[keycloak-user] Keycloak-SAML server integration

pavlos kaimakis pkaim at hotmail.com
Fri Oct 18 13:16:02 EDT 2019


Hello,

Currently I’m using Keycloak as an IDP connected to an Active Directory server, with a bespoke tool I’ve created as an SP (Keycloak client), and everything works as expected. I recently got a request to use SAML for authentication purposes, and I was thinking I could use Keycloak as an identity broker (instead of changing my code to integrate it with the SAML server right away).

So the flow would be ‘my_tool (Keycloak client)’ -> Keycloak -> SAML server -> LDAP.
What I did on the Keycloak side was to add an Identity Provider using SAML, having taken some metadata from the SAML server. At the same time I connected this SAML server to my Active Directory.
Now on the Keycloak login page I get a button reading ‘saml’ next to the username/password fields. I click it and I get redirected to my SAML server, and if I log in with my AD credentials, I get a ‘success screen’.
Nonetheless, each time I try to log in again I get an ‘update profile’ page, although I use the same username/password. I’ve observed that the ID changes, and this ID seems to be related to the identity_provider_identity field (according to the Keycloak logs). This ID is an alphanumeric string (first column under the ‘users’ tab).

Any ideas what I’m doing wrong? Just to note that under the SAML Identity Provider I’ve created mappers for the AD attributes, but I haven’t created any mapper under the client option.
Any ideas would be more than welcome.

Regards,

Pavlos
