Configuring Single Sign-On (SSO) using an Identity Provider (IdP) involves setting up your IdP to authenticate users and then configuring your application to trust the IdP for authentication. This allows users to access multiple applications with a single set of credentials, streamlining the login process and enhancing security.
When a user prefers to use their own IdP, external to RIVO, Keycloak can be configured to broker that IdP: towards RIVO it remains the identity provider, while towards the external IdP it acts as the Service Provider (SP).
Azure Entra ID is used as the example external Identity Provider (IdP) here; however, Keycloak can be configured to broker a wide range of well-known IdPs over various communication protocols.
FEDERATION PROCESS
Due to the nature of SAML federation between two identity systems (Keycloak as the IdP broker and Azure Entra ID as the actual IdP), the configuration process is a coordinated, step-by-step exchange of information between both systems.
Each side (RIVO/Keycloak and Azure Entra ID) must complete part of the setup, share metadata or certificates, and sometimes pause to wait for the other side to proceed.
Federation Configuration Steps
- Users must be pre-defined in RIVO by an organizational administrator. Login via SSO will only succeed if the user exists in RIVO beforehand.
- Initial Setup: Create the Keycloak IdP Provider. A new Identity Provider (IdP) should be created in Keycloak, representing Azure Entra.
  - The Redirect URI generated by Keycloak must be sent to the Azure administrator to be used during the Azure application setup.
- Configure SAML Application in Azure Entra ID. In Azure Entra ID, create a new SAML-based application, with Azure acting as the Identity Provider.
  - Once created, copy the App Federation Metadata URL and send it to the Keycloak administrator.
- Complete the Keycloak Identity Provider Setup. After receiving Azure's metadata, finalize the Keycloak IdP provider configuration.
  - Then, share Keycloak's own SAML metadata (either as a link or a file) with the Azure administrator.
- Enable Azure to Trust and Encrypt for Keycloak. To complete trust:
  - Upload the signing certificate from Keycloak to Azure to validate signed SAMLRequest messages.
  - Upload the encryption certificate to Azure so it can encrypt SAML assertions returned to Keycloak.
Follow the steps below
- Initial Setup - Identity Provider Creation
- Creation of SAML Based Application
- Set up SAML SSO in the created Enterprise application
- Keycloak IdP provider – finish setup after receiving the IdP metadata
- Enable Azure to Validate Signed SAML AuthnRequests
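The metadata exchange above is where trust is actually established, so it helps to see what the Keycloak administrator pulls out of Azure's federation metadata and what the Azure administrator receives in return. The script below is an added example written for this page, not RIVO's or Keycloak's own code. It parses a constructed metadata document in the shape Entra ID publishes at the App Federation Metadata URL (placeholder tenant id, fake base64 blobs instead of real DER certificates), takes only the signing certificate (an encryption-only key is never trusted for signature validation), prints a SHA-256 fingerprint so both administrators can confirm the certificate out of band, builds the config map for the Keycloak SAML identity provider with signature validation and encrypted assertions required, and derives the broker Redirect URI that the Azure side needs. The config key names are those of Keycloak's SAML identity-provider settings and the Keycloak base URL, realm and alias are assumed values; check them against your own Keycloak version and deployment.

```python
"""Derive the Keycloak side of a SAML broker configuration from an external
IdP's federation metadata and fingerprint the certificate it carries.

Added example for this page, not RIVO's or Keycloak's own code.  Assumptions:
config keys follow Keycloak's SAML identity-provider settings (verify against
your version); the metadata below is constructed with placeholder ids and
base64 stand-ins, not real certificates."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-ins: base64 of plain text, NOT real DER certificates.
FAKE_SIGNING_CERT = base64.b64encode(b"constructed signing cert").decode()
FAKE_ENCRYPTION_CERT = base64.b64encode(b"constructed encryption cert").decode()
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id

# Constructed metadata in the shape Entra ID publishes; the signing
# certificate is deliberately wrapped across lines, as real metadata often is.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          {FAKE_SIGNING_CERT[:12]}
          {FAKE_SIGNING_CERT[12:]}
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_ENCRYPTION_CERT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{BINDING_REDIRECT}"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{BINDING_POST}"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SSO endpoints and signing certificate(s) from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("expected an md:EntityDescriptor root")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # No 'use' attribute means the key serves both purposes; a key marked
        # 'encryption' only must not be trusted for signature validation.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))  # strip wrapping
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    return {"entity_id": root.get("entityID"),
            "sso_redirect": sso.get(BINDING_REDIRECT),
            "sso_post": sso.get(BINDING_POST),
            "signing_certs": certs}


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form to confirm out of band."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def signing_cert_fingerprints(parsed: dict) -> list:
    return [sha256_fingerprint(base64.b64decode(c)) for c in parsed["signing_certs"]]


def keycloak_saml_config(parsed: dict) -> dict:
    """Config map for a Keycloak SAML identity provider (string values, as the
    admin REST API expects).  Signature validation is on and the IdP's cert is
    pinned, so an assertion signed with any other key is rejected; encrypted
    assertions are required, matching the encryption-certificate upload step."""
    return {
        "entityId": parsed["entity_id"],
        "singleSignOnServiceUrl": parsed["sso_post"] or parsed["sso_redirect"],
        "postBindingAuthnRequest": "true",
        "postBindingResponse": "true",
        "wantAuthnRequestsSigned": "true",
        "validateSignature": "true",
        "signingCertificate": ",".join(parsed["signing_certs"]),
        "wantAssertionsSigned": "true",
        "wantAssertionsEncrypted": "true",
    }


def broker_endpoint(keycloak_base_url: str, realm: str, alias: str) -> str:
    """Redirect URI Keycloak exposes for a broker alias (assumed base URL;
    older Keycloak releases serve it under an extra /auth prefix)."""
    return f"{keycloak_base_url.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


if __name__ == "__main__":
    parsed = parse_idp_metadata(SAMPLE_METADATA)
    for fp in signing_cert_fingerprints(parsed):
        print("IdP signing cert SHA-256:", fp)  # confirm with the Azure admin
    print(keycloak_saml_config(parsed))
    print("Redirect URI for Azure:", broker_endpoint("https://sso.example.com", "rivo", "azure-entra"))
```

Pinning the certificate from metadata rather than trusting whatever the metadata URL serves later is the point of the fingerprint step: if Azure rotates its signing certificate, the fingerprint changes and the Keycloak entry must be updated deliberately rather than silently.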