[keycloak-user] Keycloak and Clever
Aaron Echols
aechols at bfcsaz.com
Tue Apr 9 13:26:04 EDT 2019
Hi All,

I'm in k12edu and have been working on implementing Clever. I've successfully set up and configured Clever as a SP in Keycloak using the Active Directory Authentication login method. I wanted to share it here, in case there are others that would like to use it.

Also, it might be useful to have a wiki in the Keycloak documentation for users to contribute how-to articles on configuring services with Keycloak. Please consider this. I'd gladly contribute my Clever and Google configurations there.

I'm not sure how this is going to format; hopefully it doesn't get too botched. :)
Create new client

- Go to the Clients page under the {your} realm.
- Click: Create
- Download federation metadata: https://clever.com/oauth/saml/metadata.xml
- Click: Select file
- Browse to the metadata.xml downloaded in the previous step
- Click: Save
- Set the following options:

  Setting                                      Flag/Option/String
  -------------------------------------------  -----------------------------------------------------------------
  Name                                         {Give it a user facing name}
  Enabled                                      ON
  Include AuthnStatement                       ON
  Sign Documents                               ON
  Sign Assertions                              ON
  Signature Algorithm                          RSA_SHA256
  SAML Signature Key Name                      KEY_ID
  Canonicalization Method                      EXCLUSIVE
  Encrypt Assertions                           ON
  Client Signature Required                    OFF
  Force POST Binding                           ON
  Front Channel Logout                         ON
  Force Name ID Format                         ON
  Name ID Format                               email
  Valid Redirect URIs                          https://clever.com/oauth/saml/assert
  Base URL                                     /auth/realms/{realm}/protocol/saml/clients/clever&RelayState=true
  IDP Initiated SSO URL Name                   clever
  Assertion Consumer Service POST Binding URL  https://clever.com/oauth/saml/assert
  Logout Service POST Binding URL              https://clever.com/oauth/saml/assert
Create Mapper(s)

- Go to: Clients > https://clever.com/oauth/saml/metadata.xml > Edit > Mappers > Create
- Set the following options:

  Setting                    Flag/Option/String
  -------------------------  ------------------
  Name                       clever.any.email
  Mapper Type                User Property
  Property                   email
  Friendly Name              Email
  SAML Attribute Name        clever.any.email
  SAML Attribute NameFormat

  Setting                    Flag/Option/String
  -------------------------  ------------------
  Name                       clever.any.sis_id
  Mapper Type                User Property
  Property                   username
  Friendly Name              Username
  SAML Attribute Name        clever.any.sis_id
  SAML Attribute NameFormat
Import Custom IdP Metadata

- Log in to https://clever.com/in/<your-portal>
- Go to: Portal > SSO Settings > Add Login Method > Active Directory Authentication
- Click: or upload metadata file instead (not recommended)
- Download and modify the Auth Mellon idp-metadata.xml file from your clever client in Keycloak and add the missing information below:
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="https://{vip}/auth/realms/{realm}"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
    <KeyDescriptor use="signing">
      <dsig:KeyInfo>
        <dsig:KeyName>{kID}</dsig:KeyName>
        <dsig:X509Data>
          <dsig:X509Certificate>{cert}</dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
- Click the cloud symbol with an up arrow through it to upload the idp-metadata.xml you created.
- Click: Save
- You should see a message in green saying: Your settings have been saved
References
https://support.clever.com/hc/en-us/articles/218050687-Single-sign-on-SSO-with-a-custom-SAML-connection
https://support.clever.com/hc/en-us/articles/215176617
--
*Aaron Echols*
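The "Import Custom IdP Metadata" step above is where hand-editing goes wrong: a `{vip}`, `{realm}`, `{kID}` or `{cert}` placeholder left in, a certificate pasted with its PEM armour, or an http:// endpoint. The following script is an added example, not code from the original post, from Keycloak or from Clever. It builds an IdP metadata document of the same shape as the one in the post from the values you would otherwise paste by hand, and checks the result before you upload it. The hostname `sso.example.org`, realm `school`, key name `abc123` and the certificate contents are constructed placeholders; substitute your realm's real signing certificate from the Keycloak console.

```python
"""Build and sanity-check the SAML 2.0 IdP metadata a Keycloak realm presents to Clever.

Added example, not code from the original post, Keycloak or Clever. It emits the
same EntityDescriptor shape the post shows, from the values you would otherwise
paste by hand, and checks the result for the mistakes that are easy to make
(template braces left in, non-https endpoints, a certificate that is not base64).
Hostname, realm, key name and certificate used below are constructed placeholders.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

ET.register_namespace("", MD)
ET.register_namespace("dsig", DSIG)

# Constructed stand-in for the realm signing certificate, PEM-armoured the way the
# Keycloak console shows it. It is base64 of a text string, not a real X.509 cert.
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder, not a real certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def normalize_cert(cert: str) -> str:
    """Strip PEM armour and whitespace; <dsig:X509Certificate> wants bare base64."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert)
    body = "".join(body.split())
    base64.b64decode(body, validate=True)  # raises binascii.Error if it is not base64
    return body


def build_idp_metadata(vip, realm, key_name, cert, want_signed_requests=True):
    """Return the IdP metadata (bytes) for https://{vip}/auth/realms/{realm}."""
    realm_url = f"https://{vip}/auth/realms/{realm}"
    saml_url = f"{realm_url}/protocol/saml"  # Keycloak serves SSO and SLO on one endpoint
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=realm_url)
    idp = ET.SubElement(
        root, f"{{{MD}}}IDPSSODescriptor",
        WantAuthnRequestsSigned="true" if want_signed_requests else "false",
        protocolSupportEnumeration=PROTO,
    )
    # Schema order: KeyDescriptor, SingleLogoutService, NameIDFormat, SingleSignOnService.
    kd = ET.SubElement(idp, f"{{{MD}}}KeyDescriptor", use="signing")
    ki = ET.SubElement(kd, f"{{{DSIG}}}KeyInfo")
    ET.SubElement(ki, f"{{{DSIG}}}KeyName").text = key_name
    x509 = ET.SubElement(ki, f"{{{DSIG}}}X509Data")
    ET.SubElement(x509, f"{{{DSIG}}}X509Certificate").text = normalize_cert(cert)
    for binding in (POST, REDIRECT):
        ET.SubElement(idp, f"{{{MD}}}SingleLogoutService", Binding=binding, Location=saml_url)
    ET.SubElement(idp, f"{{{MD}}}NameIDFormat").text = EMAIL_FMT
    for binding in (POST, REDIRECT):
        ET.SubElement(idp, f"{{{MD}}}SingleSignOnService", Binding=binding, Location=saml_url)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def check_idp_metadata(xml_bytes):
    """Return a list of problems; an empty list means the file is ready to upload."""
    problems = []
    leftovers = sorted({m.decode() for m in re.findall(rb"\{[A-Za-z]+\}", xml_bytes)})
    if leftovers:
        problems.append("template placeholders left in: " + ", ".join(leftovers))
    root = ET.fromstring(xml_bytes)
    if not root.get("entityID", "").startswith("https://"):
        problems.append("entityID is not an https URL")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor"]
    if idp.get("WantAuthnRequestsSigned") != "true":
        problems.append("WantAuthnRequestsSigned is not true")
    for el in idp.iter():
        loc = el.get("Location")
        if loc and not loc.startswith("https://"):
            problems.append(f"non-https endpoint: {loc}")
    if POST not in {e.get("Binding") for e in idp.findall(f"{{{MD}}}SingleSignOnService")}:
        problems.append("no HTTP-POST SingleSignOnService")
    if EMAIL_FMT not in [e.text for e in idp.findall(f"{{{MD}}}NameIDFormat")]:
        problems.append("emailAddress NameIDFormat missing")
    # A KeyDescriptor with no "use" attribute is valid for both signing and encryption.
    signing = [k for k in idp.findall(f"{{{MD}}}KeyDescriptor") if k.get("use", "signing") == "signing"]
    cert_path = f"{{{DSIG}}}KeyInfo/{{{DSIG}}}X509Data/{{{DSIG}}}X509Certificate"
    cert = signing[0].findtext(cert_path) if signing else None
    if not cert:
        problems.append("no signing certificate")
    else:
        try:
            base64.b64decode("".join(cert.split()), validate=True)
        except binascii.Error:
            problems.append("signing certificate is not valid base64")
    return problems


if __name__ == "__main__":
    metadata = build_idp_metadata("sso.example.org", "school", "abc123", SAMPLE_CERT_PEM)
    print(metadata.decode())
    print("problems:", check_idp_metadata(metadata) or "none")
```

Two things worth knowing when you use it. First, the elements come out in the order the SAML metadata schema defines (KeyDescriptor before the service endpoints); the post's file lists KeyDescriptor last, which Clever evidently accepted, but a schema-strict importer may not. Second, `WantAuthnRequestsSigned="true"` in this file only tells the SP what the IdP would like; with "Client Signature Required" set to OFF on the Keycloak client, as in the table above, Keycloak does not reject an unsigned AuthnRequest from Clever, so the flag is advisory rather than enforced on the Keycloak side.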