Keycloak SAML Setup

Create a new SAML configuration in Kasm

  1. Log into the Kasm UI as an administrator.

  2. Select Access Management -> Authentication -> SAML -> Add Configuration

  3. The SAML 2.0 Configuration page will auto-generate the Entity ID, Single Sign On Service, Single Logout Service, and Relay State values.

  4. Check Enable and enter a Display Name (e.g. Keycloak).

  5. Enter the Hostname for the Workspaces deployment (e.g. my.kasm.server).

  6. Check Default.

  7. Enter Role in Group Member Attribute.

  8. Enter username in NameID Attribute.

[Image: Kasm SAML Configurations]

  1. Check Debug. Disable this setting after testing is complete.

  2. Leave this page open and continue to the next steps.

Realm SAML Settings

  1. Navigate to the Keycloak Admin Portal. Select the desired Realm (e.g. Myrealm), then select Realm Settings.

  2. Click on SAML 2.0 Identity Provider Metadata.

[Image: Realm Settings]

  1. Copy the following items from the XML document into the Identity Provider section of the SAML configuration in Workspaces.

Keycloak Property (metadata XML)         Workspaces Property
entityID                                 Entity ID
ds:X509Certificate                       X509 Certificate
md:SingleLogoutService (HTTP-POST)       Single Logout Service / SLO Endpoint
md:SingleSignOnService (HTTP-POST)       Single Sign On Service / SAML 2.0 Endpoint

[Image: SAML XML]

  1. In the Advanced Settings of the Workspaces SAML configuration, check Want Assertions Signed.

  2. In the Advanced Settings of the Workspaces SAML configuration, set Signature Algorithm to rsa-sha256.

  3. Click Save.

[Image: Identity Provider]

  1. Select Edit next to the new SAML configuration, as its settings will need to be referenced in the following sections.

Add a new client in Keycloak

  1. Navigate to the Keycloak Admin Portal. Select the desired Realm (e.g. Myrealm), then select Clients.

[Image: Keycloak Portal]

  1. In the Clients window select Create.

  2. In the Client ID field, enter the value shown as Entity ID in the Service Provider section of the Workspaces SAML configuration form.

  3. Select saml as the Client Protocol and click Save.

[Image: Add Client]

Client Configurations

  1. Enter a value for the Name field (e.g. Kasm Workspaces).

  2. Ensure Sign Assertions is set to On.

  3. Ensure Client Signature Required is set to Off.

  4. Ensure Force Name ID Format is set to On.

  5. Update Valid Redirect URLs with a wildcard entry for the Workspaces deployment (e.g. https://my.kasm.server/*).

  6. Update the Base URL with the URL of the Workspaces deployment (e.g. https://my.kasm.server).

[Image: Client Configurations]

  1. Copy the Service Provider entries from the Kasm SAML configuration started in the previous section into the client's Basic SAML configuration fields, then click Save.

Keycloak Property                    Workspaces Property (Service Provider)
Master SAML Processing URL           Single Sign On Service
Logout Service POST Binding URL      Single Logout Service

[Image: SAML URL Configurations]

Adjust Single Role Attribute in Keycloak

  1. Navigate to the Keycloak Admin Portal. Select the desired Realm (e.g. Myrealm), then select Client Scopes.

[Image: Keycloak Portal]

  1. Select role_list (saml).

  2. Select the Mappers tab.

  3. Select role list.

  4. Set Single Role Attribute to On, then click Save.

[Image: Role List]

Testing Access

  1. Log out of the Kasm UI if already logged in.

  2. Navigate to the Kasm UI login page.

[Image: Kasm Login]

  1. Click Keycloak to initiate the SAML SSO process.

[Image: Keycloak Login]

Mapping Roles

During the SAML authentication process, Keycloak sends a list of the user's roles in the assertion. These roles can be mapped to Kasm Groups.

  1. Navigate to the Keycloak Admin Portal. Select the desired Realm (e.g. Myrealm), then select Roles.

[Image: Keycloak Portal]

  1. Select Add Role.

  2. Name the role kasm_admins then click Save.

[Image: Create Role]

  1. Select Users from the Keycloak menu, then click the ID next to the desired user.

[Image: User Selection]

  1. Select the Role Mappings tab.

  2. Select kasm_admins from the Available Roles then click Add selected.

  3. Log into the Kasm UI as an administrator.

  4. Select Access Management -> Groups, then click Add Group.

  5. Name the Group Keycloak Kasm Admins and give it a priority (e.g. 10).

  6. Save the new group by clicking Save.

[Image: Create Group]

  1. On the Groups screen, using the arrow menu select Edit on the group that was just created.

  2. Navigate to the SSO Group Mappings tab and select Add SSO Mapping.

  3. Select the SAML IDP created above ("SAML - Keycloak") as the SSO Provider.

  4. Enter kasm_admins as the Group Attributes then click Submit.

[Image: Add SSO Group Mapping]

  1. Using the arrow menu select Edit next to the Keycloak Kasm Admins Group.

  2. Click Add Settings in the Settings section.

  3. Select administrator from the dropdown, select True, then click Submit.

  4. Log out of Kasm and back in via SAML as the user assigned the role above. The user should now be mapped to the Keycloak Kasm Admins group.
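The Single Role Attribute setting adjusted earlier and the SSO group mapping in this section meet in the assertion Keycloak sends. This added example (not Kasm or Keycloak code) parses a constructed assertion carrying one multi-valued Role attribute, reads the NameID that Kasm uses as the username, and applies constructed mappings in the shape of the SSO Group Mappings tab; the username, roles, provider label and group names are sample values. It also accepts the shape produced with Single Role Attribute Off (one Role attribute per role), so the same check works while comparing the two settings with Debug enabled.

```python
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment in the shape Keycloak produces once Single Role Attribute is On:
# a single "Role" attribute (the Group Member Attribute configured in Kasm) carrying every
# realm role as its own AttributeValue. The username and roles are made-up sample values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>kasm_admins</saml:AttributeValue>
      <saml:AttributeValue>offline_access</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed SSO group mappings, mirroring entries on a Kasm group's SSO Group Mappings tab:
# (SSO provider, group attribute value) -> Kasm group name.
GROUP_MAPPINGS = {
    ("SAML - Keycloak", "kasm_admins"): "Keycloak Kasm Admins",
    ("SAML - Keycloak", "kasm_users"): "Keycloak Kasm Users",
}

def attribute_values(assertion_xml, name):
    """Return all values of the named attribute. Handles one multi-valued attribute
    (Single Role Attribute On) and several single-valued attributes of the same name (Off)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML):
        if attr.get("Name") == name:
            values.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", SAML) if v.text)
    return values

def name_id(assertion_xml):
    """Return the subject NameID, which Kasm uses as the username (NameID Attribute = username)."""
    return ET.fromstring(assertion_xml).findtext(".//saml:Subject/saml:NameID", namespaces=SAML)

def mapped_groups(assertion_xml, provider, group_member_attribute="Role"):
    """Kasm groups the user qualifies for: every mapping whose provider matches and whose
    group attribute value appears among the roles the IdP sent."""
    roles = set(attribute_values(assertion_xml, group_member_attribute))
    return sorted(group for (p, value), group in GROUP_MAPPINGS.items()
                  if p == provider and value in roles)

if __name__ == "__main__":
    print(name_id(SAMPLE_ASSERTION), mapped_groups(SAMPLE_ASSERTION, "SAML - Keycloak"))
```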