Configuring external IdPs in Asgardeo Using SAML Protocol

Dimuthu Kasun
Identity Beyond Borders
7 min read · Jan 6, 2022

Hello everyone. In this article let’s discuss how we can connect external identity providers with Asgardeo using the SAML protocol.

If you are looking for “Configuring external IdPs in Asgardeo Using OpenID Connect Protocol”, check out my previous article below.

In this article, I will use the abbreviation “IdP” for the term “Identity Provider”. As you may know, an Identity Provider is responsible for authenticating users and issuing identity information to relying applications as security tokens, using protocols such as SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Trust.

To know more about identity providers, you can refer to the Asgardeo documentation about authentication.

To demonstrate the scenario, I will be using a deployed Keycloak instance and a sample React application integrated with the Asgardeo Auth React SDK. You can find how to integrate the Asgardeo React SDK into your existing React application in my previous article below.

If you are interested in trying out Keycloak, you can try the free plan of a hosted Keycloak deployment from the link below.

Connect external IdP with Asgardeo Using SAML Protocol

With Asgardeo you can integrate different identity providers using the SAML protocol. This can be done in three easy steps.

  1. Configuring Asgardeo as a service provider in Keycloak
  2. Create a new connection in the Asgardeo console for Keycloak
  3. Configure our new connection with Keycloak information

Optional: you can change the realm name as you want from Keycloak’s “Realm Settings” page. The realm name appears in every Keycloak URL below, so use the same value throughout.

1. Configuring Asgardeo as a service provider in Keycloak

  • On the Keycloak “Clients” page, click on “Create” to configure Asgardeo as a service provider (client) in Keycloak.
  • Configure the new client by entering a Client ID in the following format and selecting “saml” from the Client Protocol dropdown.
    Ignore Client SAML Endpoint for now.
Client ID: https://{host-name}/auth/realms/{realm-name}/saml-1
  • Click “Save”. After that, you will be redirected to a page like this.
  • Configure the fields below.
  • Switch “Client Signature Required” OFF for now. With this setting off, Keycloak accepts unsigned AuthnRequests from Asgardeo, which is fine for a demo. For a production realm, switch it back ON and upload Asgardeo’s request-signing certificate under the client’s “SAML Keys” tab, so that Keycloak verifies that each login request actually came from Asgardeo.
  • Add a “Valid Redirect URI” with the following format.

https://api.asgardeo.io/t/{organization_name}/commonauth

  • Expand the “Fine Grain SAML Endpoint Configuration” section and add the values below to the respective fields. All three point at the same Asgardeo endpoint, which receives both SAML responses (ACS) and logout messages for the organization.

Assertion Consumer Service POST Binding URL:
https://api.asgardeo.io/t/{organization_name}/commonauth
Assertion Consumer Service Redirect Binding URL:
https://api.asgardeo.io/t/{organization_name}/commonauth
Logout Service POST Binding URL:
https://api.asgardeo.io/t/{organization_name}/commonauth
  • Click Save.
  • The configuration should look like the screenshot below.
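The same client, expressed as the JSON that Keycloak’s admin REST API accepts for a client, with a small lint that catches the settings that silently break the federation. This is an added example, not code from the article or from Keycloak; the attribute keys are the ones Keycloak uses internally for its SAML client settings to my knowledge, and the host, realm and organization names are placeholders.

```python
"""Keycloak SAML client for Asgardeo as a ClientRepresentation, plus a lint.

Added example (not from the article). It mirrors the UI settings of step 1
in the JSON form the Keycloak admin REST API accepts for a client, so the
configuration can be reviewed and reproduced instead of clicked through.
Hostnames, realm and organization names are placeholders.
"""
import json
from typing import Dict, List

ASGARDEO_COMMONAUTH = "https://api.asgardeo.io/t/{org}/commonauth"


def commonauth_url(org: str) -> str:
    """Asgardeo's SAML endpoint for the organization: ACS and logout target."""
    return ASGARDEO_COMMONAUTH.format(org=org)


def keycloak_saml_client(host: str, realm: str, org: str,
                         require_client_signature: bool = False) -> Dict:
    """ClientRepresentation mirroring the article's step 1.

    require_client_signature=False reproduces the demo setting
    "Client Signature Required OFF"; True is what a production realm should
    use, after Asgardeo's request-signing certificate has been uploaded to
    the client's SAML Keys tab.
    """
    acs = commonauth_url(org)
    return {
        "clientId": f"https://{host}/auth/realms/{realm}/saml-1",
        "protocol": "saml",
        "enabled": True,
        "redirectUris": [acs],                      # "Valid Redirect URIs"
        "frontchannelLogout": True,
        "attributes": {
            # "Fine Grain SAML Endpoint Configuration" (attribute keys assumed
            # from Keycloak's SAML client settings)
            "saml_assertion_consumer_url_post": acs,
            "saml_assertion_consumer_url_redirect": acs,
            "saml_single_logout_service_url_post": acs,
            # Signature settings
            "saml.client.signature": str(require_client_signature).lower(),
            "saml.server.signature": "true",    # Keycloak signs its responses
            "saml.assertion.signature": "true",
            "saml.signature.algorithm": "RSA_SHA256",
            "saml.authnstatement": "true",
        },
    }


def lint_client(rep: Dict) -> List[str]:
    """Return human-readable findings; an empty list means the client looks sane."""
    findings: List[str] = []
    attrs = rep.get("attributes", {})
    redirect_uris = rep.get("redirectUris", [])
    if rep.get("protocol") != "saml":
        findings.append("protocol must be 'saml'")
    for uri in redirect_uris:
        if not uri.startswith("https://"):
            findings.append(f"redirect URI is not HTTPS: {uri}")
        if not uri.endswith("/commonauth"):
            findings.append(f"redirect URI is not Asgardeo's commonauth endpoint: {uri}")
    for key in ("saml_assertion_consumer_url_post",
                "saml_assertion_consumer_url_redirect",
                "saml_single_logout_service_url_post"):
        if attrs.get(key) not in redirect_uris:
            findings.append(f"{key} is missing or not listed in redirectUris")
    if attrs.get("saml.client.signature") != "true":
        findings.append("client signature not required: Keycloak will accept "
                        "unsigned AuthnRequests (acceptable for a demo only)")
    if attrs.get("saml.server.signature") != "true":
        findings.append("server signature disabled: Asgardeo cannot verify the SAML response")
    return findings


if __name__ == "__main__":
    demo = keycloak_saml_client("keycloak.example.com", "myrealm", "myorg")
    print(json.dumps(demo, indent=2))
    for finding in lint_client(demo):
        print("finding:", finding)
```

Running the script with the defaults prints the demo client and one finding about the disabled client signature; building it with `require_client_signature=True` yields no findings, which is the state to aim for before the connection goes to production.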

2. Create a new connection in the Asgardeo console for Keycloak

In this step, we will create a new connection in the Asgardeo console for Keycloak. You can find more about configuring enterprise IdPs in the Asgardeo console in the following documentation.

  • Go to Develop -> Connections in the Asgardeo Console and click on “New Connection”.
  • Select “Standard-Based IdP”.
  • Enter a name for the identity provider and select SAML as the protocol.
  • Click Next.

3. Configure our new connection with keycloak information

  • Enter the Client ID of the service provider (client) you created in Keycloak as the Service provider entity ID. It must match exactly, because Keycloak locates the client by the Issuer of the incoming AuthnRequest.
Service provider entity ID:
https://{host-name}/auth/realms/{realm-name}/saml-1
  • Select Manual Configuration and enter the Keycloak SAML endpoint and realm entity ID.
Identity provider Single Sign-On URL:
https://{host-name}/auth/realms/{realm-name}/protocol/saml
Identity provider entity ID:
https://{host-name}/auth/realms/{realm-name}
  • Click Next.
  • Get the signing certificate from Realm Settings -> Keys in Keycloak. Make sure to take the certificate of the RSA key whose Use is SIG (not ENC); Asgardeo uses it to verify the signature on Keycloak’s SAML responses.
  • Enter the extracted certificate value. Keycloak shows only the base64 body, so paste it between the header and footer lines as follows.
-----BEGIN CERTIFICATE-----
<Certificate value extracted from the realm>
-----END CERTIFICATE-----
  • Click Finish. You will be redirected to our newly configured IDP configuration page.
  • Go to the Settings tab.
  • After scrolling down you will find the configuration section related to Single Logout.
  • Change the configuration as shown below and enter the IdP logout URL in the following format.
https://{host-name}/auth/realms/{realm-name}/protocol/saml/logout
  • Click Update at the bottom of the IdP configuration page.
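Every value step 3 asks for is also published by Keycloak in its SAML IdP metadata, which is served at https://{host-name}/auth/realms/{realm-name}/protocol/saml/descriptor. The script below is an added example (not code from the article, Keycloak or Asgardeo): it parses such a descriptor and prints the Asgardeo fields, wrapping the bare base64 certificate into the PEM form shown above. A constructed sample descriptor with a placeholder certificate is embedded so the script runs offline; the hostname, realm name and endpoint locations in it are assumptions, and for a real instance you would feed it the text fetched from the descriptor URL.

```python
"""Derive the Asgardeo connection values from Keycloak's SAML IdP metadata.

Added example, not from the article. Parses a SAML EntityDescriptor and
returns the entity ID, SSO URL, logout URL and PEM-wrapped signing
certificate. The embedded descriptor is a constructed sample; its
certificate is base64 of placeholder bytes, NOT a real X.509 certificate.
"""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of Keycloak's descriptor (hostname, realm and
# locations are placeholders). Keycloak advertises the same Location for the
# POST and Redirect bindings of each service.
FAKE_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a real DER certificate. " * 3).decode()
SAMPLE_METADATA = f"""
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://keycloak.example.com/auth/realms/myrealm">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName>constructed-key-id</ds:KeyName>
        <ds:X509Data>
          <ds:X509Certificate>
            {FAKE_CERT_B64}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{POST}"
        Location="https://keycloak.example.com/auth/realms/myrealm/protocol/saml"/>
    <md:SingleLogoutService Binding="{REDIRECT}"
        Location="https://keycloak.example.com/auth/realms/myrealm/protocol/saml"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST}"
        Location="https://keycloak.example.com/auth/realms/myrealm/protocol/saml"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://keycloak.example.com/auth/realms/myrealm/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def wrap_pem(b64: str) -> str:
    """Strip the whitespace metadata (and the Keycloak UI) leave around the
    base64 body and wrap it at 64 columns between the PEM header and footer."""
    body = re.sub(r"\s+", "", b64)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def asgardeo_values(metadata_xml: str) -> Dict[str, str]:
    """Map an IdP EntityDescriptor to the fields of the Asgardeo SAML connection."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleLogoutService", NS)}
    # Only a signing key belongs in Asgardeo. A KeyDescriptor without "use"
    # serves both purposes; one marked "encryption" would never verify anything.
    certs = [c.text for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {
        "Identity provider entity ID": root.get("entityID"),
        "Identity provider Single Sign-On URL": sso.get(REDIRECT) or sso.get(POST),
        "IdP logout URL": slo.get(POST) or slo.get(REDIRECT),
        "Certificate": wrap_pem(certs[0]),
    }


if __name__ == "__main__":
    for field, value in asgardeo_values(SAMPLE_METADATA).items():
        print(f"{field}:\n{value}\n")
```

Because the values come from the descriptor rather than from screenshots, the same script can be re-run after Keycloak rotates its realm keys, which is when a working connection suddenly starts rejecting responses: the certificate stored in Asgardeo must then be replaced with the new SIG certificate.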

Now we have completed the steps to configure an external standards-based identity provider (in this case Keycloak) using the SAML protocol in Asgardeo.

Next, Let’s discuss how we can use this connection for login to an application.

Log in to an Application using External Identity Provider Connection

We can achieve this by following the two steps below.

  1. Create a new user in Keycloak to log in to our sample application.
  2. Add our new Keycloak connection to an existing application as a sign-in option.

1. Create a new user in Keycloak to log in to our sample application

  • In the Keycloak admin console, go to “Users”. To see all the existing users, click on “View all users”.
  • We can add a new user by clicking on the “Add user” button. Enter the relevant information in the fields as shown below.
  • Click Save.
  • Click on the “Credentials” tab, enter a new password, switch the Temporary field from ON to OFF (otherwise the user is forced to change the password at first login) and click “Set Password”.

2. Add our new keycloak connection to an existing application as a sign-in option

As we have a new external IdP connection in Asgardeo, we can use it to log in to our applications as a new sign-in option. To demonstrate this I will use an existing SPA React application that I have already registered in the Asgardeo console.

You can find how to integrate Asgardeo into existing React applications in my previous article below.

Also, you can find the sample React application source code I am using for this demonstration below.

  • To add a new sign-in option to an application, click on the “Sign-in Method” tab of your application in the Asgardeo console.
  • Click “Add Authentication”.
  • Select the connection and click Add.
  • Finally, click Update.

Let’s try to log in to our application.

As you can see, we now have the new sign-in method with the Keycloak IdP we configured. Let’s log in to our application using this option with the credentials of the user we created in Keycloak earlier.

Bravo! Login is successful.

Try to log out from the application by clicking the LOGOUT button at the bottom of the page; with the Single Logout settings from step 3, the Keycloak session is ended as well.

So, I hope you got some idea about how to configure external enterprise identity providers using the SAML protocol.

Thank you for reading this article.
