
Attribute Mapping helps you to get user attributes from your Identity Provider (IdP) and map them to Drupal 8 user attributes like firstname, lastname etc.
While auto registering the users in your Drupal site these attributes will automatically get mapped to your Drupal 8 user details.
In miniOrange SAML Module, go to Mapping tab and fill in all the fields.

Username:	Name of the username attribute from IdP (Keep NameID by default)
Email:	Name of the email attribute from IdP (Keep NameID by default)
Group/Role Key:	Name of the Role attribute from Identity Provider (IdP)

You can check the Test Configuration Results under Service Provider Setup tab to get a better idea of which values to map here.

Step 4: Role Mapping (It is Optional to fill this). This is Premium feature.

Drupal 8 uses a concept of Roles, designed to give the site owner the ability to control what users can and cannot do within the site.
Role mapping helps you to assign specific roles to users of a certain group in your Identity Provider (IdP).
While auto registering, the users are assigned roles based on the group they are mapped to.

Step 5: Sign In Setting. This is Premium feature.

Go to SIGN IN Settings Tab. There are multiple features available in this tab like Protect your whole site, Auto redirect the user to Identity Provider and Backdoor Login. To use these features, click on the respective checkboxes.

Step 1Setup Jboss Keycloak as Identity Provider
Step 2Configuring Drupal 8 as Service Provider (SP)
Step 3Attribute Mapping
Step 4Role Mapping
Step 5Sign In Setting

Free Trial

If you are looking for anything which you cannot find, please drop us an email on info@xecurify.com

Drupal Keycloak SSO | SAML SSO Into Drupal Using Keycloak

Step 1: Setup Jboss Keycloak as Identity Provider

Step 2: Configuring Drupal as Service Provider (SP)

Step 3: Attribute Mapping. (It is Optional to fill this). This is a Premium feature.

Step 4: Role Mapping (It is Optional to fill this). This is Premium feature.

Step 5: Sign In Setting. This is Premium feature.

Contents

STAY CONNECTED

Product

Solutions

Why miniorange

Company