...
- In your Keycloak Admin Console, go to myrealm, create a new client.
- For Client Type, select SAML.
 For Client ID, paste in the Entity ID value you've copied earlier from the SAML Directory Manager plugin.
 Click "Next".
 For Valid Redirect URIs, paste in the base URL of your Joget instance.
 For both
- Save the client configuration.
- Next, we'll still need to modify more configurations for our newly created client.
 Edit the client configuration.
 Then, refer to the tables below to ensure the remaining config values are correct.

"Settings" tab

| Section | Field | Value |
|---|---|---|
| General settings | Client ID | (Paste in the Entity ID copied from the SAML Directory Manager plugin) Example: http://localhost:8080/jw/web/json/plugin/org.joget.plugin.saml.SamlDirectoryManager/service |
| General settings | Name | --OPTIONAL-- |
| General settings | Description | --OPTIONAL-- |
| General settings | Always display in UI | Off |
| Access settings | Root URL | --blank-- |
| Access settings | Home URL | --blank-- |
| Access settings | Valid redirect URIs | (Base URL of your Joget instance) Example: http://localhost:8080/jw |
| Access settings | Valid post logout redirect URIs | --blank-- |
| Access settings | IDP-Initiated SSO URL name | (Paste in the ACS URL copied from the SAML Directory Manager plugin) Example: http://localhost:8080/jw/web/json/plugin/org.joget.plugin.saml.SamlDirectoryManager/service |
| Access settings | IDP Initiated SSO Relay State | --blank-- |
| Access settings | Master SAML Processing URL | (Paste in the ACS URL copied from the SAML Directory Manager plugin) Example: http://localhost:8080/jw/web/json/plugin/org.joget.plugin.saml.SamlDirectoryManager/service |
| SAML capabilities | Name ID format | username |
| SAML capabilities | Force name ID format | On |
| SAML capabilities | Force POST binding | Off |
| SAML capabilities | Force artifact binding | Off |
| SAML capabilities | Include AuthnStatement | On |
| SAML capabilities | Include OneTimeUse Condition | Off |
| SAML capabilities | Optimize REDIRECT signing key lookup | Off |
| SAML capabilities | Allow ECP flow | Off |
| Signature and Encryption | Sign documents | Off |
| Signature and Encryption | Sign assertions | On |
| Signature and Encryption | Signature algorithm | RSA_SHA256 |
| Signature and Encryption | SAML signature key name | CERT_SUBJECT |
| Signature and Encryption | Canonicalization method | EXCLUSIVE |
| Login settings | Login theme | --OPTIONAL-- |
| Login settings | Consent required | Off |
| Login settings | Display client on screen | Off |
| Login settings | Consent screen text | --blank-- |
| Logout settings | Front channel logout | Off |

"Keys" tab

| Section | Field | Value |
|---|---|---|
| Signing keys config | Client Signature Required | Off |
| Encryption keys config | Encrypt assertions | Off |

"Roles" tab: Default. No change.

"Sessions" tab: Default. No change.

"Advanced" tab: Default. No change.
...
- Next, navigate to the Client scopes tab, click on the dedicated scope for the Joget client, and add these 3 predefined mappers:
  - X500 email
  - X500 givenName
  - X500 surname
- Then, edit these 3 mappers and replace the SAML Attribute Name of each with its intended value.
 Refer to the table below for the respective replacement values.

| Mapping Name | SAML Attribute Name |
|---|---|
| X500 surname | User.LastName |
| X500 givenName | User.FirstName |
| X500 email | email |

- Save the client configuration.
 Now, we are ready to test the SSO functionality.
5. Test SSO to validate successful configuration
To test the configuration, copy the target IDP-initiated SSO URL, paste it into an incognito browser window, and log in to Keycloak. If all is good, you will be redirected to the Joget home page, logged in.
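If the redirect fails, it helps to check what Keycloak actually sent. The following is an added example, not part of the original page or of Joget or Keycloak code: it compares a base64 `SAMLResponse` form value (as seen in the browser's developer tools, assuming it arrived via HTTP POST and is therefore not deflated) against the signing settings and mapper names given above. The function name and the sample XML are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EXPECTED_ATTRS = {"User.FirstName", "User.LastName", "email"}  # mapper table values

# Constructed sample (not captured traffic), trimmed to the elements inspected below.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<saml:Assertion><ds:Signature><ds:SignedInfo>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
</ds:SignedInfo></ds:Signature>
<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
<saml:AuthnStatement/><saml:AttributeStatement>
<saml:Attribute Name="User.FirstName"/><saml:Attribute Name="User.LastName"/>
<saml:Attribute Name="email"/></saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def check_saml_response(b64_response):
    """List mismatches between a decoded SAMLResponse and the settings on this page.
    Structural check only: it does not verify the signature cryptographically."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion (is 'Encrypt assertions' On?)"]
    problems = []
    sig = assertion.find("ds:Signature", NS)  # Sign assertions = On
    if sig is None:
        problems.append("assertion is not signed")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm", "") if method is not None else ""
        if not alg.endswith("#rsa-sha256"):  # Signature algorithm = RSA_SHA256
            problems.append("unexpected signature algorithm: " + alg)
    if root.find("ds:Signature", NS) is not None:  # Sign documents = Off
        problems.append("response document is signed")
    if assertion.find("saml:AuthnStatement", NS) is None:  # Include AuthnStatement = On
        problems.append("AuthnStatement missing")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    names = {a.get("Name") for a in assertion.iter("{%s}Attribute" % NS["saml"])}
    for missing in sorted(EXPECTED_ATTRS - names):
        problems.append("attribute not mapped: " + missing)
    return problems

if __name__ == "__main__":
    print(check_saml_response(base64.b64encode(SAMPLE_XML.encode())) or "matches page settings")
```

An empty result means the response has the shape this configuration should produce; it does not replace the signature validation performed by the service provider.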
The final configuration is to configure the fields.
...
Mapping Name
...
SAML Attribute Name
...
X500 surname
...
.
...
X500 givenName
...
User.FirstName
...
X500 email
...
Optional Modifications
Addon SSO button on login page
...












