[keycloak-user] Keycloak and Clever

Sebastien Blanc sblanc at redhat.com
Wed Apr 10 05:45:57 EDT 2019


Hey Aaron!

Thanks a lot for sharing this with the community. And I agree we must find
a nice solution to persist these kinds of "How-to" articles. I have some
ideas in mind and I will come back to you about this.

Sebi


On Tue, Apr 9, 2019 at 7:31 PM Aaron Echols <aechols at bfcsaz.com> wrote:

> Hi All,
>
> I'm in k12edu and have been working on implementing Clever. I've
> successfully set up and configured Clever as a SP in Keycloak using the
> Active Directory Authentication login method. I wanted to share it here, in
> case there are others that would like to use it.
>
> Also, it might be useful to have a wiki in the Keycloak documentation for
> users to contribute how-to articles on configuring services with Keycloak.
> Please consider this. I'd gladly contribute my Clever and Google
> configurations there.
>
> I'm not sure how this is going to format, hopefully, it doesn't get too
> botched. :)
>
> Create new client
>
>    - Go to the Clients page under the {your} realm.
>    - Click: Create
>    - Download federation metadata: https://clever.com/oauth/saml/metadata.xml
>    - Click: Select file
>    - Browse to the metadata.xml downloaded in the previous step
>    - Click: Save
>    - Set the following options:
>
>
> Setting                                       Flag/Option/String
> Name                                          {Give it a user facing name}
> Enabled                                       ON
> Include AuthnStatement                        ON
> Sign Documents                                ON
> Sign Assertions                               ON
> Signature Algorithm                           RSA_SHA256
> SAML Signature Key Name                       KEY_ID
> Canonicalization Method                       EXCLUSIVE
> Encrypt Assertions                            ON
> Client Signature Required                     OFF
> Force POST Binding                            ON
> Front Channel Logout                          ON
> Force Name ID Format                          ON
> Name ID Format                                email
> Valid Redirect URIs                           https://clever.com/oauth/saml/assert
> Base URL                                      /auth/realms/{realm}/protocol/saml/clients/clever&RelayState=true
> IDP Initiated SSO URL Name                    clever
> Assertion Consumer Service POST Binding URL   https://clever.com/oauth/saml/assert
> Logout Service POST Binding URL               https://clever.com/oauth/saml/assert
>
> Create Mapper(s)
>
>    - Go to: Clients > https://clever.com/oauth/saml/metadata.xml > Edit >
>      Mappers > Create
>    - Set the following options:
>
>
> Setting                     Flag/Option/String
> Name                        clever.any.email
> Mapper Type                 User Property
> Property                    email
> Friendly Name               Email
> SAML Attribute Name         clever.any.email
> SAML Attribute NameFormat
>
> Setting                     Flag/Option/String
> Name                        clever.any.sis_id
> Mapper Type                 User Property
> Property                    username
> Friendly Name               Username
> SAML Attribute Name         clever.any.sis_id
> SAML Attribute NameFormat
>
> Import Custom idP Metadata
>
>    - Login to https://clever.com/in/<your-portal>
>    - Go to: Portal > SSO Settings > Add Login Method > Active Directory
>      Authentication
>    - Click: or upload metadata file instead (not recommended)
>    - Download and modify the Auth Mellon idp-metadata.xml file from your
>      clever client in Keycloak and add the missing information below:
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <EntityDescriptor entityID="https://{vip}/auth/realms/{realm}"
>                   xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
>                   xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
>                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>   <IDPSSODescriptor WantAuthnRequestsSigned="true"
>      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>      <SingleLogoutService
>         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>         Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
>      <SingleLogoutService
>         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>         Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
>      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
>      <SingleSignOnService
>         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>         Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
>      <SingleSignOnService
>         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>         Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
>      <KeyDescriptor use="signing">
>        <dsig:KeyInfo>
>          <dsig:KeyName>{kID}</dsig:KeyName>
>          <dsig:X509Data>
>            <dsig:X509Certificate>{cert}</dsig:X509Certificate>
>          </dsig:X509Data>
>        </dsig:KeyInfo>
>      </KeyDescriptor>
>   </IDPSSODescriptor>
> </EntityDescriptor>
>
>
>    -
>
>    Click the cloud symbol with an up arrow through it to upload the
>    idp-metadata.xml you created.
>    -
>
>    Click: Save
>    -
>
>    You should see a message in green saying: Your settings have been saved
>
>
> References
>
>
> https://support.clever.com/hc/en-us/articles/218050687-Single-sign-on-SSO-with-a-custom-SAML-connection
>
> https://support.clever.com/hc/en-us/articles/215176617
> --
> *Aaron Echols*
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>