SSO IntegrationsTenants / Custom ProvidersSetup GuidesKeycloak

SAML

In this guide, we will cover how to set up Keycloak as a Security Assertion Markup Language (SAML) Identity Provider (IdP) to implement SSO for any Descope project.

Configuring SSO with Keycloak

1. Create the Tenant in Descope

From the Tenants page in the Descope Console, create a new Tenant in the top right of the page.

Creating a new OIDC SSO tenant in Descope

In the Tenant settings, add your tenant's email domain then navigate to Authentication methods, then SSO and select SAML. Add the same email domain as the SSO Domain for the tenant.

Creating the tenant in Descope

Then under SSO Configuration, select enter the connection details manually and enter the following information:

  • SSO URL: https://your_keycloak_url/realms/your_keycloak_realm/protocol/saml
  • Entity ID: https://your_keycloak_url/realms/your_keycloak_realm

Configuring the IdP in Descope

The certificate will be added later. Then set the Subject NameID Format to Email.

2. Creating the SAML Client in Keycloak

In Keycloak, navigate to Clients and create a new client. Set the client type to SAML and the client ID to the Descope Entity ID from your new tenant's SSO settings under Service Provider.

Copy the ACS URL from the tenant's settings and paste it into the Valid redirect URL in Keycloak. Also include the beginning of the URL as the root URL in Keycloak.

Note: The ACS URL and root URL will be different if a custom CNAME is configured.

SP information in Keycloak

Set the name ID format to email, enable include AuthnStatement, optimize REDIRECT signing key lookup, and sign documents in Keycloak.

Then go to the Keys tab and activate client signature. After activating it, download the Request Signing Key from the tenant's settings in Descope and upload it as the client signature certificate.

Download key in Descope

Client signature in Keycloak

Now under client scopes, delete the role_list scope. In the client's scope settings, add predefined mappers for role list and X500 email.

Adding role mappers to the scope

Then navigate to Realm Settings in Keycloak and go to the Keys tab. Here, view the RS256 certificate and copy it. Paste it into the certificate space in SSO Configuration in Descope. Then under SSO Mapping, map the IdP user value email to the Email Descope user attribute.

If more attributes need to be mapped, add the predefined mapper in the client's scope settings and include it in the SSO Mapping section of the new Tenant's settings. To map groups/roles in Descope, make sure the role list mapper is added to the client scope in Keycloak. Then, map the Keycloak role to a Descope role in the Tenant's settings under SSO Mapping in the Descope Console. The name of the attribute in the SAML assertion can be changed by modifying the role attribute name under the role list mapper in Keycloak. The mapper can also be configured in Keycloak to have all roles under one attribute value or have each role under its own attribute.

You can now add the SSO action step to a Descope flow to authenticate with SAML SSO. Make sure to use an email with the domain that you used earlier.

Get started by going to the Tenants page in your Descope Console! You can read more about SSO Tenants here.

If you have any other questions about Descope or our flows, feel reach to reach out to us!

Was this helpful?

Previous

OIDC

Next

Okta

On this page

SAMLConfiguring SSO with Keycloak1. Create the Tenant in Descope2. Creating the SAML Client in Keycloak