
Configuring SSO with Keycloak


Before configuring SSO, make sure that the APP_URL parameter in config.env matches the current Passwork domain, for example APP_URL=https://passwork.example.com.

This is needed so that the IDP can download the SP metadata from Passwork. The Passwork server must also be served over HTTPS.

The following server names are used in this example:

  • Identity provider (IDP) — keycloack.passwork.local
  • Passwork server (SP) — passwork.example.com

Creating an application by importing a file into Keycloak

Obtain the client import file (JSON) and edit it for your environment; it is used to create the IDP-side application (client).


Open the Keycloak web interface and go to — Clients → Import client:



Perform the following actions:

  • Import the modified application file;
  • Set the name of the client to be created;
  • Disable — Encrypt assertions;
  • Disable — Client signature required.

Disabling Client signature required only stops Keycloak from verifying signatures on the authentication requests Passwork sends. The SAML response Keycloak returns is still signed with the realm key (Sign documents stays enabled by default), and that signature is what Passwork validates, so do not turn the signing options off.

Save the changes made:



If necessary, after saving you can change the unique user identifier (NameID) placed in the SAML assertion:



It is recommended to use username or email; depending on the selected value, the user login in Passwork will have one of the following formats:

Customizing user attribute transfer in the SAML assertion

Create a shared set of settings for the application (SP) — Client scopes → Create client scope:



Perform the following steps:

  • Set Name (passwork_client_scope is used below);
  • Type — Default;
  • Protocol — SAML.


Open the Mappers tab and create attribute statements that carry additional user attributes from Keycloak (IDP) to Passwork (SP):

  • Adding the email attribute:
    • Add predefined mapper → X500 email;
    • Open the added mapper and change:
      • SAML Attribute Name — email;
      • SAML Attribute NameFormat — Basic.
  • Adding the firstName attribute:
    • Add mapper → From predefined mappers → X500 surname;
    • Open the added mapper and change:
      • Property — firstName;
      • SAML Attribute Name — firstName;
      • SAML Attribute NameFormat — Basic.


Assign the created client scope to the created application (SP) — Clients → Passwork → Client scopes tab → Add client scope:



Select the created passwork_client_scope from the list with Assigned type — Default:



Configuring and populating single sign-on (SSO) settings in Passwork

Filling in values "User attributes"

Log in to the Passwork web interface, go to — Settings and Users → SSO Settings and fill in the mapping attributes:

  • Attribute for email — email;
  • Attribute for full name — firstName.
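To see what the two mappers configured above put into the assertion, and what the Passwork mapping then looks for, here is an added Python example (not Passwork's or Keycloak's own code). It parses two constructed assertions: one carrying email and firstName with NameFormat Basic as configured above, and one carrying the attribute as the predefined X500 email mapper emits it before modification (OID name, URI NameFormat, per Keycloak's mapper defaults), which the check rejects because no attribute named email arrives. Signatures, conditions and timestamps are left out of the samples because only Subject and AttributeStatement are inspected.

```python
"""Validate that a SAML assertion carries the NameID and the attributes that
Passwork's "User attributes" mapping points at (email, firstName).

Added example, not Passwork's or Keycloak's code. Both assertions below are
constructed; they use the page's example hostnames.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Mirrors the two fields under Settings and Users -> SSO Settings.
DEFAULT_MAPPING = {"Attribute for email": "email", "Attribute for full name": "firstName"}

# What the mappers emit after the renames (Name = email / firstName, NameFormat = Basic).
ASSERTION_OK = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_constructed_1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://keycloack.passwork.local/realms/master</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@passwork.example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>alice@passwork.example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# What the unmodified predefined "X500 email" mapper emits: the attribute is
# named by OID with a URI NameFormat, so nothing called "email" arrives.
ASSERTION_UNMODIFIED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_constructed_2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-1234</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1" FriendlyName="email"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>alice@passwork.example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return the NameID and a {Name: (NameFormat, [values])} map of the assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = (attr.get("NameFormat"), values)
    return {"name_id": (name_id.text or "").strip() if name_id is not None else None,
            "attributes": attrs}


def check_passwork_mapping(parsed: dict, mapping: dict = None) -> list:
    """Return a list of problems; an empty list means the assertion satisfies the mapping."""
    mapping = mapping or DEFAULT_MAPPING
    problems = []
    if not parsed["name_id"]:
        problems.append("missing or empty NameID")
    for field, name in mapping.items():
        fmt, values = parsed["attributes"].get(name, (None, []))
        if not values or not values[0]:
            problems.append(f"attribute '{name}' ({field}) is absent or empty")
        elif fmt != BASIC:
            # The procedure above sets Basic; flag a deviation so it is visible.
            problems.append(f"attribute '{name}' has NameFormat {fmt!r}, expected Basic")
    return problems


if __name__ == "__main__":
    for label, doc in (("renamed mappers", ASSERTION_OK), ("default X500 mapper", ASSERTION_UNMODIFIED)):
        print(label, "->", check_passwork_mapping(extract_attributes(doc)) or "OK")
```

Running the block prints OK for the first assertion and lists both missing attributes for the second; that second case is the shape behind the "user lacks the attribute required for authentication" error described later on this page.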

Filling in values "Identity Provider → Passwork"

Open the identity provider (IDP) configuration — Realm settings → General → Endpoints:



Open the SAML 2.0 Identity Provider Metadata link and copy the following values from the XML descriptor (the realm's entityID and the HTTP-POST SingleSignOnService and SingleLogoutService locations):


Open — Settings and Users → SSO Settings and fill in the values:

  • Identifier (Entity ID) — https://keycloack.passwork.local/realms/master
  • Reply URL — https://keycloack.passwork.local/realms/master/protocol/saml
  • Logout URL — https://keycloack.passwork.local/realms/master/protocol/saml

Filling in the value "Certificate"

Open and copy the realm signing certificate in base64 form — Realm settings → Keys → Certificate (next to the realm's RS256 key). This is the certificate Keycloak signs SAML responses with, not the server's TLS certificate:



Paste the copied certificate into the Certificate field — Settings and Users → SSO Settings.
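The values of the two subsections above can be read straight out of the IDP metadata XML rather than copied by hand. The following Python script is an added example, not Passwork's or Keycloak's code: it parses a constructed metadata document shaped like the descriptor Keycloak publishes (using the page's example hostnames; the certificate body is placeholder bytes, not a real X.509 certificate), returns the Entity ID, Reply URL, Logout URL and the whitespace-stripped base64 certificate, and compares certificate fingerprints so that a mis-copied certificate can be caught before saving.

```python
"""Read the "Identity Provider -> Passwork" values and the signing certificate
out of Keycloak SAML IdP metadata, and compare certificate fingerprints.

Added example, not Passwork's or Keycloak's code. SAMPLE_METADATA is a
constructed document in the shape of /realms/<realm>/protocol/saml/descriptor;
real output also lists HTTP-Redirect bindings and NameIDFormat entries.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

PLACEHOLDER_DER = b"placeholder DER bytes, not a real certificate"  # constructed
EXPECTED_CERT_B64 = base64.b64encode(PLACEHOLDER_DER).decode()

SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloack.passwork.local/realms/master">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          CERT_B64
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloack.passwork.local/realms/master/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloack.passwork.local/realms/master/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".replace("CERT_B64", EXPECTED_CERT_B64)


def normalize_b64(text: str) -> str:
    """Drop PEM armour lines and all whitespace so the value is a single base64 line."""
    lines = [ln for ln in text.splitlines() if not ln.strip().startswith("-----")]
    return "".join("".join(lines).split())


def certificate_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes as colon-separated hex."""
    der = base64.b64decode(normalize_b64(cert_b64), validate=True)
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(pasted: str, from_metadata: str) -> bool:
    """True when what was pasted into Passwork is byte-for-byte the metadata certificate."""
    return certificate_fingerprint(pasted) == certificate_fingerprint(from_metadata)


def _post_location(idp, service: str) -> str:
    for svc in idp.findall(f"md:{service}", NS):
        if svc.get("Binding") == POST_BINDING:
            return svc.get("Location")
    raise ValueError(f"no HTTP-POST {service} in metadata")


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the values Passwork asks for, keyed by the SSO settings field they go into."""
    root = ET.fromstring(xml_text)
    # Keycloak may wrap the realm descriptor in EntitiesDescriptor; look beneath if so.
    entity = root if root.tag == f"{{{NS['md']}}}EntityDescriptor" \
        else root.find(".//md:EntityDescriptor", NS)
    if entity is None:
        raise ValueError("no EntityDescriptor in document")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata (no IDPSSODescriptor)")
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # a KeyDescriptor without 'use' serves both
            el = kd.find(".//ds:X509Certificate", NS)
            if el is not None and el.text:
                cert = normalize_b64(el.text)
                break
    if cert is None:
        raise ValueError("no signing certificate in metadata")
    return {
        "entity_id": entity.get("entityID"),                       # Identifier (Entity ID)
        "reply_url": _post_location(idp, "SingleSignOnService"),   # Reply URL
        "logout_url": _post_location(idp, "SingleLogoutService"),  # Logout URL
        "certificate": cert,                                       # Certificate
        "fingerprint": certificate_fingerprint(cert),
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Point the script at the real descriptor and compare same_certificate() of the value pasted into Passwork against the metadata value: a mismatch is the "certificate fingerprint copied incorrectly" case described under the errors below, caught before the first login attempt.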

Open the authentication window in the Passwork web interface and log in via SSO to verify the correct configuration:



Errors and their descriptions

Errors are recorded in the PHP log.

The response from SSO cannot be verified because the certificate configured in Passwork is not the one Keycloak signs with: its fingerprint was copied incorrectly or belongs to a different certificate.

The host in the config.env parameter APP_URL is specified incorrectly, so the URLs Passwork uses in the SAML exchange do not match its actual domain.

The user lacks an attribute required for authentication: one of the attributes mapped under SSO settings (email or the full-name attribute) is missing from the assertion.