Versions Compared

Old Version 36

changes.mady.by.user Justin

Saved on

compared with

New Version Current

changes.mady.by.user Justin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. In your Keycloak Admin Console, go to myrealm, create a new client.



  2. For Client Type, select SAML.
    For Client ID, paste in the Entity ID value you've copied earlier from the SAML Directory Manager plugin.



    Click "Next".

    For Valid Redirect URIs, paste in the base URL of your Joget instance.
    For both  



  3. Save the client configuration.

  4. Next, we'll still need to modify more configurations for our newly created client.
    Edit the client configuration.



    Then, refer to this table the tables below to ensure the remaining config values are correct.

    "Settings" tab
    Image Added

    General settings
    Client ID

    (Paste in the Entity ID copied from the SAML Directory Manager plugin)

    Example:

    http://localhost:8080/jw/web/json/plugin/org.joget.plugin.saml.SamlDirectoryManager/service

    Name--OPTIONAL--

    Description

    		--OPTIONAL--

    Always display in UI

    		Off

    Access settings

    Root URL

    		--blank--

    Home URL

    		--blank--

    Valid redirect URIs

    (Base URL of your Joget instance)

    Example: http://localhost:8080/jw

    Valid post logout redirect URIs

    		--blank--

    IDP-Initiated SSO URL name

    (Paste in the ACS URL copied from the SAML Directory Manager plugin)

    Example:

    http://localhost:8080/jw/web/json/plugin/org.joget.plugin.saml.SamlDirectoryManager/service

    IDP Initiated SSO Relay State

    		--blank--

    Master SAML Processing URL

    (Paste in the ACS URL copied from the SAML Directory Manager plugin)

    Example:

    http://localhost:8080/jw/web/json/plugin/org.joget.plugin.saml.SamlDirectoryManager/service

    SAML capabilities

    Name ID format

    username

    Force name ID format

    On

    Force POST binding

    Off

    Force artifact binding

    Off

    Include AuthnStatement

    On

    Include OneTimeUse Condition

    Off

    Optimize REDIRECT signing key lookup

    Off

    Allow ECP flow

    Off

    Signature and Encryption

    Sign documents

    Off

    Sign assertions

    On

    Signature algorithm

    RSA_SHA256

    SAML signature key name

    CERT_SUBJECT

    Canonicalization method

    EXCLUSIVE

    Login settings

    Login theme

    --OPTIONAL--

    Consent required

    Off

    Display client on screen

    Off

    Consent screen text

    --blank--

    Logout settings

    Front channel logout

    Off

    "Keys" tab
    Image Added

    Signing keys config
    Client Signature RequiredOff
    Encryption keys config
    Encrypt assertionsOff

    "Roles" tab

    Default. No change.

    "Sessions" tab

    Default. No change.

    "Advanced" tab

    Default. No change.


  5.  Next, navigate to Client scopes tab, and click on the dedicated scope for Joget client, and add these 3 predefined mappers:
    • X500 email
    • X500 givenName
    • X500 surname

    Image Added
    Image Added
    Image Added

  6. Then, edit these 3 mappers, and replace the SAML Attribute Name to their intended values.
    Do refer to the table below for their respective replacement values.

    Image Added
    Image Added

    Mapping Name

    SAML Attribute Name

    X500 surname

    User.LastName

  7.  

 

Image Removed

Image Removed

Image Removed

  1. X500 givenName

    User.FirstName

    X500 email

    email



  2. Save the client configuration.
    Now, we are ready to test the SSO functionality.     

5. Test SSO to validate successful configuration

In the final phase, we should test if SAML SSO works with Keycloak & that Joget is able to correctly retrieve the sample user data from Keycloak as well.

To manually emulate an idP-initiated SSO login, we simply need to find To test configuration, you can copy the target IDP initiated SSO URL and paste it in incognito mode of browser and login to keycloak, If all is good you will be redirected to Joget home page with login.

The final configuration is the configure the fields.

...

test this URL in our browser.


The format of the target IDP initiated SSO URL is as such below.
Do refer to your overall Keycloak & Joget client configurations to fill in the blanks.

Info
iconfalse
{server-root}/realms/{realm}/protocol/saml/clients/{client-id}

An example of the fully-qualified URL will look as such below:

Info
iconfalse

http://localhost:8500/realms/myrealm/protocol/saml/clients/http%3A%2F%2Flocalhost%3A8080%2Fjw%2Fweb%2Fjson%2Fplugin%2Forg.joget.plugin.saml.SamlDirectoryManager%2Fservice

Note
titleNote

For the {client-id}, since the client ID itself is a URL, this value need to be in a URL-encoded format.

You can use various free online tools to help convert to the URL-encoded value.


Finally, you can navigate to this fully-qualified URL via an incognito tab in your browser.

You should see the Keycloak login page, and upon successful login, you will be redirect to the Joget App Center, and thus indicate this exercise is completed successfully.

...

Mapping Name

...

SAML Attribute Name

...

X500 surname

...

User.LastName

...

X500 givenName

...

User.FirstName

...

X500 email

...

Image Added
Image Added
Image Added



Optional Modifications

Addon SSO button on login page

...