Meet us at WordCamp Europe | ShopTalk | DrupalCon Conferences to explore our solutions. Know More
SAML Single Sign-On for Prestashop using Keycloak as IDP | Prestashop Keycloak SSO Login
SAML Single Sign-On for Prestashop using Keycloak as IDP | Prestashop Keycloak SSO Login
Keycloak Single Sign-On (SSO) login for Prestashop [SAML] can be achieved by using our Prestashop SAML Single Sign-On (SSO) module. Our SSO module is compatible with all the SAML compliant Identity Providers and enables secure Keycloak Login into Prestashop sites. Here we will go through a guide to configure Prestashop Keycloak SSO / Login into Prestashop by considering Keycloak As IDP (Identity Provider) and Prestashop as SP (Service Provider).To know more about other features we provide in Prestashop SAML Single Sign-On (SSO) module, you can click here.
Pre-requisites : Download And Installation
To configure Keycloak as SAML IDP with your Prestashop store, you will need to install the Prestashop SAML SP SSO module.
Steps to configure Keycloak Single Sign-On (SSO) Login into Prestashop
1. Setup Keycloak as IDP (Identity Provider) for Prestashop SSO login
- In the miniOrange PrestaShop SAML SP SSO module, navigate to SP (Service Provider) Metadata section. Here, you can find the SP metadata such as SP Entity ID and ACS (AssertionConsumerService) URL required to configure the Keycloak as IDP (Identity Provider).
- In your Keycloak Admin console, select the realm you want to use.
- Click on Clients from the left menu and then click on Create button to create a new client/application.
- Enter SP-EntityID / Issuer as the Client ID from the "Service Provider Metadata" section and select SAML as the Client Protocol.
- Now click on Save.
- Configure Keycloak by providing the required details:
- Under Fine Grain SAML Endpoint Configuration, Enter the following details:
- Click on Save.
| Client ID | The SP-EntityID / Issuer from the module's Service Provider Metadata section |
| Name | Provide a name for this client |
| Description | Provide a description |
| Client Signature Required | OFF |
| Force POST Binding | OFF |
| Force Name ID Format | OFF |
| Name ID Format | 1.1:nameid-format:unspecified |
| Root URL | Leave empty or Provide Base URL from Service Provider Metadata section |
| Valid Redirect URIs | The ACS (Assertion Consumer Service) URL from the module's Service Provider Metadata section |
| Assertion Consumer Service POST Binding URL | The ACS (Assertion Consumer Service) URL from the module's Service Provider Metadata section |
| Logout Service Redirect Binding URL (Optional) | The Single Logout URL from the module's Service Provider Metadata section |
Add Mappers
- Navigate to Mappers tab and click on Add Builtin button.
- Select the checkboxes of X500 givenName, X500 surname and X500 email attributes.
- Click on Add Selected button. You will see the mappings that are added below.
2. Configure Prestashop as SAML SP for Prestashop SSO login
- Navigate to Realm Settings, click on SAML 2.0 Identity Provider Metadata mentioned as Endpoints in the General Tab.
- Note the URL and keep it handy. That will provide you with the Endpoints required to configure the module.
- Access that Metadata endpoint and copy the entityID and fill it in the IDP Entity ID field in the Service Provider Setup section of the module.
- Copy the URL given in
and fill it in the SAML Login URL field in the Service Provider Setup section of the module. - Copy the certificate given in
- Select NameID format as "1.1:nameid-format:unspecified" from dropdown.
- Now click on the Test Configuration button to test the SSO connection.
You have successfully configured Prestashop as SAML SP for achieving Keycloak SSO login into your Prestashop Site.
3. Group Role Mapping (For Back-office Users)
- This feature can be used to assign different Prestashop admin roles (like SuperAdmin, Salesman, etc) to the users based on their attributes received from IDP. The particular roles (Profiles) will be applied to users once they meet the specified conditions while logging into Prestashop via Single Sign-On.
- This feature allows you to provide user capabilities based on their IDP attribute Group values.
- Before enabling this setting, please make sure you’ve configured the attribute name in the Group field of the Group Role Mapping (For Back-office Users) section.
Group Role Mapping has the following features:
- Do not auto-create new back-office users
- If you turn this toggle on, new users won’t be able to do the SSO on your site. Your existing users would be able to do the SSO.
- Do not allow users to login whose groups are not mapped here
- User’s who belong to a group that is not mapped to any of the Profile Types of Prestashop in the above image won’t be able to do the SSO.
- Do not allow the users to log in with the below-mentioned groups.
- Users who belong to groups that are mentioned in the “Groups not allowed to do SSO” field won’t be able to do the SSO.
- Default Prestashop Profile ID for Back-office users
- You need to mention the Profile ID of the Default Profile which you want to assign to the new back-office users.
- Mapping Prestashop Profile to Groups in IDP
- You need to mention the IDP Group that you need to get the Prestashop role. For eg if you map the Admin group in IDP to the Super Admin profile in the OAuth Module then users who belong to the Admin Group in IDP would get the SuperAdmin access in the Prestashop.
4. SSO Back-office Settings
- If you want to enable SSO for your Back-office users, your admins, or your employees, turn on the toggle for Enable SSO for Back-office, and please provide the Admin URL of your Prestashop store in the Back office Admin URL field.
- If you want your Back-office users to redirect to a particular page after they do the SSO, turn on the Enable Redirection to Relay state for Back Office and provide the URL of that particular back-office page in the Back Office Relaystate URL field.
- To Initiate the SSO for the back-office users, use the Back-office SSO initiation URL.
5. SSO Front-office Settings
- If you want to enable SSO for your front-office users, and your customers, turn on the toggle for Enable SSO for the Front Office.
- If you want your customers to access the Prestashop store only after they are logged in then turn on the toggle for Auto Redirect from the Prestashop Front office, this would redirect users to the IDP login page if they are not logged in to the Prestashop store. Once they authenticate themselves on the IDP side they would be redirected back to the Prestashop store.
- If you want to have backdoor access for your front-office users, then turn on the toggle for Enable Backdoor Access to Front-office of Prestashop and use the Prestashop Front-office Backdoor URL to log in using your Prestashop default credentials.
- If you want your front-office users to redirect to a particular page after they do the SSO, turn on the Enable Redirection to Relay state for Front Office and provide the URL of that particular front-office page in the Front Office Relaystate URL field.
- To Initiate the SSO for the front-office users, use the front-office SSO initiation URL.
- To Initiate the SLO for the front-office users, use the front-office SLO initiation URL. By default, if you have provided the SAML Logout URL in the Service Provider Setup section then on customer logout, the module would send SAML Single logout URL to the IDP so that the user gets logged out of their IDP as well.
You have successfully configured Keycloak as SAML IDP ( Identity Provider) for achieving Keycloak login / Keycloak SSO / Keycloak Single Sign-On (SSO), ensuring secure Login into Prestashop Site.
Additional Resources
- What is Single Sign-On (SSO) Login?
- What is SAML? How SAML SSO works?
- Prestashop SAML Single Sign-On
- Prestashop as Identity Provider
- Prestashop OAuth Cleint SSO
- Prestashop OAuth with PCKE
- Prestashop Solutions
- Frequently Asked Questions (FAQs)
If you are looking for anything which you cannot find, please drop us an email on samlsupport@xecurify.com
×
![ADFS_sso]()
Trending searches:
Hello there!
Need Help? We are right here!
