Keycloak SAML Integration Setup Guide

In this guide, we will cover how to set up Descope as a federated Identity Provider (IdP) using Security Assertion Markup Language (SAML) to implement authentication for applications that currently use Keycloak.

Configuring Keycloak SSO

Descope will act as the SAML IdP so that Descope can be used for authentication while Keycloak remains the primary user management solution.

This will allow you to have the versatility and customizability of Descope Flows in the authentication process without having to migrate all users from Keycloak.

Configuring Descope as a SAML IdP on Keycloak

After installing Keycloak and running it on your local machine, navigate to the Identity Providers section of the menu.

Creating a new SAML provider in Keycloak

Select SAML 2.0 to create a new identity provider. This is where the Descope Application information will be entered.

Now in the Descope Console, navigate to the Applications page and create a new application by pressing the create button in the top right. Make sure the new application that is being created is using SAML.

Creating a new SAML Application in Descope

After creating the Application in Descope, copy the Descope Metadata (XML) from the Application settings and paste it into the SAML entity descriptor field in Keycloak. Keycloak requires a Single Logout Service URL, which Descope does not provide, so enter a placeholder URL in that field and enable backchannel logout instead. Keep in mind that because the placeholder is not a real logout endpoint, a logout started in Keycloak is not propagated to Descope; the user's Descope session stays valid until it expires on the Descope side. Then set the NameID policy format to Email and click Add.

Setting up Descope as the IdP in Keycloak

Configuring Keycloak as a SAML Application on Descope

Now in the Descope Console, enter the Service Provider (Keycloak) details into the SAML Application. If you enter the connection details manually, use:

  • ACS URL: http(s)://host:port/realms/realm-name/broker/IdP-name/endpoint
  • Entity ID: http(s)://host:port/realms/realm-name

Setting up Keycloak as the SP in Descope

Make sure the SAML Assertion Subject Type is also set to Email and that the Email attribute is mapped to NameID, so the NameID Keycloak receives matches the Email NameID policy format configured on the Keycloak side.

SSO is now enabled for Keycloak. Be sure to grant new users roles and permissions in Keycloak so that they can utilize the Keycloak console.

Log in screen with SSO

Get started by going to the Applications page in your Descope Console! You can read more about SSO Applications here.

If you have any other questions about Descope or our flows, feel free to reach out to us!
