Keycloak SAML Identity Provider
This document outlines the process for configuring Willba's SAML identity provider using Google Workspace.
The process expect to have SAML config file created from the identity provider as Google Workspace.
See instructions if you don't have yet completed this step.
Steps
- Login as realm-admin into Keycloak console
- Open Identity Providers from main menu
- Add new provider with option SAML
- Set
Aliaswith unique name if you have multiple identity providers in one environment - Set
Display namewith descriptive name. It will be shown in the Willba login screen main button. If you have multiple identity providers in one environment, users can select the correct one by this name. - Set
Display orderto1. If multiple providers, set2for the second and so on. Willba Support team Admin login is reserved withDisplay order100. - Switch Use entity descriptor OFF
- Import config from file created earlier
- Specify settings
- Save
- Specify mappers
- Verify connection works
Settings
| Setting | Value | Description |
|---|---|---|
| NameID policy format | ||
| Principal type | Subject NameID | |
| Allow create | On | Important, let SAML create Willba users on first login |
| HTTP-POST binding response | On | |
| HTTP-POST binding for AuthnRequest | On | |
| HTTP-POST binding for AuthnRequest | On | |
| Comparison | exact | |
| Trust Email | On | Do not require email verification |
| First login flow | first broker login | |
| Post login flow | None | |
| Sync mode | Force | Important setting to force sync user properties at every login |
Mappers
Specify firstName, lastName and user group mappers. These mappers import values from Identity Provider into Willba. This documentation includes fundamental mappers, it is possible to add more mappers if needed and available.
First Name
Create new mapper for first name with following details
- ID:
firstName - Name:
firstName - Sync mode override:
Inherit - Mapper type:
Attribute Importer - Attribute Name:
firstName - Friendly Name:
- Name Format:
ATTRIBUTE_FORMAT_BASIC - User Attribute Name:
firstName
Last Name
Create new mapper for last name with following details
- ID:
lastName - Name:
lastName - Sync mode override:
Inherit - Mapper type:
Attribute Importer - Attribute Name:
lastName - Friendly Name:
- Name Format:
ATTRIBUTE_FORMAT_BASIC - User Attribute Name:
lastName
User Group Mappers
Create own mapper for each user group you want to import into Willba from Identity Provider.
- ID:
{groupName}, for exampleHousekeeping - Name:
User Group {groupName}, for exampleUser Group Housekeeping - Sync mode override:
Force - Mapper type:
Advanced Attribute to Group - Attributes:
- Key:
groups, this is the same name as in customer's SAML mapper - Value:
{group-exact-name-in-source-identity-provider}
- Key:
- Regex Attribute Values:
Off - Group: Select correct Willba group name