Drupal Keycloak SSO | SAML SSO Into Drupal Using Keycloak

Drupal Keycloak SSO setup allows your users to log in to your Drupal site using their JBoss Keycloak credentials. The Drupal SAML module enables SAML Single Sign-On for Drupal and is compatible with all SAML Identity Providers. This guide configures SAML SSO between Drupal as the Service Provider and Keycloak as the Identity Provider. By the end of this guide, users from Keycloak should be able to log in to the Drupal site.

If you have any doubts or queries, you can contact us at drupalsupport@xecurify.com. We will help you to configure the module.

Step 1: Set up JBoss Keycloak as Identity Provider

  • In your Keycloak admin console, select the realm that you want to use.
  • Click on Clients in the left navigation bar.
  • Click on the Create button at the top right corner and enter the following values to create a new client/application:
    Client ID: SP-EntityID/Issuer from Service Provider Metadata
    Client Protocol: SAML
    Client SAML Endpoint (optional): The ACS (Assertion Consumer Service) URL from Service Provider Metadata
  • Click on Save.
  • Configure the following:
    Name: Provide a name for this client (e.g. Drupal 8)
    Description (optional): Provide a description
    Enabled: ON
    Consent Required: OFF
    Client Protocol: SAML
    Include AuthnStatement: ON
    Sign Documents: ON
    Optimize Redirect signing key lookup: OFF
    Sign Assertions: ON
    Signature Algorithm: RSA_SHA256
    Encrypt Assertion: OFF
    Client Signature Required: OFF
    Canonicalization Method: EXCLUSIVE
    Force Name ID Format: ON
    Name ID Format: Email
    Root URL: Leave empty or Base URL of Service Provider
    Valid Redirect URIs: The ACS (Assertion Consumer Service) URL from Service Provider Metadata
  • Under Fine Grain SAML Endpoint Configuration, configure the following:
    Assertion Consumer Service POST Binding URL: The ACS (Assertion Consumer Service) URL from Service Provider Metadata
    Logout Service Redirect Binding URL: The Single Logout URL from Service Provider Metadata
  • Click on Save.

     Add Mappers

    • Add the following attributes in the Mappers tab.
    • Click on Add Built-in and add the following option.

     Add User

    • Click on the Users from the left nav bar.
    • Add a new user/view all users.
    • Enter the username, valid email address and check on User Enabled.
    • Click on Save.

Step 2: Configuring Drupal as Service Provider (SP)

  • Click on Realm Settings in the left nav bar and open SAML 2.0 Identity Provider Metadata.

    Go to http://<<YOUR_DOMAIN>>/auth/realms/{YOUR_REALM}/protocol/saml/descriptor. This will open an XML document in the browser.
  • In miniOrange’s Drupal 8 SAML SP plugin, go to the Service Provider Setup tab. Enter the following values:
    Identity Provider Name: Provide an Identity Provider name (for example: Keycloak).
    IdP Entity ID or Issuer: Search for the entityID in the IdP Metadata. Enter the value in the Entity ID textbox.
    SAML Login URL: Search for SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" in the IdP Metadata. Enter the Location value in the SAML Login URL textbox.
    SAML Logout URL (Optional): Search for SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" in the IdP Metadata. Enter the Location value in the SAML Logout URL textbox.
    X.509 Certificate (Optional): Search for the X.509 Certificate in the IdP Metadata. Enter the tag value in the Certificate textbox.
    Enable login with SAML: Checked
    Signed SSO and SLO Requests: Unchecked
  • Click on Save Configuration.
  • Test the configuration after successful saving.
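
The values Step 2 asks you to search for in the IdP Metadata can be read out programmatically. The Python below is an added example, not part of the miniOrange module or of the original guide: it extracts the entity ID, the HTTP-Redirect login and logout URLs and the signing certificate, and additionally computes a SHA-256 fingerprint of the certificate and lists endpoints that are not HTTPS. The function name idp_settings, the host idp.example.test and the realm demo are assumptions, and the certificate bytes are a constructed placeholder.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: host, realm and certificate bytes are placeholders.
CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/auth/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}"
        Location="https://idp.example.test/auth/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/auth/realms/demo/protocol/saml-post"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="http://idp.example.test/auth/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def idp_settings(metadata_xml):
    """Extract the Step 2 form values from an IdP metadata descriptor."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD declarations do not belong in SAML metadata")
    root = ET.fromstring(metadata_xml)
    entity = next(root.iter(f"{{{MD}}}EntityDescriptor"), None)
    idp = next(root.iter(f"{{{MD}}}IDPSSODescriptor"), None)
    if entity is None or idp is None:
        raise ValueError("not an IdP metadata descriptor")

    def redirect(tag):  # Location of the HTTP-Redirect endpoint, if any
        return next((e.get("Location") for e in idp.findall(f"md:{tag}", NS)
                     if e.get("Binding") == REDIRECT), None)
    cert = next(("".join(n.text.split())
                 for k in idp.findall("md:KeyDescriptor", NS)
                 if k.get("use") in (None, "signing")
                 for n in k.iterfind(".//ds:X509Certificate", NS) if n.text), None)
    urls = {"login_url": redirect("SingleSignOnService"),
            "logout_url": redirect("SingleLogoutService")}
    # Fingerprint of the decoded bytes, for comparison with the IdP's certificate out of band.
    digest = hashlib.sha256(base64.b64decode(cert)).hexdigest() if cert else None
    return {"entity_id": entity.get("entityID"), **urls,
            "x509_certificate": cert, "cert_sha256": digest,
            "not_https": sorted(k for k, v in urls.items()
                                if v and not v.startswith("https://"))}
```

Without a certificate in the X.509 Certificate field the Service Provider has no key to check the IdP's signature against, so the fingerprint is worth comparing before saving the configuration.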

Step 3: Attribute Mapping (optional). This is a Premium feature.

  • Attributes are user details that are stored in your Identity Provider.
  • Attribute Mapping helps you to get user attributes from your Identity Provider (IdP) and map them to Drupal 8 user attributes like firstname, lastname etc.
  • While auto-registering users in your Drupal site, these attributes are automatically mapped to your Drupal 8 user details.
  • In the miniOrange SAML Module, go to the Mapping tab and fill in all the fields:
    Username: Name of the username attribute from IdP (Keep NameID by default)
    Email: Name of the email attribute from IdP (Keep NameID by default)
    Group/Role Key: Name of the Role attribute from Identity Provider (IdP)
  • You can check the Test Configuration Results under Service Provider Setup tab to get a better idea of which values to map here.

Step 4: Role Mapping (optional). This is a Premium feature.

  • Drupal 8 uses a concept of Roles, designed to give the site owner the ability to control what users can and cannot do within the site.
  • Role mapping helps you to assign specific roles to users of a certain group in your Identity Provider (IdP).
  • While auto registering, the users are assigned roles based on the group they are mapped to.

Step 5: Sign In Settings. This is a Premium feature.

  • Go to SIGN IN Settings Tab. There are multiple features available in this tab like Protect your whole site, Auto redirect the user to Identity Provider and Backdoor Login. To use these features, click on the respective checkboxes.

If you are looking for anything which you cannot find, please drop us an email on info@xecurify.com
