
Keycloak SAML

Use Keycloak as a SAML IdP for Hanzo IAM sign-in.

Keycloak is an open-source IdP that supports SAML and OpenID Connect and can broker LDAP or other SAML IdPs. This guide configures a Keycloak SAML client and Hanzo IAM so Keycloak users can sign in to Hanzo IAM.

Configure Keycloak

Example assumptions:

  • Hanzo IAM: UI at http://localhost:7001, API at http://localhost:8000. Adjust for your deployment.
  • Keycloak: UI at http://localhost:8080/auth.
  • SP ACS URL and Entity ID: http://localhost:8000/api/acs.

:::note

The /api/acs endpoint only accepts POST requests. Ensure Keycloak is configured to use HTTP POST binding for SAML responses.

:::

Use the default realm or create a new one.

Add Keycloak realm

Keycloak realm

Add a client entry in Keycloak

Click Clients in the menu and then click Create to go to the Add Client page. Fill in the fields as follows:

  • Client ID: http://localhost:8000/api/acs - This will be the SP Entity ID used in the Hanzo IAM configuration later.
  • Client Protocol: saml.
  • Client SAML Endpoint: http://localhost:8000/api/acs - This URL is where you want the Keycloak server to send SAML requests and responses. Generally, applications have one URL for processing SAML requests. Multiple URLs can be set in the Settings tab of the client.

Add Keycloak client

Click Save. This action creates the client and brings you to the Settings tab.

The following are part of the settings:

  1. Name - e.g. Hanzo IAM; any friendly name for the Keycloak UI.
  2. Enabled - Select on.
  3. Include Authn Statement - Select on.
  4. Sign Documents - Select on.
  5. Sign Assertions - Select off.
  6. Encrypt Assertions - Select off.
  7. Client Signature Required - Select off.
  8. Force Name ID Format - Select on.
  9. Name ID Format - Select username.
  10. Valid Redirect URIs - Add http://localhost:8000/api/acs.
  11. Master SAML Processing URL - http://localhost:8000/api/acs.
  12. Fine Grain SAML Endpoint Configuration
    1. Assertion Consumer Service POST Binding URL - http://localhost:8000/api/acs.
    2. Assertion Consumer Service Redirect Binding URL - http://localhost:8000/api/acs.

Save the configuration.

Configure Keycloak client

:::tip

To sign the authn request: enable Client Signature Required and upload your certificate. Hanzo IAM’s private key and certificate (token_jwt_key.key, token_jwt_key.pem) are in the object directory. In Keycloak, open Keys > Import, set Archive Format to Certificate PEM, and upload the certificate.

:::

Click Installation tab.

For Keycloak <= 5.0.0, select Format Option - SAML Metadata IDPSSODescriptor and copy the metadata.

For Keycloak 6.0.0+, select Format Option - Mod Auth Mellon files and click Download. Unzip the downloaded .zip file, locate idp-metadata.xml, and copy its contents.

Download metadata

Copy metadata

Configure in Hanzo IAM

Create a new provider in Hanzo IAM.

Set Category to SAML and Type to Keycloak. Paste the metadata you copied from Keycloak into the Metadata field. Click Parse; the Endpoint, IdP, and Issuer URL fields are filled in automatically from the metadata. Finally, click Save.
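The Parse step above reads the Keycloak IdP metadata. As an added example (not Hanzo IAM's or Keycloak's own code), the following Python snippet pulls the same values out of a constructed idp-metadata.xml in the shape Keycloak exports: the issuer (entityID), the SingleSignOnService endpoints, the signing certificate, and the WantAuthnRequestsSigned flag that corresponds to Client Signature Required. The realm name, URLs and certificate body in the sample are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape Keycloak exports for a realm named "master";
# the certificate body is a placeholder, not a real key.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://localhost:8080/auth/realms/master">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate> MIIC...PLACEHOLDER... </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/auth/realms/master/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost:8080/auth/realms/master/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract what an SP needs from IdP metadata; reject files it cannot use."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # e.g. SP metadata pasted by mistake
        raise ValueError("no IDPSSODescriptor in metadata")
    endpoints = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys cannot verify signed responses
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # drop PEM line breaks
    # Sign Documents is on in this guide, so the SP needs a signing cert to verify responses.
    if not certs:
        raise ValueError("IdP metadata carries no signing certificate")
    return {"issuer": root.get("entityID"),  # Hanzo IAM "Issuer URL"
            "sso_post": endpoints.get(POST), "sso_redirect": endpoints.get(REDIRECT),
            "signing_certs": certs,
            # True when Client Signature Required is on: then enable "Sign request" in Hanzo IAM
            "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true"}
```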

:::tip

If Client Signature Required is enabled in Keycloak and you uploaded a certificate, enable Sign request in Hanzo IAM.

:::

Hanzo IAM provider

Edit the application you want to configure in Hanzo IAM. Select the provider you just added and click the Save button.

Add provider for app

Test

Open the application’s login page; a Keycloak option appears. Click it to sign in via Keycloak; after success you are logged into Hanzo IAM.

Hanzo IAM login
