Configuring SSO with Keycloak
Before configuring SSO, make sure that the APP_URL parameter in config.env matches the current Passwork domain, for example APP_URL=https://passwork.example.com. This is needed so that the IdP can download the metadata. The Passwork server must also be served over HTTPS.

The following server names are used in this example:
- Identity provider (IdP): keycloack.passwork.local
- Passwork server (SP): passwork.example.com

Creating an application in Keycloak by importing a file

Download and edit the file used to create the application on the IdP side (https://archbee-doc-uploads.s3.amazonaws.com/w jxazppyuprqlll6w3gi p8dupj3g05u1ng3e6ojgj 20250218 112103 json). Replace your-host with the Passwork domain in the following fields:
- clientId: https://your-host/api/v1/sso/metadata
- adminUrl: https://your-host/api/v1/sso/acs
- baseUrl: https://your-host/
- SAML logout URL: https://your-host/api/v1/sso/sls

Open the Keycloak web interface, go to Clients → Import client and perform the following actions:
- import the modified application file;
- set the name of the application to be created;
- disable "Encrypt assertions";
- disable "Client signature required".

Save the changes.

If necessary, after saving you can change the unique user identifier (NameID) placed inside the SAML assertion. It is recommended to specify username or email; depending on the selected value, the user login in Passwork has one of the following formats:
- username
- username@passwork.local

Customizing user attribute transfer in the SAML assertion

Go to Client scopes → Create client scope and create a common set of settings for the application (SP):
- Name: set a name;
- Type: Default;
- Protocol: SAML.

Open the Mappers tab and create attribute statements to transfer additional user attributes from Keycloak (IdP) to Passwork (SP).

Adding an assertion for email transmission: choose Add predefined mapper → X500 email, open the added mapper and modify it:
- SAML Attribute Name: email;
- SAML Attribute NameFormat: Basic.

Adding an assertion to pass firstName: choose Add mapper → From predefined mappers → X500 surname, open the added mapper and modify it:
- Property: firstName;
- SAML Attribute Name: firstName;
- SAML Attribute NameFormat: Basic.

Assign the created client scope to the created application (SP): Clients → passwork → Client scopes tab → Add client scope, then select the created passwork client scope from the list with the assigned type Default.

Configuring and populating single sign-on (SSO) settings in Passwork

Filling in user attribute values: authenticate in the Passwork web interface, go to Settings and users → SSO settings and fill in the mapping attributes:
- Attribute for email: email;
- Attribute for full name: firstName.

Filling in identity provider values: open the identity provider (IdP) configuration at Realm settings → General → Endpoints and copy the following parameter values. Example XML output:

```xml
entityID="https://keycloack.passwork.local/realms/master"
<md:SingleLogoutService Location="https://keycloack.passwork.local/realms/master/protocol/saml"/>
<md:SingleSignOnService Location="https://keycloack.passwork.local/realms/master/protocol/saml"/>
```

Open Settings and users → SSO settings in Passwork and fill in the values:
- Identifier (Entity ID): https://keycloack.passwork.local/realms/master
- Reply URL: https://keycloack.passwork.local/realms/master/protocol/saml
- Logout URL: https://keycloack.passwork.local/realms/master/protocol/saml

Filling in the certificate value: open Realm settings → Keys → Certificate and copy the generated certificate in Base64 format. Paste the copied certificate into the appropriate field in Settings and users → SSO settings.

Open the authentication window in the Passwork web interface and log in via SSO to verify that the configuration is correct.

Errors and their descriptions

If errors occur, they are recorded in the PHP log.

The response from SSO cannot be decrypted correctly because the certificate fingerprint was copied incorrectly or is the fingerprint of the wrong certificate:

```
OneLogin_Saml2_Error: Invalid response, lastErrorReason: Signature validation failed. SAML Response rejected in /var/www/app/modules/admin/sso/SsoController.php:78
Stack trace:
#0 [internal function]: Passwork\Modules\Admin\Sso\SsoController->acsAction()
#1 [internal function]: Phalcon\Dispatcher\AbstractDispatcher->callActionMethod()
#2 [internal function]: Phalcon\Dispatcher\AbstractDispatcher->dispatch()
#3 /var/www/public/index.php(91): Phalcon\Mvc\Application->handle()
#4 {main}
```

The current host value in the config.env parameter APP_URL is specified incorrectly:

```
OneLogin_Saml2_Error: Invalid array settings: sp_acs_url_invalid, sp_sls_url_invalid in /var/www/app/vendors/php-saml/lib/Saml2/Settings.php:122
Stack trace:
#0 /var/www/app/vendors/php-saml/lib/Saml2/Auth.php(152): OneLogin_Saml2_Settings->__construct()
#1 /var/www/app/modules/admin/sso/SsoService.php(53): OneLogin_Saml2_Auth->__construct()
#2 /var/www/app/modules/admin/sso/SsoController.php(33): Passwork\Modules\Admin\Sso\SsoService->getAuth()
#3 [internal function]: Passwork\Modules\Admin\Sso\SsoController->loginAction()
#4 [internal function]: Phalcon\Dispatcher\AbstractDispatcher->callActionMethod()
#5 [internal function]: Phalcon\Dispatcher\AbstractDispatcher->dispatch()
#6 /var/www/public/index.php(91): Phalcon\Mvc\Application->handle()
#7 {main}, referer:
```

The user lacks the attribute required for authentication:

```
OneLogin_Saml2_Error: Invalid response, lastErrorReason: The status code of the Response was not Success, was Responder -> urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy in /var/www/app/modules/admin/sso/SsoController.php:78
Stack trace:
#0 [internal function]: Passwork\Modules\Admin\Sso\SsoController->acsAction()
#1 [internal function]: Phalcon\Dispatcher\AbstractDispatcher->callActionMethod()
#2 [internal function]: Phalcon\Dispatcher\AbstractDispatcher->dispatch()
#3 /var/www/public/index.php(91): Phalcon\Mvc\Application->handle()
#4 {main}
```
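As an added example (not part of the Passwork documentation or product), the following Python script reads the realm metadata Keycloak publishes, extracts the entity ID, the SSO and SLO locations and the signing certificate, and compares them with the values entered in Passwork's SSO settings, so the wrong-certificate cause of the "Signature validation failed" error above can be spotted before testing a login. The metadata document and the certificate blob are constructed samples, and the dictionary keys used for the Passwork side are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample of the metadata Keycloak publishes for a realm; the certificate is a placeholder blob, not real X.509.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://keycloack.passwork.local/realms/master">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Location="https://keycloack.passwork.local/realms/master/protocol/saml"/>
    <md:SingleSignOnService Location="https://keycloack.passwork.local/realms/master/protocol/saml"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed: what an administrator entered under Settings and users -> SSO settings (keys are assumed names).
CONFIGURED_OK = {
    "entity_id": "https://keycloack.passwork.local/realms/master",
    "sso_url": "https://keycloack.passwork.local/realms/master/protocol/saml",
    "slo_url": "https://keycloack.passwork.local/realms/master/protocol/saml",
    "certificate": FAKE_CERT_B64,
}

def normalize_cert(text):  # drop PEM armour and whitespace so pastes from different places compare equal
    return "".join(t for t in text.split() if not (t.startswith("-----") or t.endswith("-----")))

def parse_idp_metadata(xml_text):
    """Pull the values Passwork's SSO settings ask for out of the realm metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']", NS).find(".//ds:X509Certificate", NS).text
    return {"entity_id": root.get("entityID"),
            "sso_url": idp.find("md:SingleSignOnService", NS).get("Location"),
            "slo_url": idp.find("md:SingleLogoutService", NS).get("Location"),
            "certificate": normalize_cert(cert)}

def cert_fingerprint(cert_b64):
    """SHA-256 fingerprint of the DER bytes, in the colon-separated form admin UIs display."""
    digest = hashlib.sha256(base64.b64decode(normalize_cert(cert_b64))).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_sso_settings(idp_metadata_xml, configured):
    """List mismatches between what the IdP publishes and what was entered in Passwork."""
    idp, problems = parse_idp_metadata(idp_metadata_xml), []
    for key, label in (("entity_id", "Identifier (Entity ID)"), ("sso_url", "Reply URL"),
                       ("slo_url", "Logout URL")):
        if configured.get(key) != idp[key]:
            problems.append(f"{label}: Passwork has {configured.get(key)!r}, IdP publishes {idp[key]!r}")
    if cert_fingerprint(configured["certificate"]) != cert_fingerprint(idp["certificate"]):
        problems.append("Certificate: fingerprint differs from the realm signing certificate; "
                        "Passwork rejects such responses with 'Signature validation failed'")
    return problems
```

Against a live realm, fetch the metadata from the realm's SAML descriptor endpoint and pass its text to check_sso_settings together with the values copied from Passwork; an empty list means the three URLs and the certificate agree.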