SAML Single Sign-On for Prestashop using Keycloak as IDP | Prestashop Keycloak SSO Login

Keycloak Single Sign-On (SSO) login for Prestashop [SAML] can be achieved by using our Prestashop SAML Single Sign-On (SSO) module. Our SSO module is compatible with all SAML-compliant Identity Providers and enables secure Keycloak login into Prestashop sites. This guide walks through configuring Prestashop Keycloak SSO / login with Keycloak as the IDP (Identity Provider) and Prestashop as the SP (Service Provider). To know more about other features we provide in the Prestashop SAML Single Sign-On (SSO) module, you can click here.

Pre-requisites: Download and Installation

To configure Keycloak as SAML IDP with your Prestashop store, you will need to install the Prestashop SAML SP SSO module.

Steps to configure Keycloak Single Sign-On (SSO) Login into Prestashop

1. Setup Keycloak as IDP (Identity Provider) for Prestashop SSO login

  • In the miniOrange PrestaShop SAML SP SSO module, navigate to SP (Service Provider) Metadata section. Here, you can find the SP metadata such as SP Entity ID and ACS (AssertionConsumerService) URL required to configure the Keycloak as IDP (Identity Provider).
  • In your Keycloak Admin console, select the realm you want to use.
  • Click on Clients from the left menu and then click on Create button to create a new client/application.
  • Enter SP-EntityID / Issuer as the Client ID from the "Service Provider Metadata" section and select SAML as the Client Protocol.
  • Now click on Save.
  • Configure the client by providing the required details:
      Client ID: The SP-EntityID / Issuer from the module's Service Provider Metadata section
      Name: Provide a name for this client
      Description: Provide a description
      Client Signature Required: OFF
      Force POST Binding: OFF
      Force Name ID Format: OFF
      Name ID Format: 1.1:nameid-format:unspecified
      Root URL: Leave empty or provide the Base URL from the Service Provider Metadata section
      Valid Redirect URIs: The ACS (Assertion Consumer Service) URL from the module's Service Provider Metadata section
  • Under Fine Grain SAML Endpoint Configuration, enter the following details:
      Assertion Consumer Service POST Binding URL: The ACS (Assertion Consumer Service) URL from the module's Service Provider Metadata section
      Logout Service Redirect Binding URL (Optional): The Single Logout URL from the module's Service Provider Metadata section
  • Click on Save.

Add Mappers

  • Navigate to the Mappers tab and click on the Add Builtin button.
  • Select the checkboxes of the X500 givenName, X500 surname and X500 email attributes.
  • Click on the Add Selected button. The added mappings are listed below.

2. Configure Prestashop as SAML SP for Prestashop SSO login

  • Navigate to Realm Settings and, in the General tab, click the SAML 2.0 Identity Provider Metadata link listed under Endpoints.
  • Note the URL and keep it handy. It provides the endpoints required to configure the module.
  • Access that metadata endpoint, copy the entityID and fill it in the IDP Entity ID field in the Service Provider Setup section of the module.
  • Copy the URL given in the metadata and fill it in the SAML Login URL field in the Service Provider Setup section of the module.
  • Copy the certificate given in the metadata and fill it in the IDP Certificate field in the Service Provider Setup section of the module.
  • Select NameID format as "1.1:nameid-format:unspecified" from the dropdown.
  • Now click on the Test Configuration button to test the SSO connection.

You have successfully configured Prestashop as SAML SP for achieving Keycloak SSO login into your Prestashop Site.
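Step 2 pulls three values out of the realm's SAML 2.0 IdP metadata by hand. The following added example (not part of the miniOrange module or of Keycloak) performs the same extraction on a constructed metadata document shaped like Keycloak's realm descriptor; the host, realm name and certificate body are placeholders, and the HTTP-Redirect binding is selected because Force POST Binding is OFF in the client configured above.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like Keycloak's realm descriptor; host, realm and cert body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.example.com/realms/shop">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIICplaceholder
        NOTAREALCERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.com/realms/shop/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.com/realms/shop/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.com/realms/shop/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_sp_settings(metadata_xml: str) -> dict:
    """Map IdP metadata onto the module's Service Provider Setup fields."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    def redirect_endpoint(tag):
        # Keycloak lists the same Location under several bindings; pick HTTP-Redirect.
        for ep in idp.findall(tag, NS):
            if ep.get("Binding") == REDIRECT:
                return ep.get("Location")
        return None
    # Only signing keys matter: this is the certificate the module uses to verify
    # assertion signatures. Keycloak may omit use="...", so accept that case too.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(c.text.split()))  # drop base64 line breaks
    if not certs: raise ValueError("no signing certificate in metadata")
    return {"idp_entity_id": root.get("entityID"),
            "saml_login_url": redirect_endpoint("md:SingleSignOnService"),
            "saml_logout_url": redirect_endpoint("md:SingleLogoutService"),
            "idp_certificate": certs[0]}
```

Fetch the real descriptor only over HTTPS from your own Keycloak host, since the certificate you paste into the module is the root of trust for every assertion it accepts.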

3. Group Role Mapping (For Back-office Users)

  • This feature can be used to assign different Prestashop admin roles (like SuperAdmin, Salesman, etc.) to users based on the attributes received from the IDP. The particular roles (Profiles) are applied to users once they meet the specified conditions while logging into Prestashop via Single Sign-On.
  • This feature allows you to provide user capabilities based on their IDP attribute Group values.
  • Before enabling this setting, please make sure you have configured the attribute name in the Group field of the Group Role Mapping (For Back-office Users) section.

Group Role Mapping has the following features:

  1. Do not auto-create new back-office users
    • If you turn this toggle on, new users won’t be able to do SSO on your site. Your existing users will still be able to do SSO.
  2. Do not allow users to login whose groups are not mapped here
    • Users who belong to a group that is not mapped to any of the Prestashop Profile Types in the mapping table won’t be able to do SSO.
  3. Do not allow the users to log in with the below-mentioned groups
    • Users who belong to groups that are mentioned in the “Groups not allowed to do SSO” field won’t be able to do SSO.
  4. Default Prestashop Profile ID for Back-office users
    • Enter the Profile ID of the default Profile which you want to assign to new back-office users.
  5. Mapping Prestashop Profile to Groups in IDP
    • Enter the IDP Group that should receive each Prestashop role. For example, if you map the Admin group in the IDP to the Super Admin profile in the module, users who belong to the Admin group in the IDP get SuperAdmin access in Prestashop.
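The five rules above combine into one access decision per login. The following added example (not the module's code) models that decision for the back-office; the attribute name, group names and profile ids are constructed placeholders, and the tie-break when several of a user's groups are mapped is an assumption the page does not define.

```python
from dataclasses import dataclass, field

@dataclass
class GroupRoleMapping:
    """Settings from the module's Group Role Mapping (For Back-office Users) section."""
    group_attribute: str = "Group"        # attribute name entered in the Group field
    default_profile_id: int = 4           # placeholder: use the id of a low-privilege profile
    profile_by_group: dict = field(default_factory=dict)  # IDP group -> Prestashop profile id
    groups_not_allowed: frozenset = frozenset()  # "Groups not allowed to do SSO"
    no_auto_create: bool = False          # Do not auto-create new back-office users
    only_mapped_groups: bool = False      # Do not allow users whose groups are not mapped

def decide_backoffice_login(cfg: GroupRoleMapping, attributes: dict, user_exists: bool):
    """Return (allowed, profile_id, reason) for one SSO login attempt.

    `attributes` is the assertion's attribute statement as name -> list of values;
    Keycloak sends group membership as a multi-valued attribute. Deny rules are
    evaluated before any grant, so a deny-listed group always wins.
    """
    groups = attributes.get(cfg.group_attribute, [])
    if isinstance(groups, str):           # tolerate a single-valued attribute
        groups = [groups]
    denied = cfg.groups_not_allowed.intersection(groups)
    if denied:
        return False, None, f"group not allowed to do SSO: {sorted(denied)[0]}"
    if cfg.no_auto_create and not user_exists:
        return False, None, "new back-office users are not auto-created"
    # Assumption (not defined on the page): when several of the user's groups are
    # mapped, the first mapping listed in the configuration wins.
    for idp_group, profile_id in cfg.profile_by_group.items():
        if idp_group in groups:
            return True, profile_id, f"mapped via group {idp_group}"
    if cfg.only_mapped_groups:
        return False, None, "none of the user's groups is mapped to a profile"
    return True, cfg.default_profile_id, "default profile"

# Constructed example configuration; all profile ids are placeholders.
CFG = GroupRoleMapping(
    profile_by_group={"Admin": 1, "Sales": 3},
    groups_not_allowed=frozenset({"Contractors"}),
)

if __name__ == "__main__":
    print(decide_backoffice_login(CFG, {"Group": ["Sales", "Staff"]}, user_exists=True))
    print(decide_backoffice_login(CFG, {"Group": ["Admin", "Contractors"]}, user_exists=True))
```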

4. SSO Back-office Settings

  • If you want to enable SSO for your back-office users (your admins or employees), turn on the Enable SSO for Back-office toggle and provide the admin URL of your Prestashop store in the Back office Admin URL field.
  • If you want your back-office users redirected to a particular page after SSO, turn on Enable Redirection to Relay state for Back Office and provide the URL of that back-office page in the Back Office Relaystate URL field.
  • To initiate SSO for back-office users, use the Back-office SSO initiation URL.

5. SSO Front-office Settings

  • If you want to enable SSO for your front-office users (your customers), turn on the Enable SSO for the Front Office toggle.
  • If you want customers to access the Prestashop store only after they are logged in, turn on the Auto Redirect from the Prestashop Front office toggle. Users who are not logged in to the Prestashop store are redirected to the IDP login page and, once they authenticate on the IDP side, are redirected back to the store.
  • If you want to have backdoor access for your front-office users, turn on the Enable Backdoor Access to Front-office of Prestashop toggle and use the Prestashop Front-office Backdoor URL to log in with your Prestashop default credentials.
  • If you want your front-office users redirected to a particular page after SSO, turn on Enable Redirection to Relay state for Front Office and provide the URL of that front-office page in the Front Office Relaystate URL field.
  • To initiate SSO for front-office users, use the front-office SSO initiation URL.
  • To initiate SLO for front-office users, use the front-office SLO initiation URL. By default, if you have provided the SAML Logout URL in the Service Provider Setup section, the module sends a SAML Single Logout request to the IDP on customer logout so that the user is logged out of the IDP as well.

You have successfully configured Keycloak as SAML IDP (Identity Provider) for achieving Keycloak login / Keycloak SSO / Keycloak Single Sign-On (SSO), ensuring secure login into your Prestashop site.


Additional Resources
If you are looking for anything which you cannot find, please drop us an email on samlsupport@xecurify.com