In the Keycloak console, paste the value of App Federation Metadata URL received from the user into the Import from URL field and click Import.
Duplicate the value of Single Sign-On Service URL into Single Logout Service URL. Click Save at the bottom of the page.
Configure the IdP provider's mappers. Email Mapper: RIVO SSO requires that the SAMLResponse contain a claim with the user's email address, which is used to map the IdP response data to the user created in RIVO (see Key Points above in this document). For this purpose, the emailMapper should be configured for the IdP provider.
Roles Mapper:
Additional note about IdP provider mappers
If the owner of the IdP requires that the NameID element (the essential part of <Subject>) have a format other than persistent (which is the preferable format for the RIVO IdP provider), specifically emailAddress (see the example below), then an additional IdP provider mapper should be configured in Keycloak; see Figure 19 below.
Advanced SAML Configuration in Keycloak IdP provider
The IdP can require that SAML requests issued by Keycloak be signed. Keycloak, in turn, can be configured to require that IdP assertions be signed and/or encrypted.
To export the IdP provider metadata, click the link shown below:
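Before configuring the email and NameID mappers, it helps to confirm what the IdP actually puts in its SAMLResponse. The following is an added example (not part of this document or of Keycloak) that parses a decoded SAMLResponse and reports which of the requirements above are not met: presence of an email attribute (the attribute name `email` is an assumption; use whatever claim name the IdP releases), the NameID format (persistent vs. emailAddress), and whether the assertion carries a signature or is encrypted. It only checks structure; it does not validate the signature itself.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_ADDRESS = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def inspect_response(xml_text):
    """Extract the parts of a SAMLResponse that Keycloak's IdP mappers consume."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    info = {"nameid_format": None, "attributes": {}, "assertion_signed": False,
            "encrypted": root.find("saml:EncryptedAssertion", NS) is not None}
    if assertion is None:  # nothing to map until the assertion is visible in clear text
        return info
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        info["nameid_format"] = name_id.get("Format")
    # Presence of ds:Signature only; cryptographic validation is Keycloak's job.
    info["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        vals = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        info["attributes"][attr.get("Name")] = vals
    return info

def check_requirements(info, email_attr="email"):
    """List what must change before the email/NameID mappers can resolve a RIVO user."""
    if info["encrypted"]:
        return ["assertion is encrypted: re-check after Keycloak decrypts it"]
    problems = []
    if not info["assertion_signed"]:
        problems.append("assertion is not signed")
    if not info["attributes"].get(email_attr):  # assumed claim name, see lead-in
        problems.append(f"no '{email_attr}' attribute for the email mapper")
    fmt = info["nameid_format"]
    if fmt == EMAIL_ADDRESS:
        problems.append("NameID format is emailAddress: the extra NameID mapper is needed")
    elif fmt != PERSISTENT:
        problems.append(f"unexpected NameID format {fmt!r}")
    return problems

# Constructed sample (not captured from a real IdP): signed, NameID in emailAddress format.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion><ds:Signature><ds:SignatureValue>xx</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  >jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com
  </saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Run `check_requirements(inspect_response(SAMPLE_RESPONSE))` on the base64-decoded SAMLResponse from a test login; an empty list means only the standard email mapper is needed.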
Example of Keycloak IdP provider metadata
Surecomp should share the link to Keycloak IdP provider’s metadata (or the metadata file) with the IdP owner.