
Keycloak SAML Identity Provider

This document outlines the process for configuring Willba's SAML identity provider using Google Workspace.

The process expects a SAML configuration file (the identity provider metadata) exported from the identity provider, in this case Google Workspace.

See the instructions if you have not yet completed this step.

Steps

  1. Log in to the Keycloak console as realm-admin
  2. Open Identity Providers from the main menu
  3. Add a new provider with the option SAML
  4. Set Alias to a unique name, which matters if you have multiple identity providers in one environment
  5. Set Display name to a descriptive name. It is shown on the main button of the Willba login screen. If you have multiple identity providers in one environment, users select the correct one by this name.
  6. Set Display order to 1. If there are multiple providers, set 2 for the second and so on. Display order 100 is reserved for the Willba Support team Admin login.
  7. Switch Use entity descriptor OFF
  8. Import config from the file created earlier
  9. Specify settings (see Settings below)
  10. Save
  11. Specify mappers (see Mappers below)
  12. Verify that the connection works
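
Before importing the metadata file in step 8, it is worth confirming that it actually carries what the settings below rely on: an HTTP-POST single sign-on endpoint (required by "HTTP-POST binding for AuthnRequest: On"), the emailAddress NameID format (required by "NameID policy format: Email") and at least one signing certificate. The following script is an added example, not part of the original page or of Willba's or Keycloak's tooling. It uses only the Python standard library; the embedded metadata sample is constructed in the shape Google Workspace produces, and its idpid and certificate are placeholders, not real values. The SHA-256 fingerprint it prints can be compared with the certificate Keycloak shows after the import.

```python
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

# SAML 2.0 namespaces and the two URNs the Willba settings depend on.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def cert_sha256_fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of a base64-encoded (PEM body) certificate, colon-separated."""
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_idp_metadata(xml_text: str, now: Optional[datetime] = None) -> dict:
    """Inspect IdP metadata and report the pieces Keycloak needs plus any problems found."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    result = {"entity_id": root.get("entityID"), "sso_post_url": None,
              "nameid_email": False, "signing_cert_sha256": [], "problems": []}
    if not result["entity_id"]:
        result["problems"].append("EntityDescriptor has no entityID")

    # validUntil is optional; a file whose validity has passed should not be imported.
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry < now:
            result["problems"].append(f"metadata expired at {valid_until}")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        result["problems"].append("no IDPSSODescriptor: this is not identity-provider metadata")
        return result

    # "HTTP-POST binding for AuthnRequest: On" needs a POST-capable SSO endpoint.
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == POST_BINDING:
            result["sso_post_url"] = sso.get("Location")
    if result["sso_post_url"] is None:
        result["problems"].append("no HTTP-POST SingleSignOnService endpoint advertised")

    # "NameID policy format: Email" expects the IdP to offer the emailAddress format.
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    result["nameid_email"] = EMAIL_NAMEID in formats
    if not result["nameid_email"]:
        result["problems"].append("emailAddress NameID format not advertised")

    # Signing certificates; a KeyDescriptor without a 'use' attribute covers signing too.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            if cert.text and cert.text.strip():
                result["signing_cert_sha256"].append(cert_sha256_fingerprint(cert.text))
    if not result["signing_cert_sha256"]:
        result["problems"].append("no signing certificate: response signatures cannot be validated")
    return result


# Constructed sample in the shape of Google Workspace IdP metadata. The idpid and the
# certificate are placeholders, not real values.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"constructed-placeholder-not-a-real-x509-certificate").decode()


def sample_metadata(include_post: bool = True) -> str:
    post = (f'<md:SingleSignOnService Binding="{POST_BINDING}" '
            'Location="https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER"/>'
            if include_post else "")
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://accounts.google.com/o/saml2?idpid=PLACEHOLDER" validUntil="2031-01-01T00:00:00Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_NAMEID}</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER"/>
    {post}
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    # Usage: python check_idp_metadata.py GoogleIDPMetadata.xml (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else sample_metadata()
    for key, value in check_idp_metadata(text).items():
        print(f"{key}: {value}")
```

A non-empty `problems` list means the import in step 8 will succeed but the login in step 12 will not work with the settings in this document, so fix the export on the Google Workspace side first.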

Settings

| Setting | Value | Description |
| --- | --- | --- |
| NameID policy format | Email | |
| Principal type | Subject NameID | |
| Allow create | On | Important, lets SAML create Willba users on first login |
| HTTP-POST binding response | On | |
| HTTP-POST binding for AuthnRequest | On | |
| Comparison | exact | |
| Trust Email | On | Do not require email verification |
| First login flow | first broker login | |
| Post login flow | None | |
| Sync mode | Force | Important setting to force sync of user properties at every login |

Mappers

Specify firstName, lastName and user group mappers. These mappers import values from the Identity Provider into Willba. This documentation covers the fundamental mappers; more mappers can be added if needed and available.

First Name

Create a new mapper for the first name with the following details

  • ID: firstName
  • Name: firstName
  • Sync mode override: Inherit
  • Mapper type: Attribute Importer
  • Attribute Name: firstName
  • Friendly Name:
  • Name Format: ATTRIBUTE_FORMAT_BASIC
  • User Attribute Name: firstName

Last Name

Create a new mapper for the last name with the following details

  • ID: lastName
  • Name: lastName
  • Sync mode override: Inherit
  • Mapper type: Attribute Importer
  • Attribute Name: lastName
  • Friendly Name:
  • Name Format: ATTRIBUTE_FORMAT_BASIC
  • User Attribute Name: lastName

User Group Mappers

Create a separate mapper for each user group you want to import into Willba from the Identity Provider.

  • ID: {groupName}, for example Housekeeping
  • Name: User Group {groupName}, for example User Group Housekeeping
  • Sync mode override: Force
  • Mapper type: Advanced Attribute to Group
  • Attributes:
    • Key: groups, the same attribute name as configured in the customer's SAML attribute mapping on the identity provider side
    • Value: {group-exact-name-in-source-identity-provider}
  • Regex Attribute Values: Off
  • Group: Select correct Willba group name
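
The settings table and the three mapper definitions above can also be applied through the Keycloak admin REST API, which is useful when several environments must end up with identical configuration. The script below is an added example, not Willba's or Keycloak's own code. The endpoints `POST /admin/realms/{realm}/identity-provider/instances` and `POST /admin/realms/{realm}/identity-provider/instances/{alias}/mappers` are Keycloak's; the representation keys (`nameIDPolicyFormat`, `principalType`, `allowCreate`, `postBindingResponse`, `postBindingAuthnRequest`, `authnContextComparisonType`, `syncMode`, `guiOrder`, the mapper ids `saml-user-attribute-idp-mapper` and `saml-advanced-group-idp-mapper` and their config keys) are the ones this author believes the SAML provider uses and should be verified against the admin REST documentation of the Keycloak version in use. The alias `google-workspace`, the realm name, the access token variable and the idpid, URL and certificate values are assumed placeholders.

```python
import json
import os
import sys
import urllib.request

# Values taken from the Settings table and the Mappers section of this page.
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def saml_idp_representation(alias: str, display_name: str, display_order: int,
                            idp_entity_id: str, sso_post_url: str, signing_cert_b64: str) -> dict:
    """IdentityProviderRepresentation for identity-provider/instances.
    Config keys are assumed to match Keycloak's SAML provider; verify against your version."""
    return {
        "alias": alias,
        "displayName": display_name,
        "providerId": "saml",
        "enabled": True,
        "trustEmail": True,                                  # Trust Email: On
        "firstBrokerLoginFlowAlias": "first broker login",   # First login flow
        "postBrokerLoginFlowAlias": "",                      # Post login flow: None
        "config": {
            "guiOrder": str(display_order),                  # Display order
            "idpEntityId": idp_entity_id,                    # from the imported metadata file
            "singleSignOnServiceUrl": sso_post_url,          # from the imported metadata file
            "signingCertificate": signing_cert_b64,          # from the imported metadata file
            "validateSignature": "true",
            "nameIDPolicyFormat": EMAIL_NAMEID,              # NameID policy format: Email
            "principalType": "SUBJECT",                      # Principal type: Subject NameID
            "allowCreate": "true",                           # Allow create: On
            "postBindingResponse": "true",                   # HTTP-POST binding response: On
            "postBindingAuthnRequest": "true",               # HTTP-POST binding for AuthnRequest: On
            "authnContextComparisonType": "exact",           # Comparison: exact
            "syncMode": "FORCE",                             # Sync mode: Force
        },
    }


def attribute_importer_mapper(alias: str, attribute: str) -> dict:
    """First Name / Last Name mappers: a SAML attribute into the user attribute of the same name."""
    return {
        "name": attribute,
        "identityProviderAlias": alias,
        "identityProviderMapper": "saml-user-attribute-idp-mapper",
        "config": {
            "syncMode": "INHERIT",                           # Sync mode override: Inherit
            "attribute.name": attribute,
            "attribute.friendly.name": "",
            "attribute.name.format": "ATTRIBUTE_FORMAT_BASIC",
            "user.attribute": attribute,
        },
    }


def group_mapper(alias: str, group_name: str, idp_group_value: str, keycloak_group_path: str) -> dict:
    """One Advanced Attribute to Group mapper per group, matching the exact value of 'groups'."""
    return {
        "name": f"User Group {group_name}",
        "identityProviderAlias": alias,
        "identityProviderMapper": "saml-advanced-group-idp-mapper",
        "config": {
            "syncMode": "FORCE",                             # Sync mode override: Force
            "attributes": json.dumps([{"key": "groups", "value": idp_group_value}]),
            "are.attribute.values.regex": "false",           # Regex Attribute Values: Off
            "group": keycloak_group_path,                    # Willba group, e.g. /Housekeeping
        },
    }


def post_json(base_url: str, realm: str, token: str, path: str, payload: dict) -> int:
    """POST a representation to the Keycloak admin REST API; returns the HTTP status (201 on create)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/{path}", data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Usage: KEYCLOAK_TOKEN=<realm-admin access token> python setup_idp.py https://keycloak.example.com <realm>
    base_url, realm = sys.argv[1], sys.argv[2]
    token = os.environ["KEYCLOAK_TOKEN"]
    alias = "google-workspace"  # assumed alias
    idp = saml_idp_representation(alias, "Google Workspace", 1,
                                  "https://accounts.google.com/o/saml2?idpid=PLACEHOLDER",
                                  "https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER", "PLACEHOLDER_CERT")
    print("identity provider:", post_json(base_url, realm, token, "identity-provider/instances", idp))
    for mapper in (attribute_importer_mapper(alias, "firstName"), attribute_importer_mapper(alias, "lastName"),
                   group_mapper(alias, "Housekeeping", "Housekeeping", "/Housekeeping")):
        print(mapper["name"], post_json(base_url, realm, token, f"identity-provider/instances/{alias}/mappers", mapper))
```

Keeping the mapper `syncMode` values as on this page matters: the group mapper is forced so that a user removed from the group on the identity provider side loses the Willba group at the next login, while the name mappers inherit the provider-level Force setting.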