Configuring SSO with Keycloak

15min
Before configuring SSO, make sure that in config.env the APP_URL parameter matches the current Passwork domain, example — APP_URL=https://passwork.example.com
This is needed so that IDP can download the metadata. Also, the Passwork server must be running the HTTPS protocol.
The following server names are used for the example:
Provider (IDP) — keycloack.passwork.local
Passwork Server (SP) — passwork.example.com
Creating an application by importing a file into Keycloack
Get and edit a file to create an IDP-side application.
keycloack.json
﻿
json
"clientId": "https://your_host/api/v1/sso/metadata",
"adminUrl": "https://your_host/api/v1/sso/acs",
"baseUrl": "https://your_host/*",
"saml.logout.url": "https://your_host/api/v1/sso/sls"
"clientId": "https://your_host/api/v1/sso/metadata",
"adminUrl": "https://your_host/api/v1/sso/acs",
"baseUrl": "https://your_host/*",
"saml.logout.url": "https://your_host/api/v1/sso/sls"
﻿
Open the Keycloack web interface and go to — Clients → Import client:
﻿
Perform the following actions:
Import the modified application file;
Set the name of the application to be created;
Disable — Encrypt assertions;
Disable — Client signature required.
Save the changes made:
﻿
If necessary, you can change the unique user identifier (NameID) inside the SAML-assertion after saving the previous actions:
﻿
It is recommended to specify username or email, depending on the selected value the user login in Passwork can have the following formats:
username
[email protected]
Customizing User Role Transfer in SAML-assertion
Navigate to and create a common set of settings for the application (SP) — Client scopes → Create client scope:
﻿
Perform the following steps:
Set Name;
Type — Default;
Protocol — SAML.

﻿
Open the Mappers tab and create an attribute statement to transfer additional user attributes from Keycloak (IDP) to Passwork (SP):
Adding an assertion for email transmission:
Add predefined mapper → X500 email;
Open the added statement from the template and modify:
SAML Attribute Name — email;
SAML Attribute NameFormat — Basic.
Adding an assertion to pass firstName:
Add mapper → From predefined mappers → X500 surname;
Open the added statement from the template and modify:
Property — firstName;
SAML Attribute Name — firstName;
SAML Attribute NameFormat — Basic.
﻿
Assign the created scopes set (Client scope) to the created application (SP) — Clients → Passwork → go to the Client scopes tab → Add client scope:
﻿
Select from the list the created passwork_client_scope set with Assigned type — Default:
﻿
Configuring and populating single sign-on (SSO) settings in Passwork
Filling in values "User attributes"
Authenticate in the Passwork web interface, go to — Settings and Users → SSO Settings and fill in the mapping attributes:
Attribute for email — email;
Attribute for full name — firstName;
Filling in values "Identity Provider → Passwork"
Open the service provider (IDP) configuration — Realm settings → General → Endpoints:
﻿
Copy the following parameter values:
xml
entityID="https://keycloack.passwork.local/realms/master"
<md:SingleLogoutService Location="https://keycloack.passwork.local/realms/master/protocol/saml"/>
<md:SingleSignOnService Location="https://keycloack.passwork.local/realms/master/protocol/saml"/>
entityID="https://keycloack.passwork.local/realms/master"
<md:SingleLogoutService Location="https://keycloack.passwork.local/realms/master/protocol/saml"/>
<md:SingleSignOnService Location="https://keycloack.passwork.local/realms/master/protocol/saml"/>
﻿
﻿
Open — Settings and Users → SSO Settings and fill in the values:
Identifier (Entity ID) — https://keycloack.passwork.local/realms/master
Reply URL — https://keycloack.passwork.local/realms/master/protocol/saml
Logout URL — https://keycloack.passwork.local/realms/master/protocol/saml
Filling in value "Certificate"
Open and copy the generated SSL certificate in base64 format — Realm settings → Keys → Certificate:
﻿
Place the copied SSL certificate in the appropriate field — Settings and users → SSO settings.
Open the authentication window in the Passwork web interface and log in via SSO to verify the correct configuration:
﻿
Errors and their descriptions
In case of errors, they will be recorded in the PHP log
The response from SSO cannot be correctly decrypted because the certificate fingerprint has been copied incorrectly or is the fingerprint of an incorrect certificate.
