[keycloak-user] Keycloak and Clever

Hi All, I'm in k12edu and have been working on implementing Clever. I've successfully setup and configured Clever as a SP in Keycloak using the Active Directory Authentication login method. I wanted to share it here, in case there are others that would like to use it. Also, it might be useful to have a wiki in the Keycloak documentation for users to contribute how-to articles on configuring services with Keycloak. Please consider this. I'd gladly contribute my Clever and Google configurations there. I'm not sure how this is going to format, hopefully, it doesn't get too botched. :) Create new client - Go to the Clients page under the {your} realm. - Click: Create - Download federation metadata: https://clever.com/oauth/saml/metadata.xml - Click: Select file - Browse to the metadata.xml downloaded in the previous step - Click: Save - Set the following options: Setting Flag/Option/String Name {Give it a user facing name} Enabled ON Include AuthnStatement ON Sign Documents ON Sign Assertions ON Signature Algorithm RSA_SHA256 SAML Signature Key Name KEY_ID Canonicalization Method EXCLUSIVE Encrypt Assertions ON Client Signature Required OFF Force POST Binding ON Front Channel Logout ON Force Name ID Format ON Name ID Format email Valid Redirect URIs https://clever.com/oauth/saml/assert Base URL /auth/realms/{realm}/protocol/saml/clients/clever&RelayState=true IDP Initiated SSO URL Name clever Assertion Consumer Service POST Binding URL https://clever.com/oauth/saml/assert Logout Service POST Binding URL https://clever.com/oauth/saml/assert Create Mapper(s) - Go to: Clients > https://clever.com/oauth/saml/metadata.xml > Edit > Mappers > Create - Set the following options: Setting Flag/Option/String Name clever.any.email Mapper Type User Property Property email Friendly Name Email SAML Attribute Name clever.any.email SAML Attribute NameFormat Setting Flag/Option/String Name clever.any.sis_id Mapper Type User Property Property username Friendly Name Username SAML Attribute Name clever.any.sis_id SAML Attribute NameFormat Import Custom idP Metadata - Login to https://clever.com/in/<your-portal> - Go to: Portal > SSO Settings > Add Login Method > Active Directory Authentication - Click: or upload metadata file instead (not recommended) - Download and modify the Auth Mellon idp-metadata.xml file from your clever client in Keycloak and add the missing information below: <?xml version="1.0" encoding="UTF-8"?> <EntityDescriptor entityID="https://{vip}/auth/realms/{realm}" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://{vip}/auth/realms/{realm}/protocol/saml" /> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://{vip}/auth/realms/{realm}/protocol/saml" /> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://{vip}/auth/realms/{realm}/protocol/saml" /> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://{vip}/auth/realms/{realm}/protocol/saml" /> <KeyDescriptor use="signing"> <dsig:KeyInfo> <dsig:KeyName>{kID}</dsig:KeyName> <dsig:X509Data> <dsig:X509Certificate>{cert}</dsig:X509Certificate> </dsig:X509Data> </dsig:KeyInfo> </KeyDescriptor> </IDPSSODescriptor> </EntityDescriptor> - Click the cloud symbol with an up arrow through it to upload the idp-metadata.xml you created. - Click: Save - You should see a message in green saying: Your settings have been saved References https://support.clever.com/hc/en-us/articles/218050687-Single-sign-on-SSO... https://support.clever.com/hc/en-us/articles/215176617 -- *Aaron Echols*