Magento Keycloak SAML SSO (Single Sign-On) | Magento Keycloak SSO | Login using Keycloak in Magento

In the Magento SSO extension, go to the Application tab of the extension. There are two ways to configure the Magento SSO extension:

A. By uploading IDP metadata:

• Click on Upload IDP metadata button.
• Enter the App Name
• You can either upload a metadata file or use a metadata URL and click the Import button.

B. Manual Configuration:

• Copy SAML Entity ID, SAML Login URL and x.509 certificate from Federation Metadata document and paste it in IdP Entity ID or Issuer, Single Sign-on Service URL, x.509 Certificate fields respectively in the plugin.
  

4. Multisite Settings (*Available in the Enterprise versions)

• Find your Keycloak application and click Edit in the Actions menu.

• Click on Store Configuration from the left-hand menu.
• In the Store Configuration, select the website where you want to activate SSO, and check the Enable SSO for this site option.

 Login Settings

• Show SSO Button on Login Page: Displays the SSO button on the selected website’s customer login page.
• Auto-create Users: You have the option to automatically create customer users during the SSO process if they do not already exist. Enabling the corresponding checkbox activates this feature.
• Auto Redirect Feature: Automatically redirects users to the IDP login page, either from the Magento login page or from any page on the website.

• Go to customer login page and you will see the SSO button on your frontend. Click on the button and test the SSO.

• You will be sucessfully logged in into Magento.

5. Admin SSO

• Enable SSO for Admins: Displays the SSO button on the Admin login Page.
• Admin SSO Button Text: Sets the label displayed on the SSO button on the admin login page (e.g., Login via Keycloak).
• Auto-create Admin Users: Automatically creates admin user in Magento when they log in via SSO for the first time.
• Auto-Redirect from Admin: Automatically redirects admin users to the IDP login page from the admin login page.
• Backdoor URL: A backdoor URL allows you to log in to your Admin dashboard using default Admin credentials in case you get locked out.

• Visit your admin login page and you will see the SSO button on your admin page. Click on the button to initate SSO as an admin.

• After sucessfully logged into magento as admin you will be redirect to magento backend dashboard.

6. Headless SSO Settings (*Available in the premium versions)

• Enable for Customers: This option allows you to activate Headless SSO for customers.
• Customer SSO URL: This URL is used to initiate customer SSO from headless applications. Append this SSO URL within your headless application.
  • Example Format:
    https://<your-magento-domain>/mosso/actions/SendSSORequest?relayState={Store_URL}/headless_store_url/{Headless_URL}&app_name=Keycloak
  • {Store_URL}: Enter your Magento store URL.
  • {Headless_URL}: Enter the URL of your headless application where the customer token should be sent.
  • After successful SSO, a customer token is sent to the headless URL.
    For example: {Headless_URL}?customer_token=...
• Customer Token Expiry: You can set the expiration time (in minutes) for the customer token.
• Whitelist Frontend URLs: Here, you can add URLs that are allowed to receive the customer token. The customer token will only be sent to the URL(s) that are whitelisted here.

• Enable for Admins: Similar to customers, this option activates Headless SSO for admins.
• Admin SSO URL: This URL initiates admin SSO from headless applications.
• Admin Token Expiry: Set the expiration time (in minutes) for the admin token.
• Whitelist Frontend URLs: Admin tokens are only sent to the whitelisted URLs here. You must ensure that any URL receiving an admin token is listed.

7. Attribute / Custom Mapping(Optional). *This is Premium feature.

 Customer Attribute Mapping

• Go to the Attribute Mapping section to configure Customer Attribute Mapping.
• Enable Customer Attribute Mapping and select the Update Customer Attributes checkbox.

• You will see fields like UserName, Email, First Name, and Last Name under Admin Attributes Mapping.
• Map these fields by selecting the appropriate options from the dropdown.
• If you need to add more attributes, click the + Add Customer Attributes button and select the appropriate attribute from the dropdown.

Username:	Name of the username attribute from IdP (Keep NameID by default)
Email:	Name of the email attribute from IdP (Keep NameID by default)
Group/Role:	Name of the Role attribute from Identity Provider (IdP)

 Customer Address Mapping

• In the Customer Attribute section, enable Address Attribute Mapping and select the checkbox to update Customer Address attributes.

• You will see fields such as Street Address, Zip Code, City, State, and others under Customer Address Mapping.
• Map these fields by selecting the appropriate options from the dropdown.
• If you need to add additional attributes, click the + Add Address Attributes button and choose the appropriate attribute from the dropdown.

 Admin Attribute Mapping

• In the Admin Attribute Mapping section, enable Admin Attribute Mapping and select the checkbox to update Admin attribute.

• You will see fields like Email, First Name, and Last Name under Admin Attributes Mapping.
• Map these fields by selecting the appropriate options from the dropdown.
• If you need to add more attributes, click the + Add Admin Attributes button and select the appropriate attribute from the dropdown.

8. Group/Role Mapping (Optional). *This is Premium feature.

• Magento uses a concept of Roles, designed to give the site owner the ability to control what users can and cannot do within the site. Role mapping helps you to assign specific roles to users of a certain group in your Identity Provider.
• Select the attribute from your identity provider that contains GROUP/ROLE information for both admin and customer users from the dropdown.

 Customer Group Mapping

• In the Customer Group Mapping settings, the store admin can define which Magento customer group should be assigned based on the group information received from the Identity Provider (IdP) during Single Sign-On (SSO).
• Enable the “Update frontend group on SSO” checkbox if you want Magento to update customer group each time a user logs in via SSO.
• Use the Default Group dropdown to select the Magento Groups that should be assigned to a user when no group information is returned by the Identity Provider or when the received group does not match any configured mapping.

• Enter the Identity Provider group values against the corresponding Magento customer groups as required.
• Users belonging to a specific group in the Identity Provider will be automatically assigned the mapped Magento group during SSO.
• Example: If the group value from the Identity Provider is mapped to the General group in Magento, any user with that group in the IdP will be assigned the General customer group upon SSO.

 Admin Role Mapping

• Enable the “Update Backend roles on SSO” checkbox if you want Magento to update Admin roles each time a user logs in via SSO.
• Use the Default Role dropdown to select the Magento role that should be assigned to a user when no role/group information is returned by the Identity Provider or when the received role/group does not match any configured mapping.

• Enter the Identity Provider group values against the corresponding Magento Admin roles as required.
• Users belonging to a specific group in the Identity Provider will be automatically assigned the mapped Magento group during SSO.
• Example: If the group value from the Identity Provider is mapped to the General group in Magento, any user with that group in the IdP will be assigned the General Admin roles upon SSO.

Additional Resources

• What is Single Sign-On (SSO) Login?
• What is SAML? How SAML SSO works?
• Magento SAML Single Sign On (SSO) Extension.

Get in Touch

Please reach out to us at magentosupport@xecurify.com, and our team will assist you with setting up the Magento SSO Extension. Our team will help you to select the best suitable solution/plan as per your requirement.