Bash
OneLogin_Saml2_Error: invalid_response LastErrorReason: Signature validation failed. SAML Response rejected in /var/www/app/modules/Admin/SSO/SsoController.php:78\nStack trace:\n#0 [internal function]: Passwork\\Modules\\Admin\\SSO\\SsoController->acsAction()\n#1 [internal function]: Phalcon\\Dispatcher\\AbstractDispatcher->callActionMethod()\n#2 [internal function]:Phalcon\\Dispatcher\\AbstractDispatcher->dispatch()\n#3 /var/www/public/index.php(91): Phalcon\\Mvc\\Application->handle()\n#4 {main}
OneLogin_Saml2_Error: invalid_response LastErrorReason: Signature validation failed. SAML Response rejected in /var/www/app/modules/Admin/SSO/SsoController.php:78\nStack trace:\n#0 [internal function]: Passwork\\Modules\\Admin\\SSO\\SsoController->acsAction()\n#1 [internal function]: Phalcon\\Dispatcher\\AbstractDispatcher->callActionMethod()\n#2 [internal function]:Phalcon\\Dispatcher\\AbstractDispatcher->dispatch()\n#3 /var/www/public/index.php(91): Phalcon\\Mvc\\Application->handle()\n#4 {main}
﻿
The current host value in the config.env parameter APP_URL is specified incorrectly.
Bash
OneLogin_Saml2_Error: Invalid array settings: sp_acs_url_invalid, sp_sls_url_invalid in /var/www/app/vendors/php-saml/lib/Saml2/Settings.php:122\nStack trace:\n#0 /var/www/app/vendors/php-saml/lib/Saml2/Auth.php(152): OneLogin_Saml2_Settings->__construct()\n#1 /var/www/app/modules/Admin/SSO/SsoService.php(53): OneLogin_Saml2_Auth->__construct()\n#2 /var/www/app/modules/Admin/SSO/SsoController.php(33): Passwork\\Modules\\Admin\\SSO\\SsoService->getAuth()\n#3 [internal function]: Passwork\\Modules\\Admin\\SSO\\SsoController->loginAction()\n#4 [internal function]: Phalcon\\Dispatcher\\AbstractDispatcher->callActionMethod()\n#5 [internal function]: Phalcon\\Dispatcher\\AbstractDispatcher->dispatch()\n#6 /var/www/public/index.php(91): Phalcon\\Mvc\\Application->handle()\n#7 {main}, referer: 
OneLogin_Saml2_Error: Invalid array settings: sp_acs_url_invalid, sp_sls_url_invalid in /var/www/app/vendors/php-saml/lib/Saml2/Settings.php:122\nStack trace:\n#0 /var/www/app/vendors/php-saml/lib/Saml2/Auth.php(152): OneLogin_Saml2_Settings->__construct()\n#1 /var/www/app/modules/Admin/SSO/SsoService.php(53): OneLogin_Saml2_Auth->__construct()\n#2 /var/www/app/modules/Admin/SSO/SsoController.php(33): Passwork\\Modules\\Admin\\SSO\\SsoService->getAuth()\n#3 [internal function]: Passwork\\Modules\\Admin\\SSO\\SsoController->loginAction()\n#4 [internal function]: Phalcon\\Dispatcher\\AbstractDispatcher->callActionMethod()\n#5 [internal function]: Phalcon\\Dispatcher\\AbstractDispatcher->dispatch()\n#6 /var/www/public/index.php(91): Phalcon\\Mvc\\Application->handle()\n#7 {main}, referer: 
﻿
The user lacks the attribute required for authentication.
Bash
OneLogin_Saml2_Error: invalid_response LastErrorReason: The status code of the Response was not Success,was Responder -> urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy in /var/www/app/modules/Admin/SSO/SsoController.php:78\nStack trace:\n#0 [internal function]:Passwork\\Modules\\Admin\\SSO\\SsoController->acsAction()\n#1 [internal function]: Phalcon\\Dispatcher\\AbstractDispatcher->callActionMethod()\n#2 [internal function]:Phalcon\\Dispatcher\\AbstractDispatcher->dispatch()\n#3 /var/www/public/index.php(91): Phalcon\\Mvc\\Application->handle()\n#4 {main}
OneLogin_Saml2_Error: invalid_response LastErrorReason: The status code of the Response was not Success,was Responder -> urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy in /var/www/app/modules/Admin/SSO/SsoController.php:78\nStack trace:\n#0 [internal function]:Passwork\\Modules\\Admin\\SSO\\SsoController->acsAction()\n#1 [internal function]: Phalcon\\Dispatcher\\AbstractDispatcher->callActionMethod()\n#2 [internal function]:Phalcon\\Dispatcher\\AbstractDispatcher->dispatch()\n#3 /var/www/public/index.php(91): Phalcon\\Mvc\\Application->handle()\n#4 {main}
﻿
﻿
Updated 28 Feb 2025
Did this page help you?
SSO settings
Configuring SSO with AD FS