Keycloak SAML Integration Setup Guide
In this guide, we will cover how to set up Descope as a federated Identity Provider (IdP) using Security Assertion Markup Language (SAML) to implement authentication for applications that currently use Keycloak.
Configuring Keycloak SSO
Descope will act as the SAML IdP so that Descope can be used for authentication while Keycloak remains the primary user management solution.
This will allow you to have the versatility and customizability of Descope Flows in the authentication process without having to migrate all users from Keycloak.
Configuring Descope as a SAML IdP on Keycloak
After installing Keycloak and running it on your local machine, navigate to the Identity Providers section of the menu.
Select SAML 2.0 to create a new identity provider. This is where the Descope Application information will be entered.
Now in the Descope Console, navigate to the Applications page and create a new application by pressing the create button in the top right. Make sure the new application that is being created is using SAML.
After creating the Application in Descope, copy the Descope Metadata (XML) from the Application settings and enter it as the SAML entity descriptor in Keycloak. Keycloak requires a single logout service URL, which Descope does not provide, so enter any generic URL in that field and enable backchannel logout instead. Then set the NameID policy format to Email and press add.
Configuring Keycloak as a SAML Application on Descope
Now in the Descope Console, enter the information about the Service Provider. Enter the connection details manually:
- ACS URL: http(s)://host:port/realms/realm-name/broker/IdP-name/endpoint
- Entity ID: http(s)://host:port/realms/realm-name
Make sure the SAML Assertion Subject Type is also set to Email and Email is mapped to NameID.
SSO is now enabled for Keycloak. Be sure to grant new users roles and permissions in Keycloak so that they can utilize the Keycloak console.
Get started by going to the Applications page in your Descope Console! You can read more about SSO Applications here.
If you have any other questions about Descope or our flows, feel free to reach out to us!