Keycloak

Keycloak SAML 2.0

Create a realm on Keycloak

1. Login to Administrator Console, drop the list in top left corner and hit "Create realm".

2. Enter Realm name e.g. myrealm and hit "Create".

3. Select "Users" in the left sidebar and hit "Add user".

4. Enter Username, Email, First name and Last name; then hit "Create".

5. Under "User details", select tab "Credentials" and hit "Set password" to create password for the user created in previous step.

6. Enter the password and toggle "Temporary" to Off, then hit "Save".

Create SAML directory on MetaDefender Core

1. Login to MetaDefender Core management console.
2. Under "Dashboard", hit "User Management" in sidebar.
3. Under "User Management", choose "Directories" tab and hit "Add directory" on the top right

4. In "Add Directory" page, choose "SAML" in Directory Type.
5. Fill "Name" of the new directory, KEYCLOAK_SAML for example.
6. Under "Service Provider", fill in "Host or IP" where MetaDefender Core is being hosted, https://localhost:8008 for this example.
7. Copy the "Login URL".

Create Keycloak application

1. On screen myrealm, select "Clients" in sidebar and hit "Create client".

2. Choose "SAML" for "Client type" and enter MDCORE for "Client ID" then hit "Next".

3. Paste the "Login URL" from MetaDefender Core into "Master SAML Processing URL" and hit "Save".

4. Go to tab "Advance" and paste the "Login URL" from MetaDefender Core to "Assertion Consumer Service Redirect Binding URL" and hit "Save".

5. At tab "Keys", toggle "Client signature required" to Off.

6. At tab "Client scopes", select "MDCore-dedicated".

7. Under "Dedicated scopes", select tab "Mappers" and hit "Add predefines mapper".

8. Check "X500 givenName" and "X500 surname", then hit "Add".

9. Back at tab "Mappers", hit on "X500 givenName".

10. Enter first_name for "SAML Attribute Name" and hit "Save".

11. Hit on "X500 surname" at tab "Mappers"

12. Enter first_name for "SAML Attribute Name" and hit "Save".

13. Select "Realm settings" in sidebar, navigate to tab "General", hit "SAML 2.0 Identity Provider Metadata" and copy SAML metadata link.

Complete configuration on MetaDefender Core

1. Switch to MetaDefender Core screen, under "Identity Provider", hit on "Fetch URL".
2. Paste "SAML Metadata link" from Keycloak to the box under "Fetch URL" and hit "OK" to ensure MetaDefender Core can set Okta as its IdP.

3. Under section "Service Provider", enable option "Use Custom Entity ID" and fill MDCORE to "Custom Entity ID".

4. Fill user identity under "Use Identified by" with ${first_name}${last_name}_ for example.
5. Select correct role for the user under "User Role".
6. Hit "Add" to complete the settings.

7. On screen "User Management", toggle the new directory, KEYCLOAK-SAML in this example. A dialog box is shown to confirm the action. Once "Enable" is hit, all existing sessions will be expired immediately and Okta will be used to authenticate users going forward.

Test the integration

1. Browse MetaDefender Core, hit "Login", user is redirected to Keycloak's login page.

2. Login by the account registered in Keycloak (step 4 and 6 under section Create a realm).

2. If everything goes right, MetaDefender Core dashboard is shown with user identity set at the top right corner.
3. For troubleshooting, browse <mdcore-host>#/public/backuplogin.