...

  1. In your Keycloak Admin Console, go to the myrealm realm and create a new client.

  2. For Client Type, select SAML.
    For Client ID, paste in the Entity ID value you copied earlier from the SAML Directory Manager plugin.

    Click "Next".

    For Valid Redirect URIs, paste in the base URL of your Joget instance.
    For both

  3. Save the client configuration.

  4. Next, we still need to modify more configurations for our newly created client.
    Edit the client configuration.

    Then, refer to the tables below to ensure the remaining config values are correct.

    "Settings" tab

    General settings
    Client ID: (Paste in the Entity ID copied from the SAML Directory Manager plugin)
      Example: http://localhost:8080/jw/web/json/plugin/org.joget.plugin.saml.SamlDirectoryManager/service
    Name: --blank, OPTIONAL--
    Description: --blank, OPTIONAL--
    Always display in UI: Off

    Access settings
    Root URL: --blank--
    Home URL: --blank--
    Valid redirect URIs: (Base URL of your Joget instance)
      Example: http://localhost:8080/jw
    Valid post logout redirect URIs: --blank--
    IDP-Initiated SSO URL name: (Paste in the ACS URL copied from the SAML Directory Manager plugin)
      Example: http://localhost:8080/jw/web/json/plugin/org.joget.plugin.saml.SamlDirectoryManager/service
    IDP Initiated SSO Relay State: --blank--
    Master SAML Processing URL: (Paste in the ACS URL copied from the SAML Directory Manager plugin)
      Example: http://localhost:8080/jw/web/json/plugin/org.joget.plugin.saml.SamlDirectoryManager/service

    SAML capabilities
    Name ID format: username
    Force name ID format: On
    Force POST binding: Off
    Force artifact binding: Off
    Include AuthnStatement: On
    Include OneTimeUse Condition: Off
    Optimize REDIRECT signing key lookup: Off
    Allow ECP flow: Off

    Signature and Encryption
    Sign documents: Off
    Sign assertions: On
    Signature algorithm: RSA_SHA256
    SAML signature key name: CERT_SUBJECT
    Canonicalization method: EXCLUSIVE

    Login settings
    Login theme: --blank, OPTIONAL--
    Consent required: Off
    Display client on screen: Off
    Consent screen text: --blank--

    Logout settings
    Front channel logout: Off

...

Description: Optional 

Enabled: ON

Consent Required: OFF

Login Theme: Optional 

Client Protocol: SAML

Include AuthnStatement: ON

Include OneTimeUse Condition: OFF

Sign Documents: OFF

Sign Assertions: ON

Signature Algorithm: RSA_SHA256

SAML Signature Key Name: CERT_SUBJECT

Canonicalization Method: EXCLUSIVE

Encrypt Assertions: OFF

Client Signature Required: OFF

Force POST Binding: OFF

Front Channel Logout: OFF

Force Name ID Format: ON

Name ID Format: username

Root URL: EMPTY

Valid Redirect URIs: https://joget-Server-URL/jw

Base URL: EMPTY

Master SAML Processing URL: SAML JOGET API URL

...

  1. "Keys" tab

    Signing keys config
    Client Signature Required: Off

    Encryption keys config
    Encrypt assertions: Off

    "Roles" tab

    Default. No change.

    "Sessions" tab

    Default. No change.

    "Advanced" tab

    Default. No change.


  2. Next, navigate to the Client scopes tab, click on the dedicated scope for the Joget client, and add these 3 predefined mappers:
    • X500 email
    • X500 givenName
    • X500 surname

  3. Then, edit these 3 mappers and replace the SAML Attribute Name with their intended values.
    Refer to the table below for the respective replacement values.

    Mapping Name      SAML Attribute Name
    X500 surname      User.LastName
    X500 givenName    User.FirstName
    X500 email        email



  4. Save the client configuration.
    Now, we are ready to test the SSO functionality.
     

5. Test SSO to validate successful configuration

In the final phase, we should test whether SAML SSO works with Keycloak and whether Joget correctly retrieves the sample user data from Keycloak as well.

To manually emulate an idP-initiated SSO login, we simply need to find

...


To test the configuration, copy the target IDP-initiated SSO URL, paste it into an incognito browser window and log in to Keycloak. If all is good, you will be redirected to the Joget home page, logged in.

The final configuration step is to configure the fields.

...

test this URL in our browser.


The format of the target IDP-initiated SSO URL is shown below.
Refer to your overall Keycloak and Joget client configurations to fill in the blanks.

{server-root}/realms/{realm}/protocol/saml/clients/{client-id}

An example of the fully-qualified URL looks like this:

http://localhost:8500/realms/myrealm/protocol/saml/clients/http%3A%2F%2Flocalhost%3A8080%2Fjw%2Fweb%2Fjson%2Fplugin%2Forg.joget.plugin.saml.SamlDirectoryManager%2Fservice

Note

For the {client-id}, since the client ID itself is a URL, this value needs to be in URL-encoded format.

You can use various free online tools to help convert to the URL-encoded value.
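The encoding can also be done locally, which avoids pasting internal host names and plugin paths into a third-party web form. The helper below is an added example, not part of the Joget or Keycloak documentation; it assumes the placeholder server root, realm and client ID used in the example URL above and reproduces that URL exactly.

```python
"""Build the Keycloak IdP-initiated SSO URL for a SAML client whose Client ID is itself a URL.

Added example, not from the Joget or Keycloak documentation. The server root,
realm and client ID used in __main__ are the placeholder values from the
example above.
"""
from urllib.parse import quote, unquote


def build_idp_initiated_url(server_root, realm, client_id):
    """Return {server-root}/realms/{realm}/protocol/saml/clients/{client-id}.

    quote(..., safe="") percent-encodes ':' and '/' as well, so the URL-shaped
    client ID travels as one path segment instead of being split into several.
    """
    encoded_client_id = quote(client_id, safe="")
    encoded_realm = quote(realm, safe="")
    return f"{server_root.rstrip('/')}/realms/{encoded_realm}/protocol/saml/clients/{encoded_client_id}"


def client_id_from_url(url):
    """Inverse helper: recover the Client ID from an IdP-initiated SSO URL.

    Useful for checking that a bookmarked SSO URL still matches the Client ID
    (Entity ID) shown in the Keycloak client's Settings tab.
    """
    marker = "/protocol/saml/clients/"
    idx = url.find(marker)
    if idx == -1:
        raise ValueError("not an IdP-initiated SSO URL")
    return unquote(url[idx + len(marker):])


if __name__ == "__main__":
    sso_url = build_idp_initiated_url(
        "http://localhost:8500",
        "myrealm",
        "http://localhost:8080/jw/web/json/plugin/org.joget.plugin.saml.SamlDirectoryManager/service",
    )
    print(sso_url)
```

If Keycloak answers the generated URL with a "client not found" style error, compare client_id_from_url(sso_url) character by character with the Client ID in the Settings tab; a trailing slash or a differing scheme is the usual cause.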


Finally, navigate to this fully-qualified URL in an incognito tab of your browser.

You should see the Keycloak login page, and upon successful login you will be redirected to the Joget App Center, which indicates that this exercise has been completed successfully.

...


Optional Modifications

Addon SSO button on login page

...