[keycloak-user] Keycloak and Clever
Aaron Echols
aechols at bfcsaz.com
Thu Apr 11 12:19:16 EDT 2019
That would be awesome! Thanks. :)
--
*Aaron Echols*
Systems Architect (IT)
Benjamin Franklin Charter School | IT
Email: aechols at bfcsaz.com
Phone: (480) 677-8400
Website: http://www.bfcsaz.com
IT Website: https://it.bfcsaz.com
Support Email: techsupport at bfcsaz.com
Support Portal: https://bfcs.freshservice.com/support/home
Common Questions: https://bfcs.freshservice.com/support/solutions
Forgot your password: https://accounts.bfcsaz.com
<https://www.facebook.com/bfcsaz/> <https://twitter.com/bfcs_k12>
<https://www.instagram.com/bfcs_k12>
*CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, copy, use, disclosure,
or distribution is prohibited. If you are not the intended recipient,
please contact the sender by reply e-mail and destroy all copies of the
original message.
On Wed, Apr 10, 2019 at 2:46 AM Sebastien Blanc <sblanc at redhat.com> wrote:
> Hey Aaron !
>
> Thanks a lot for sharing this with the community. And I agree we must find
> a nice solution to persist these kind of "How-to" articles. I have some
> ideas in mind and I will come back to you about this.
>
> Sebi
>
>
> On Tue, Apr 9, 2019 at 7:31 PM Aaron Echols <aechols at bfcsaz.com> wrote:
>
>> Hi All,
>>
>> I'm in k12edu and have been working on implementing Clever. I've
>> successfully setup and configured Clever as a SP in Keycloak using the
>> Active Directory Authentication login method. I wanted to share it here,
>> in
>> case there are others that would like to use it.
>>
>> Also, it might be useful to have a wiki in the Keycloak documentation for
>> users to contribute how-to articles on configuring services with Keycloak.
>> Please consider this. I'd gladly contribute my Clever and Google
>> configurations there.
>>
>> I'm not sure how this is going to format, hopefully, it doesn't get too
>> botched. :)
>>
>> Create new client
>>
>>
>> -
>>
>> Go to the Clients page under the {your} realm.
>> -
>>
>> Click: Create
>> -
>>
>> Download federation metadata:
>> https://clever.com/oauth/saml/metadata.xml
>> -
>>
>> Click: Select file
>> -
>>
>> Browse to the metadata.xml downloaded in the previous step
>> -
>>
>> Click: Save
>> -
>>
>> Set the following options:
>>
>>
>> Setting
>>
>> Flag/Option/String
>>
>> Name
>>
>> {Give it a user facing name}
>>
>> Enabled
>>
>> ON
>>
>> Include AuthnStatement
>>
>> ON
>>
>> Sign Documents
>>
>> ON
>>
>> Sign Assertions
>>
>> ON
>>
>> Signature Algorithm
>>
>> RSA_SHA256
>>
>> SAML Signature Key Name
>>
>> KEY_ID
>>
>> Canonicalization Method
>>
>> EXCLUSIVE
>>
>> Encrypt Assertions
>>
>> ON
>>
>> Client Signature Required
>>
>> OFF
>>
>> Force POST Binding
>>
>> ON
>>
>> Front Channel Logout
>>
>> ON
>>
>> Force Name ID Format
>>
>> ON
>>
>> Name ID Format
>>
>> email
>>
>> Valid Redirect URIs
>>
>> https://clever.com/oauth/saml/assert
>>
>> Base URL
>>
>> /auth/realms/{realm}/protocol/saml/clients/clever&RelayState=true
>>
>> IDP Initiated SSO URL Name
>>
>> clever
>>
>> Assertion Consumer Service POST Binding URL
>>
>> https://clever.com/oauth/saml/assert
>>
>> Logout Service POST Binding URL
>>
>> https://clever.com/oauth/saml/assert
>>
>> Create Mapper(s)
>>
>>
>> -
>>
>> Go to: Clients > https://clever.com/oauth/saml/metadata.xml > Edit >
>> Mappers > Create
>> -
>>
>> Set the following options:
>>
>>
>> Setting
>>
>> Flag/Option/String
>>
>> Name
>>
>> clever.any.email
>>
>> Mapper Type
>>
>> User Property
>>
>> Property
>>
>> email
>>
>> Friendly Name
>>
>> Email
>>
>> SAML Attribute Name
>>
>> clever.any.email
>>
>> SAML Attribute NameFormat
>>
>>
>> Setting
>>
>> Flag/Option/String
>>
>> Name
>>
>> clever.any.sis_id
>>
>> Mapper Type
>>
>> User Property
>>
>> Property
>>
>> username
>>
>> Friendly Name
>>
>> Username
>>
>> SAML Attribute Name
>>
>> clever.any.sis_id
>>
>> SAML Attribute NameFormat
>>
>>
>> Import Custom idP Metadata
>>
>>
>>
>> -
>>
>> Login to https://clever.com/in/<your-portal>
>> -
>>
>> Go to: Portal > SSO Settings > Add Login Method > Active Directory
>> Authentication
>> -
>>
>> Click: or upload metadata file instead (not recommended)
>> -
>>
>> Download and modify the Auth Mellon idp-metadata.xml file from your
>> clever client in Keycloak and add the missing information below:
>>
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>>
>> <EntityDescriptor entityID="https://{vip}/auth/realms/{realm}"
>>
>> xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
>>
>> xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
>>
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>
>> <IDPSSODescriptor WantAuthnRequestsSigned="true"
>>
>> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>
>> <SingleLogoutService
>>
>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>
>> Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
>>
>> <SingleLogoutService
>>
>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>>
>> Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
>>
>>
>> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
>>
>> <SingleSignOnService
>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>
>> Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
>>
>> <SingleSignOnService
>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>>
>> Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
>>
>> <KeyDescriptor use="signing">
>>
>> <dsig:KeyInfo>
>>
>> <dsig:KeyName>{kID}</dsig:KeyName>
>>
>> <dsig:X509Data>
>>
>> <dsig:X509Certificate>{cert}</dsig:X509Certificate>
>>
>> </dsig:X509Data>
>>
>> </dsig:KeyInfo>
>>
>> </KeyDescriptor>
>>
>> </IDPSSODescriptor>
>>
>> </EntityDescriptor>
>>
>>
>> -
>>
>> Click the cloud symbol with an up arrow through it to upload the
>> idp-metadata.xml you created.
>> -
>>
>> Click: Save
>> -
>>
>> You should see a message in green saying: Your settings have been saved
>>
>>
>> References
>>
>>
>> https://support.clever.com/hc/en-us/articles/218050687-Single-sign-on-SSO-with-a-custom-SAML-connection
>>
>> https://support.clever.com/hc/en-us/articles/215176617
>> --
>> *Aaron Echols*
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
More information about the keycloak-user
mailing list