Gsuite SAML app with Keycloak (IDP Initiated SSO)

Narendra Kumawat
4 min read · Aug 2, 2019


To set up a new G Suite SAML app with Keycloak for SSO (IdP-initiated flow), first create a new SAML app in the G Suite admin dashboard by following these steps.

Go to the admin dashboard and click on Apps

Admin Dashboard

After this, click on SAML apps.

SAML apps

Create a new app by clicking the plus (+) floating button.

This will pop up a new window with some information.

Click on SETUP MY OWN CUSTOM APP to create a new custom app. If your service provider is already present in the given list then click on that.

After clicking, we get the SSO URL, Entity ID and certificate.

There are two options for getting configuration data:

1. Copy these three values manually, or

2. Download the XML file containing the IdP metadata.

Download the IdP metadata XML file. We will use this XML file to configure Keycloak on the Service Provider's end.

Click Next after the download.

Go to the Keycloak dashboard.

Create a new realm, then create a new Identity Provider inside it (the client is created later).

Scroll down and click on Import file. Choose the downloaded IdP metadata file, click Import, and then save the Identity Provider.

This will look like the following picture.

After saving it, click on the Export tab and copy the ACS URL and Entity ID.

Copy the Entity ID and ACS URL from the exported SAML metadata.

Back in the Admin Dashboard

Choose a name for the app, provide a description and upload a logo for your app.

The ACS URL is the URL where the SAML response from the IdP will be processed.

The Entity ID is the unique identifier for SSO. This is basically the realm URL.

Paste the ACS URL and Entity ID copied from the Keycloak dashboard. You can also change the Name ID Format. Click on Save.

Now create the attribute mapping that Keycloak will use for SSO authentication.

Here we can choose the attribute name, type and value. firstName, lastName and email are the attribute names; we will receive these attributes in the SAML response.

Now the SAML app is configured, but it is not yet turned on.

To turn on the app, go to Apps > SAML Apps > Your App Name.

Click on ON for everyone and save.

We are done on the Admin Dashboard side.

Now back on the Keycloak dashboard

Go to the Clients tab and create a new client.

Client ID: a unique ID for the client

Enabled: ON

Client protocol: saml

Name ID Format: email (keep this the same as in the G Suite SAML app)

Base URL: your app's base URL

IDP Initiated SSO URL Name: a unique name

Under Fine Grain SAML Endpoint Configuration:

Assertion Consumer Service POST Binding URL: the URL where you want to send the user after SAML authentication completes

Logout Service POST Binding URL: the logout URL to use after the logout response from the IdP

All done!
