The primary goal of this project is to establish a SAML authentication system using Keycloak. It involves configuring two Keycloak instances: one as the Identity Provider (IdP) and the other as the Service Provider (SP), which brokers logins from the IdP. A demo application serves as an OAuth2 client secured by the Keycloak SP, so that every login is ultimately handled through SAML between the two Keycloak instances. This setup demonstrates the integration and the authentication flows between the IdP, the SP, and the demo application.
- IdP Initiated Flow
- Service Provider Initiated Flow
```mermaid
sequenceDiagram
actor User
participant IdP as SAML Identity Provider
participant SP as SAML Service Provider
participant Application as Service Provider's <br> OAuth2 Application
User ->> IdP: Logs in with credentials
IdP ->> User: Authenticates user and prepares SAML Response
IdP ->> SP: Sends SAML Response (with user info)
Note over SP: Maps user to an existing account<br>or dynamically creates a new account
SP ->> Application: Issues OAuth2 Authorization Code
SP ->> User: Redirects user to Application with <br>OAuth2 Authorization Code
User ->> Application: Accesses application using <br>OAuth2 Authorization Code
```
In the IdP Initiated Flow, the process begins at the Identity Provider (IdP). It is typically used when a user reaches a service from the IdP side, for example from an application dashboard, rather than by navigating to the Service Provider (SP) first. Here's how it works:
- User Access: The user navigates directly to the IdP and authenticates, via a login page or a dashboard.
- SAML Assertion Generation: Once authenticated, the IdP generates a SAML assertion containing information about the user and their authentication status and wraps it in a SAML Response.
- Redirection to SP: The IdP sends the user to the SP's Assertion Consumer Service (ACS) URL. The SAML Response travels with the user, typically as an auto-submitted HTML form (the HTTP-POST binding).
- Assertion Validation: The SP validates the response to ensure it is genuine and has not been tampered with: it verifies the XML signature and checks the issuer, the Destination, the audience and the validity window. Because no AuthnRequest preceded this response, there is no InResponseTo to match against, so the SP must additionally reject assertion IDs it has already consumed to stop replays.
- User Access Granted: Upon successful validation, the SP grants access to the user, allowing them to use the service.
- User Experience: Simplifies the login process for users who usually start at the IdP.
- Centralized Authentication: Allows for centralized management of user identities and access controls.
```mermaid
sequenceDiagram
actor User
participant Application as Service Provider's <br> OAuth2 Application
participant SP as SAML Service Provider
participant IdP as SAML Identity Provider
User ->> Application: Requests access
Application ->> SP: Checks if the user is authenticated
SP ->> Application: User is not authenticated
Application ->> SP: Redirects user for authentication
SP ->> IdP: Redirects user for authentication<br>(AuthnRequest)
IdP ->> User: Prompts user to log in
User ->> IdP: Logs in with credentials
IdP ->> SP: Redirects authenticated user<br>(SAML Response)
Note over SP: Maps user to an existing account<br>or dynamically creates a new account
SP ->> User: Redirects authenticated user<br>(OAuth2 Authorization Code)
```
In the Service Provider Initiated Flow, the user begins at the Service Provider (SP) and is redirected to the Identity Provider (IdP) for authentication. This is the common case: a user opens a service that requires them to log in. Here's how it works:
- User Access: The user navigates to the SP and tries to access a protected resource.
- Redirection to IdP: The SP detects that the user is not authenticated and redirects them to the IdP's single sign-on URL with a SAML AuthnRequest (usually via the HTTP-Redirect binding) that identifies the SP and carries a unique request ID. The resource the user asked for is not part of the AuthnRequest; the SP either remembers it or passes it alongside as RelayState.
- User Authentication: The user enters their credentials on the IdP's login page. Upon successful authentication, the IdP generates a SAML assertion and places it in a SAML Response whose InResponseTo echoes the AuthnRequest ID.
- Redirection Back to SP: The IdP sends the user back to the SP's Assertion Consumer Service URL with the SAML Response (typically via HTTP-POST) and the unchanged RelayState.
- Assertion Validation: The SP validates the SAML assertion (signature, issuer, audience, Destination and validity window) and checks that InResponseTo matches an AuthnRequest it issued and has not yet redeemed.
- Access Granted: If the assertion is valid, the user is granted access to the requested resource on the SP.
- User Convenience: Users can start at the SP, which is often more intuitive for accessing specific applications.
- Security: The SP binds the response to a request it issued, so unsolicited responses are rejected, and the user is authenticated before accessing sensitive information or services.
Both flows facilitate Single Sign-On (SSO), allowing users to access multiple services without repeatedly entering credentials, enhancing both user experience and security.
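The "Assertion Validation" step of both flows above is where most SAML SP bugs live. The following is an added example, not code from this project or from Keycloak, showing the checks an SP performs on a SAML Response once the XML signature has been verified (XML-DSig verification itself is not shown): status, Destination, issuer, audience, validity window, bearer SubjectConfirmation, and the InResponseTo rule that distinguishes the two flows (it must match the SP's own AuthnRequest in the SP-initiated flow and must be absent in the unsolicited, IdP-initiated flow). The entity IDs and ACS URL for the `my-idp`/`my-sp` realms are assumed values, and the sample Response is constructed for the example, not captured from the demo.

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # production code should parse with defusedxml

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CLOCK_SKEW = timedelta(seconds=60)
# Assumed identifiers for the demo realms; not taken from the project's configuration.
IDP_ENTITY_ID = "http://localhost/idp-auth/realms/my-idp"
SP_ENTITY_ID = "http://localhost/sp-auth/realms/my-sp"
SP_ACS_URL = "http://localhost/sp-auth/realms/my-sp/broker/saml/endpoint"

class SamlValidationError(Exception): pass

def _ts(value: str) -> datetime:  # xsd:dateTime in UTC, e.g. 2024-05-01T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_saml_response(xml_bytes: bytes, seen_ids: set, now: datetime,
                           expected_in_response_to: str | None = None) -> dict:
    """Checks made after the XML signature has been verified (signature check not shown).
    expected_in_response_to: ID of the AuthnRequest this SP issued (SP-initiated flow), or
    None for an unsolicited, IdP-initiated Response. seen_ids is the assertion replay cache."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("status is not Success")
    if root.get("Destination") != SP_ACS_URL:  # addressed to some other endpoint
        raise SamlValidationError("Destination is not our ACS URL")
    def check_irt(elem):  # must match our request, or be absent when unsolicited
        irt = elem.get("InResponseTo")
        if expected_in_response_to is None and irt is not None:
            raise SamlValidationError("unsolicited response must not carry InResponseTo")
        if expected_in_response_to is not None and irt != expected_in_response_to:
            raise SamlValidationError("InResponseTo does not match our AuthnRequest")
    check_irt(root)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("no plaintext Assertion (EncryptedAssertion not handled here)")
    for elem in (root, assertion):
        issuer = elem.find("saml:Issuer", NS)
        if issuer is None or (issuer.text or "").strip() != IDP_ENTITY_ID:
            raise SamlValidationError("unexpected Issuer")
    assertion_id = assertion.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        raise SamlValidationError("assertion ID missing or already consumed (replay)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("no Conditions")
    if cond.get("NotBefore") and now + CLOCK_SKEW < _ts(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("we are not in the AudienceRestriction")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation[@Method='%s']/"
                         "saml:SubjectConfirmationData" % BEARER, NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        raise SamlValidationError("no bearer SubjectConfirmationData for our ACS URL")
    check_irt(scd)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    seen_ids.add(assertion_id)  # record only once every check has passed
    return {"name_id": (name_id.text or "").strip() if name_id is not None else None, "attributes": attrs}

def rejection_reason(xml_bytes, seen_ids, now, expected_in_response_to=None) -> str | None:
    """The error message for a rejected response, or None when it is accepted."""
    try:
        validate_saml_response(xml_bytes, seen_ids, now, expected_in_response_to)
        return None
    except SamlValidationError as exc:
        return str(exc)

def sample_response(in_response_to: str | None = None, assertion_id: str = "_a1",
                    audience: str = SP_ENTITY_ID) -> bytes:
    """Constructed, unsigned sample Response in the shape an IdP emits (not a real capture)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T10:00:00Z"{irt} Destination="{SP_ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>idpuser@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData{irt}
        Recipient="{SP_ACS_URL}" NotOnOrAfter="2024-05-01T10:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Idp</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="tenant-id"><saml:AttributeValue>tenant-a</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement></saml:Assertion></samlp:Response>""".encode()

NOW = datetime(2024, 5, 1, 10, 0, 30, tzinfo=timezone.utc)
LATER = NOW + timedelta(minutes=10)  # after the sample assertion's NotOnOrAfter
```

Calling `validate_saml_response(sample_response("_req1"), set(), NOW, "_req1")` accepts the SP-initiated sample and returns the NameID plus the `firstName`, `lastName` and `tenant-id` attributes; feeding the same bytes to the same replay cache a second time is rejected, as is a Response that carries an InResponseTo when the SP never sent an AuthnRequest, or one whose AudienceRestriction names a different SP. The replay cache is an in-memory set here; a real SP keeps it at least until the assertion's NotOnOrAfter and shares it across nodes.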
- Removes the extra step for new users (Keycloak's Review Profile page in the first login flow), so they are not asked to enter their username, first name, and last name during their first login.
- User Properties Mapping: Automatically transfers `firstName` and `lastName` from the Identity Provider (IdP) to the Service Provider (SP) user profile.
- Email as Username: Uses the user's email from the IdP as their username in the SP for easier access.
- Custom Attribute Support:
  - Maps additional information, such as `tenant-id`, to ensure users are linked to the correct tenant.
  - Allows the assignment of users to specific groups in the SP based on custom attributes from the IdP.
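The diagrams' "Maps user to an existing account or dynamically creates a new account" step together with the mappers listed above amount to a small, deterministic procedure. The following is an added example, not this project's configuration or Keycloak code, that models it: the email attribute becomes the SP username, `firstName`/`lastName`/`tenant-id` are imported, and group membership is derived from IdP attributes by a rule table in the style of an attribute-to-group mapper. The attribute name `email`, the group rules and the in-memory user store are assumptions for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed mapper rules (not the project's configuration): a group is assigned when the named
# IdP attribute carries the given value, like Keycloak's attribute-to-group mappers.
GROUP_RULES = [
    {"attribute": "tenant-id", "value": "tenant-a", "group": "/tenants/tenant-a"},
    {"attribute": "tenant-id", "value": "tenant-b", "group": "/tenants/tenant-b"},
    {"attribute": "role", "value": "admin", "group": "/admins"},
]

@dataclass
class SpUser:
    username: str
    email: str
    first_name: str = ""
    last_name: str = ""
    attributes: dict = field(default_factory=dict)
    groups: set = field(default_factory=set)
    federated_ids: set = field(default_factory=set)  # IdP NameIDs linked to this account

def first(attrs: dict, name: str) -> str | None:
    """First value of a (possibly multi-valued) SAML attribute, or None."""
    values = attrs.get(name) or []
    return values[0] if values else None

def apply_saml_attributes(users: dict[str, SpUser], name_id: str, attrs: dict[str, list[str]]) -> SpUser:
    """Find-or-create the SP account for an IdP subject and sync its profile and groups.
    users: the SP's user store keyed by username (an in-memory dict here). Returns the account."""
    # Email as username: the assumed 'email' attribute, falling back to the NameID; normalised
    # to lower case so that a re-cased email at the IdP does not create a duplicate account.
    email = (first(attrs, "email") or name_id).lower()
    user = users.get(email)
    if user is None:  # first login of this subject: create the account, no Review Profile step
        user = users[email] = SpUser(username=email, email=email)
    user.federated_ids.add(name_id)  # link the IdP identity to the existing or new account
    user.first_name = first(attrs, "firstName") or user.first_name
    user.last_name = first(attrs, "lastName") or user.last_name
    if first(attrs, "tenant-id"):
        user.attributes["tenant-id"] = first(attrs, "tenant-id")
    # Rule-managed groups are recomputed on every login, so a tenant change or a removed
    # attribute at the IdP also removes the old group at the SP. Other groups are untouched.
    user.groups -= {r["group"] for r in GROUP_RULES}
    for r in GROUP_RULES:
        if r["value"] in (attrs.get(r["attribute"]) or []):
            user.groups.add(r["group"])
    return user
```

On the first login the call creates the account from the assertion; on the next login with a different `tenant-id` it finds the same account (one entry in the store), keeps the imported name, and swaps `/tenants/tenant-a` for `/tenants/tenant-b` instead of accumulating both.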
```sh
./start.sh
```
Access the setup at http://localhost
| IDP Keycloak | SP Keycloak |
|---|---|
| http://localhost/idp-auth | http://localhost/sp-auth |
| Username: admin | Username: admin |
| Password: admin | Password: admin |
| Realm: my-idp | Realm: my-sp |
| Single Sign-on from IdP | Single Sign-out from IdP |
|---|---|
| 1. Open http://localhost/idp | 1. Open http://localhost/idp |
| 2. Click Open SP App | 2. Click Logout |
| 3. Enter Username: idpuser, Password: test | 3. You should be logged out from both IdP and SP |
| 4. Click Sign in | |
| 5. You are now logged into both apps | |
| Single Sign-on from SP | Single Sign-out from SP |
|---|---|
| 1. Open http://localhost/sp | 1. Open http://localhost/sp |
| 2. Click on SSO with IdP via SAML | 2. Click Logout |
| 3. Enter Username: idpuser, Password: test | 3. You should be logged out from both IdP and SP |
| 4. Click Sign in | |
| 5. You are now logged into both apps | |
- Redirections to specific URLs using `RelayState`. Note that `RelayState` is an opaque value that round-trips through the IdP unchanged and can be set by whoever started the flow, so the SP should only follow it when it is a relative path or matches an allowlist of its own URLs; otherwise it becomes an open redirect.
- Redirections to the IdP/SP app on Single Sign-out