Summary

Information about how to configure Keycloak to interact with your SAML system.

Enabling and configuring a new authentication mode will NOT disable any existing authentication modes configured in Keycloak: any account that could log in before still can. Therefore, CAST highly recommends that you disable all existing authentication methods before adding a new one. In most cases this means disabling or deleting the "local" users provided with CAST Console, and any local users that you have created yourself:

Process

To authenticate in Console with your on-premises SAML identity provider (IdP), you will need to set up Keycloak in "Service Provider" (SP) mode, so that Keycloak delegates the actual authentication to your IdP. To do so, click the Identity Providers option on the left, then choose SAML v2.0 in the dropdown:

Now import the Identity Provider XML metadata file (this is the file generated by your IdP or network administrator), either by fetching it from a URL or by uploading the file manually:

When you click Save, Keycloak automatically reads the Identity Provider XML metadata file and populates the required fields (IdP entity ID, Single Sign-On Service URL, signing certificate and so on) in the UI:

Ensure the Backchannel Logout option is enabled if you require back-channel logout, i.e. Keycloak sending the logout request to the IdP server-to-server rather than through the user's browser; this requires that the IdP supports it and that its metadata carries a Single Logout Service endpoint.
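The following script is an added example (not CAST's or Keycloak's own code) that inspects an IdP metadata file before it is imported through the steps above. It extracts the same values Keycloak populates on Save (entity ID, Single Sign-On and Single Logout Service URLs, signing certificate) and reports the SHA-256 fingerprint of the signing certificate so it can be confirmed with the IdP administrator out of band, which guards against a tampered or stale metadata file. It also flags conditions that would break the setup: no HTTP-Redirect or HTTP-POST SSO binding, no signing certificate, no Single Logout endpoint for the Backchannel Logout option, or an expired validUntil. The sample metadata, hostnames and certificate bytes are constructed placeholders; standard library only.

```python
"""Sanity-check a SAML 2.0 IdP metadata file before importing it into Keycloak.

Added example (not CAST's or Keycloak's code); standard library only.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder standing in for the DER-encoded X.509 signing
# certificate a real IdP metadata file carries (only its hash is used here).
SAMPLE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_CERT_SHA256 = hashlib.sha256(SAMPLE_CERT_DER).hexdigest()

# Constructed sample metadata; the entityID and hostnames are invented.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.internal/saml" validUntil="2099-12-31T23:59:59Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}"
        Location="https://idp.example.internal/saml/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp.example.internal/saml/sso"/>
    <md:SingleSignOnService Binding="{POST}"
        Location="https://idp.example.internal/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the values Keycloak would take from the metadata, as a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"expected md:EntityDescriptor, got {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            der = base64.b64decode("".join(cert.text.split()))
            # A KeyDescriptor without "use" is valid for both signing and encryption.
            certs.append({"use": kd.get("use", "signing encryption"),
                          "sha256": hashlib.sha256(der).hexdigest()})
    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned") == "true",
        "sso": {e.get("Binding"): e.get("Location")
                for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": {e.get("Binding"): e.get("Location")
                for e in idp.findall("md:SingleLogoutService", NS)},
        "certs": certs,
    }


def audit_idp_metadata(info, now=None):
    """Return findings that would break or weaken the Keycloak SAML setup."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if not any(b in info["sso"] for b in (REDIRECT, POST)):
        findings.append("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
    if not any("signing" in c["use"] for c in info["certs"]):
        findings.append("no signing certificate: Keycloak cannot validate IdP signatures")
    if not info["slo"]:
        findings.append("no SingleLogoutService: Backchannel Logout has no endpoint to call")
    if info["valid_until"]:
        expires = datetime.fromisoformat(info["valid_until"].replace("Z", "+00:00"))
        if expires <= now:
            findings.append(f"metadata expired at {info['valid_until']}")
    return findings


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", info["entity_id"])
    print("SSO:", info["sso"])
    print("SLO:", info["slo"])
    for c in info["certs"]:
        print(f"cert ({c['use']}) SHA-256: {c['sha256']}  <- confirm with IdP admin")
    print("findings:", audit_idp_metadata(info) or "none")
```

Run it against the real metadata file (`parse_idp_metadata(open("idp-metadata.xml").read())`) before importing; if `want_authn_requests_signed` is true, Keycloak's "Want AuthnRequests signed" option must be enabled and the IdP must hold Keycloak's SP signing certificate. Fetching metadata over a URL should only be done over HTTPS, and the fingerprint check matters most when the file arrived by e-mail or a shared drive.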

When fully configured, the Keycloak login page will show an additional login button labelled with the alias you defined when adding SAML as an identity provider:

When the "login with saml" button is clicked, you are redirected to your internal SAML login page; after a successful login, the user is redirected directly to the Console home page.

By default, users and groups coming from SAML have no roles assigned, so at least one SAML user (or group) must first be granted the ADMIN and dashboards_admin roles via the Keycloak role mappings section. ADMIN grants the global Console admin role and dashboards_admin grants the global dashboards role (access to all applications). Note that a SAML user exists in Keycloak only after its first successful login through the IdP, so this first grant is made once that user has logged in at least once:

Any additional users or groups that need to log in to Console or access CAST Dashboards must also be granted the appropriate roles:

  • either the admin or application_owner role to access Console (admin grants full rights to everything, application_owner grants only rights to access applications and not the Admin Center).
  • any one of the Dashboard roles as discussed here:
    • dashboards_admin
    • dashboards_exclusion_manager
    • dashboards_quality_automation_manager
    • dashboards_quality_manager
  • Note that users assigned the application_owner role cannot view existing applications created by other users. To allow them to do so, you will need to assign them the resource-level resource owner role in Console itself, see Administration Center - Security - User Roles.
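The role grants described above can be scripted against the Keycloak Admin REST API instead of clicked through the role mappings UI; this is useful when onboarding many SAML users or groups. The script below is an added example, not CAST's or Keycloak's own code. It assumes the CAST roles (ADMIN, dashboards_admin, application_owner and the dashboards_* roles) are Keycloak realm roles (if they are defined as client roles, the client role-mappings endpoint is needed instead), that SERVER and REALM are placeholders for your installation, and that Keycloak is served without the legacy `/auth` path prefix. The HTTP layer is injectable so the block runs offline against a constructed in-memory stand-in; `urllib_transport` is the real one.

```python
"""Grant Keycloak realm roles to a SAML-federated user through the Admin REST API.

Added example, not CAST's or Keycloak's own code. Assumptions: the CAST roles
are realm roles; SERVER and REALM are placeholders; URL paths are those of the
Keycloak Admin REST API without the legacy "/auth" prefix.
"""
import json
import urllib.parse
import urllib.request

SERVER = "https://keycloak.example.internal"   # placeholder
REALM = "console"                               # placeholder realm name


def urllib_transport(method, url, headers, body=None):
    """Real HTTP transport: returns (status, decoded JSON body or None)."""
    data = None
    if body is not None:
        data = body if isinstance(body, bytes) else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def get_admin_token(transport, server, username, password):
    """Password grant against the master realm's built-in admin-cli client."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    status, body = transport("POST", f"{server}/realms/master/protocol/openid-connect/token",
                             {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"admin login failed with HTTP {status}")
    return body["access_token"]


def assign_realm_roles(transport, server, token, realm, username, role_names):
    """Map the named realm roles onto the user; returns the role names granted."""
    hdrs = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    base = f"{server}/admin/realms/{realm}"
    # exact=true (recent Keycloak versions) avoids prefix matches on the username.
    query = urllib.parse.urlencode({"username": username, "exact": "true"})
    status, users = transport("GET", f"{base}/users?{query}", hdrs)
    if status != 200 or not users:
        # Brokered users are created in Keycloak at their first successful SAML login.
        raise RuntimeError(f"user {username!r} not found in realm {realm!r}; "
                           "a SAML user exists only after its first broker login")
    user_id = users[0]["id"]
    roles = []
    for name in role_names:
        status, role = transport("GET", f"{base}/roles/{urllib.parse.quote(name)}", hdrs)
        if status != 200:
            raise RuntimeError(f"realm role {name!r} does not exist")
        roles.append({"id": role["id"], "name": role["name"]})
    status, _ = transport("POST", f"{base}/users/{user_id}/role-mappings/realm", hdrs, roles)
    if status not in (200, 204):
        raise RuntimeError(f"role mapping failed with HTTP {status}")
    return [r["name"] for r in roles]


class FakeKeycloak:
    """Constructed in-memory stand-in for the Admin API so the example runs offline."""

    def __init__(self):
        self.users = {"alice": "u-1"}                              # username -> user id
        self.roles = {"ADMIN": "r-1", "dashboards_admin": "r-2"}   # role name -> role id
        self.mappings = {}                                         # user id -> granted roles

    def __call__(self, method, url, headers, body=None):
        parts = urllib.parse.urlparse(url)
        path = parts.path.split("/")
        qs = urllib.parse.parse_qs(parts.query)
        if path[-1] == "token":
            return 200, {"access_token": "fake-token"}
        if headers.get("Authorization") != "Bearer fake-token":
            return 401, None
        if path[-1] == "users":
            name = qs.get("username", [""])[0]
            return 200, ([{"id": self.users[name], "username": name}] if name in self.users else [])
        if path[-2] == "roles":
            name = urllib.parse.unquote(path[-1])
            return (200, {"id": self.roles[name], "name": name}) if name in self.roles else (404, None)
        if method == "POST" and path[-2:] == ["role-mappings", "realm"]:
            self.mappings.setdefault(path[-3], []).extend(r["name"] for r in body)
            return 204, None
        return 404, None


if __name__ == "__main__":
    kc = FakeKeycloak()   # replace with urllib_transport to run against a real server
    token = get_admin_token(kc, SERVER, "admin", "admin-password")
    print(assign_realm_roles(kc, SERVER, token, REALM, "alice", ["ADMIN", "dashboards_admin"]))
```

For groups, the same pattern applies with `GET {base}/groups?search=...` and `POST {base}/groups/{id}/role-mappings/realm`; granting the dashboards and application_owner roles to a SAML group rather than to individual users keeps the least-privilege picture manageable as users are onboarded. Keep the admin credential used here out of scripts checked into source control.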