That would be awesome! Thanks. :)
--
*Aaron Echols*
Systems Architect (IT)
Benjamin Franklin Charter School | IT
Email: aechols(a)bfcsaz.com
Phone: (480) 677-8400
Website:
On Wed, Apr 10, 2019 at 2:46 AM Sebastien Blanc <sblanc(a)redhat.com> wrote:
Hey Aaron !
Thanks a lot for sharing this with the community. And I agree we must find
a nice solution to persist these kind of "How-to" articles. I have some
ideas in mind and I will come back to you about this.
Sebi
On Tue, Apr 9, 2019 at 7:31 PM Aaron Echols <aechols(a)bfcsaz.com> wrote:
> Hi All,
>
> I'm in k12edu and have been working on implementing Clever. I've
> successfully set up and configured Clever as a SP in Keycloak using the
> Active Directory Authentication login method. I wanted to share it here,
> in case there are others that would like to use it.
>
> Also, it might be useful to have a wiki in the Keycloak documentation for
> users to contribute how-to articles on configuring services with Keycloak.
> Please consider this. I'd gladly contribute my Clever and Google
> configurations there.
>
> I'm not sure how this is going to format, hopefully, it doesn't get too
> botched. :)
>
> Create new client
>
> - Go to the Clients page under the {your} realm.
> - Click: Create
> - Download federation metadata: https://clever.com/oauth/saml/metadata.xml
> - Click: Select file
> - Browse to the metadata.xml downloaded in the previous step
> - Click: Save
> - Set the following options:
>
> Setting: Flag/Option/String
> Name: {Give it a user facing name}
> Enabled: ON
> Include AuthnStatement: ON
> Sign Documents: ON
> Sign Assertions: ON
> Signature Algorithm: RSA_SHA256
> SAML Signature Key Name: KEY_ID
> Canonicalization Method: EXCLUSIVE
> Encrypt Assertions: ON
> Client Signature Required: OFF
> Force POST Binding: ON
> Front Channel Logout: ON
> Force Name ID Format: ON
> Name ID Format: email
> Valid Redirect URIs: https://clever.com/oauth/saml/assert
> Base URL: /auth/realms/{realm}/protocol/saml/clients/clever&RelayState=true
> IDP Initiated SSO URL Name: clever
> Assertion Consumer Service POST Binding URL: https://clever.com/oauth/saml/assert
> Logout Service POST Binding URL: https://clever.com/oauth/saml/assert
>
> Create Mapper(s)
>
> - Go to: Clients > https://clever.com/oauth/saml/metadata.xml > Edit > Mappers > Create
> - Set the following options:
>
> Setting: Flag/Option/String
> Name: clever.any.email
> Mapper Type: User Property
> Property: email
> Friendly Name: Email
> SAML Attribute Name: clever.any.email
> SAML Attribute NameFormat:
>
> Setting: Flag/Option/String
> Name: clever.any.sis_id
> Mapper Type: User Property
> Property: username
> Friendly Name: Username
> SAML Attribute Name: clever.any.sis_id
> SAML Attribute NameFormat:
>
> Import Custom idP Metadata
>
> - Login to https://clever.com/in/<your-portal>
> - Go to: Portal > SSO Settings > Add Login Method > Active Directory Authentication
> - Click: or upload metadata file instead (not recommended)
> - Download and modify the Auth Mellon idp-metadata.xml file from your
>   clever client in Keycloak and add the missing information below:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <EntityDescriptor entityID="https://{vip}/auth/realms/{realm}"
>                   xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
>                   xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
>                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>   <IDPSSODescriptor WantAuthnRequestsSigned="true"
>                     protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>     <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                          Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
>     <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>                          Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
>     <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
>     <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                          Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
>     <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>                          Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
>     <KeyDescriptor use="signing">
>       <dsig:KeyInfo>
>         <dsig:KeyName>{kID}</dsig:KeyName>
>         <dsig:X509Data>
>           <dsig:X509Certificate>{cert}</dsig:X509Certificate>
>         </dsig:X509Data>
>       </dsig:KeyInfo>
>     </KeyDescriptor>
>   </IDPSSODescriptor>
> </EntityDescriptor>
>
> - Click the cloud symbol with an up arrow through it to upload the
>   idp-metadata.xml you created.
> - Click: Save
> - You should see a message in green saying: Your settings have been saved
>
> References
>
> https://support.clever.com/hc/en-us/articles/218050687-Single-sign-on-SSO...
> https://support.clever.com/hc/en-us/articles/215176617
> --
> *Aaron Echols*
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
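Added example (not from Aaron's post, and not Keycloak or Clever code): a small Python script for the "download and modify the idp-metadata.xml" step above. It builds the EntityDescriptor with the fields the post fills in by hand, then runs the checks worth doing before the file is uploaded to Clever: every SSO/SLO Location is an https URL under the realm's own entityID, the descriptor advertises the emailAddress NameIDFormat that matches the client's "Name ID Format: email" setting, there is a signing KeyDescriptor whose KeyName matches the key the client signs with, and the certificate really is base64 (so a left-over {cert} placeholder is caught). The host name, realm name, key ID and certificate bytes in the demo are constructed placeholders, not values from the post.

```python
"""Build and sanity-check Keycloak IdP metadata for a Clever SAML login method.

Added example, not code from the original post, Keycloak or Clever. The realm host,
realm name, key ID and certificate bytes used in demo_metadata() are constructed.
"""
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {"md": MD, "ds": DS}


def build_idp_metadata(vip, realm, key_id, cert_b64):
    """Return EntityDescriptor XML (bytes) laid out like the hand-edited file in the post."""
    ET.register_namespace("", MD)        # default namespace, as in the post's file
    ET.register_namespace("dsig", DS)
    entity_id = f"https://{vip}/auth/realms/{realm}"
    saml_endpoint = entity_id + "/protocol/saml"   # Keycloak serves SSO and SLO on one URL

    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    idp = ET.SubElement(root, f"{{{MD}}}IDPSSODescriptor",
                        WantAuthnRequestsSigned="true",
                        protocolSupportEnumeration=SAMLP)
    for binding in (HTTP_POST, HTTP_REDIRECT):
        ET.SubElement(idp, f"{{{MD}}}SingleLogoutService",
                      Binding=binding, Location=saml_endpoint)
    ET.SubElement(idp, f"{{{MD}}}NameIDFormat").text = NAMEID_EMAIL
    for binding in (HTTP_POST, HTTP_REDIRECT):
        ET.SubElement(idp, f"{{{MD}}}SingleSignOnService",
                      Binding=binding, Location=saml_endpoint)
    key_desc = ET.SubElement(idp, f"{{{MD}}}KeyDescriptor", use="signing")
    key_info = ET.SubElement(key_desc, f"{{{DS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DS}}}KeyName").text = key_id
    x509 = ET.SubElement(key_info, f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def check_idp_metadata(xml_bytes, expected_key_id, expected_nameid=NAMEID_EMAIL):
    """Return a list of findings for the descriptor; an empty list means it passed."""
    findings = []
    root = ET.fromstring(xml_bytes)
    entity_id = root.get("entityID", "")
    if "{" in entity_id or not entity_id.startswith("https://"):
        findings.append(f"entityID {entity_id!r} is not a filled-in https realm URL")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return findings + ["no IDPSSODescriptor element"]

    # Every SSO/SLO endpoint must sit under the realm's own https URL; anything else
    # tells Clever to send users and AuthnRequests somewhere other than this IdP.
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        for svc in idp.findall(f"md:{tag}", NS):
            loc = svc.get("Location", "")
            if not loc.startswith(entity_id + "/"):
                findings.append(f"{tag} ({svc.get('Binding')}) Location {loc!r} "
                                f"is outside entityID {entity_id!r}")
    if not idp.findall("md:SingleSignOnService", NS):
        findings.append("no SingleSignOnService endpoint")

    # The client forces Name ID Format "email"; the descriptor has to advertise it.
    formats = [n.text for n in idp.findall("md:NameIDFormat", NS)]
    if expected_nameid not in formats:
        findings.append(f"NameIDFormat {expected_nameid} missing, found {formats}")

    # Without a signing key Clever cannot verify the signed documents/assertions.
    # A KeyDescriptor with no 'use' attribute counts for signing and encryption.
    signing = [kd for kd in idp.findall("md:KeyDescriptor", NS)
               if kd.get("use", "signing") == "signing"]
    if not signing:
        findings.append("no signing KeyDescriptor")
    for kd in signing:
        name = kd.findtext("ds:KeyInfo/ds:KeyName", default="", namespaces=NS)
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                           default="", namespaces=NS)
        if name != expected_key_id:
            findings.append(f"KeyName {name!r} does not match the client's key {expected_key_id!r}")
        try:
            if not base64.b64decode("".join(cert.split()), validate=True):
                raise ValueError("empty certificate")
        except ValueError:
            findings.append("X509Certificate is not base64 (placeholder left in?)")
    return findings


def demo_metadata():
    """Constructed demo: (xml_bytes, key_id) for a placeholder realm and fake certificate."""
    fake_cert = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
    return build_idp_metadata("sso.example.edu", "school", "abc123", fake_cert), "abc123"


if __name__ == "__main__":
    xml, key_id = demo_metadata()
    print(xml.decode())
    print("findings:", check_idp_metadata(xml, key_id))
```

Paste Keycloak's real key ID and certificate (from the realm's Keys tab) in place of the demo values; the check returns an empty list when the file is ready to upload, and a non-empty list of plain-English findings otherwise.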