Configuring external IdPs in Asgardeo Using SAML Protocol

Hello everyone. In this article let’s discuss how we can connect external identity providers with Asgardeo using the SAML protocol.

If you are looking for “Configuring external IdPs in Asgardeo Using OpenID Connect Protocol”, check out my previous article below.

In this article, I will use the abbreviation “IdP” for the term “Identity Provider”. As you may know, an Identity Provider is responsible for authenticating users and issuing identification information by using security tokens like SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Trust.

To know more about identity providers, you can refer to the Asgardeo documentation about authentication.

To demonstrate the scenario I will be using deployed a Keycloak instance and sample React application with Asgardeo auth React SDK integration. You can find how to integrate Asgardeo React SDK into your existing React application from my previous article below.

If you are interested in trying out keycloak, you can try the free plan of keylock deployment from below.

Connect external IdP with Asgardeo Using SAML Protocol

With Asgardeo you can integrate different identity providers with the SAML protocol. This can be done in easy 3 steps.

  1. Configuring Asgardeo as a service provider in Keycloak
  2. Create a new connection in the Asgardeo console for Keycloak
  3. Configure our new connection with keycloak information

Optional: You can change the realm name as you want from the “Realm Settings

1. Configuring Asgardeo as a service provider in Keycloak

  • Click on “create” to configure Asgardeo as a service provider in keycloak.
  • Configure new client by entering Client ID with the following format and select “saml” from the dropdown as Client Protocol.
    Ignore Client SAML Endpoint for now.
Client ID: https://{host-name}/auth/realms/{realm-name}/saml-1
  • Click “Save”. After that, you will be redirected to a page like this.
  • Configure the below fields.

# switch OFF the Client Signature Required for now.

# Add “Valid Redirect URL” with the following format

https://api.asgardeo.io/t/{organization_name}/commonauth

# Expand the Fine Grain SAML Endpoint Configuration section and add the below values to the respective fields.

Assertion Consumer Service POST Binding URL :
https://api.asgardeo.io/t/{organization_name}/commonauth
Assertion Consumer Service Redirect Binding URL:
https://api.asgardeo.io/t/{organization_name}/commonauth
Logout Service POST Binding URL:
https://api.asgardeo.io/t/{organization_name}/commonauth
  • Click Save.
  • The configuration would be like below.

2. Create a new connection in the Asgardeo console for Keycloak

In this step, we will create a new connection in the Asgardeo console for keycloak. You can find more about configuring enterprise IdPs in the Asgardeo console from the following documentation.

  • Go to Develop -> Connections on Asgardeo Console and click on “New Connection”
  • Select “Standard-Based IdP
  • Enter a name for identity provider and select SAML as the protocol.
  • Click Next.

3. Configure our new connection with keycloak information

  • Enter Client ID value of the service provider(client) in Keycloak as the Service provider entity ID value.
Service provider entity ID:
https://{host-name}/auth/realms/{realm-name}/saml-1
  • Select Manual Configuration
Identity provider Single Sign-On URL:
https://{host}/auth/realms/{realm-name}/protocol/saml
Identity provider entity ID:
https://{host}/auth/realms/{realm-name}
  • Click Next.
  • Get the certificate from the keycloak realm settings. Make sure to get the correct certificate for the Use type SIG.
  • Enter the extracted certificate value. The format should be as follows.
-----BEGIN CERTIFICATE-----
<Certificate value extracted from the realm>
-----END CERTIFICATE-----
  • Click Finish. You will be redirected to our newly configured IDP configuration page.
  • Go to the Settings tab.
  • After scrolling down you will be able to find the configuration section related to Single Logout.
  • Change the configurations as below. and enter the IDP logout URL with the following format.
https://{host}/auth/realms/{realm}/protocol/saml/logout
  • Click Update from the bottom of the IDP configuration page.

Now we completed the steps on how to configure an external standard identity provider (in this case Keycloak) using the SAML protocol in Asgardeo.

Next, Let’s discuss how we can use this connection for login to an application.

Log in to an Application using External Identity Provider Connection

we can achieve this by following below two steps.

  1. Create a new user in Keycloak to log in to our sample application.
  2. Add our new keycloak connection to an existing application as a sign-in option.

1. Create a new user in Keycloak to log in to our sample application

  • To see all the existing users click on “View all users”.
  • we can add a new user by clicking on the “Add user” button. Enter relevant information to the fields like below.
  • Click Save.
  • Click on the “Credentials” tab and enter a new password and click “Set Password”. Change the value of the Temporary field from ON to OFF.

2. Add our new keycloak connection to an existing application as a sign-in option

As we have a new external IdP connection in Asgardeo, we can use it to log in to our applications as a new sign-in option. To demonstrate this I will use an existing SPA React application that I have already registered in the Asgardeo console.

You can find how we can integrate Asgardeo into existing React applications from my previous article below.

Also, you can find the sample react application source code I am using for this demonstration below.

  • To add a new Sign-In option to an application, click on the Sign-In Method tab of your application on the Asgardeo console.
  • Click “Add Authentication
  • Select the connection and click Add.
  • Finally, click Update.

Let’s try to login into our application.

As you can see now we have our new sign-in method with Keycloak IdP we have configured. Let’s log in to our application using this option with the user’s credentials we have created on keycloak earlier.

Bravo! Login is successful.

Try to log out from the application by clicking the LOGOUT button at the bottom of the page and it will be also successful.

So, hope you got some idea about how to configure external enterprise identity providers using the SAML protocol.

Thank you for reading this article.

--

--

--

Identity and access management is taking over and is a key enabler to build agile businesses. Open source IAM specifically is becoming a game changer. Learn from IAM experts at WSO2 as to why IAM is all the rage and how it can help empower your enterprise.

Recommended from Medium

CS371p Spring 2021: Luca Chaves Rodrigues Noronha dos Santos

Business Intelligence Starter Pack

ArrayBuffer

Db2 The Performant Database

On pacing and programming pedagogy

My First Tech Conference Post-Bootcamp

DevOps for Beginners

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Dimuthu Kasun

Dimuthu Kasun

Software Engineer @ WSO2 | https://dimuthukasunwp.github.io/Articles/

More from Medium

Redis Replication 同步如何執行?

Keycloak 17 & FileMaker: Installation & Configuration Tutorial Part 4: Starting Keycloak 17 & Next…

Account Recovery configurations in WSO2 Identity Server

Infrastructure Design with Data: A New Watcher!