Using Keycloak OIDC with SAML
To integrate Keycloak with OpenID Connect (OIDC) and SAML, you set up Keycloak as an OIDC Identity Provider and configure a SAML client. This lets users authenticate through OIDC-capable applications while Keycloak provides SSO for services that support SAML.
Below, I'll guide you through creating an OIDC Identity Provider and a SAML client in Keycloak using Pulumi and TypeScript. We'll use the `keycloak` provider package from Pulumi, which offers the resources needed to configure these services. First, we'll create an OIDC Identity Provider, which enables Keycloak to authenticate users with the OIDC protocol. We'll then create a SAML client, which allows applications to use Keycloak for authentication via the SAML 2.0 protocol.
Here's the Pulumi program that defines these resources:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

// Use your Keycloak instance URL and credentials here. In a real stack, load the
// secret with `new pulumi.Config().requireSecret(...)` rather than hard-coding it.
const keycloakUrlValue = "YOUR_KEYCLOAK_URL";
const keycloakProvider = new keycloak.Provider("keycloak-provider", {
    clientId: "admin-cli",
    clientSecret: pulumi.secret("YOUR_KEYCLOAK_CLIENT_SECRET"),
    url: keycloakUrlValue,
});

const realmId = "your-realm"; // Replace with your Keycloak realm name

// OIDC Identity Provider: lets Keycloak federate logins to an upstream OIDC provider.
// clientSecret is a plain string input; pulumi.secret() keeps it encrypted in state.
const oidcIdentityProvider = new keycloak.oidc.IdentityProvider("oidc-idp", {
    alias: "oidc-provider",
    realm: realmId,
    clientId: "YOUR_OIDC_CLIENT_ID",
    clientSecret: pulumi.secret("YOUR_OIDC_CLIENT_SECRET"),
    authorizationUrl: "YOUR_OIDC_AUTHORIZATION_ENDPOINT",
    tokenUrl: "YOUR_OIDC_TOKEN_ENDPOINT",
    userInfoUrl: "YOUR_OIDC_USERINFO_ENDPOINT",
    enabled: true,
}, { provider: keycloakProvider });

// SAML client: the service provider that will consume Keycloak's SAML 2.0 assertions.
const samlClient = new keycloak.saml.Client("saml-client", {
    realmId: realmId,
    clientId: "YOUR_SAML_CLIENT_ID",
    clientSignatureRequired: true, // Keycloak rejects unsigned requests from this client
    enabled: true,
    nameIdFormat: "username",
    signingCertificate: "YOUR_SAML_SIGNING_CERTIFICATE",
    signingPrivateKey: pulumi.secret("YOUR_SAML_SIGNING_PRIVATE_KEY"),
    includeAuthnStatement: true,
    // Adjust the following endpoints to match your SAML endpoints.
    masterSamlProcessingUrl: "YOUR_SAML_PROCESSING_URL",
    assertionConsumerPostUrl: "YOUR_SAML_ASSERTION_CONSUMER_POST_URL",
    assertionConsumerRedirectUrl: "YOUR_SAML_ASSERTION_CONSUMER_REDIRECT_URL",
    logoutServicePostBindingUrl: "YOUR_SAML_LOGOUT_SERVICE_POST_BINDING_URL",
    logoutServiceRedirectBindingUrl: "YOUR_SAML_LOGOUT_SERVICE_REDIRECT_BINDING_URL",
}, { provider: keycloakProvider });

export const keycloakUrl = keycloakUrlValue;
export const oidcProviderAlias = oidcIdentityProvider.alias;
export const samlClientId = samlClient.clientId;
```
In this code:

- We first import the `@pulumi/keycloak` package, the Pulumi Keycloak provider that lets us create Keycloak resources programmatically.
- The `keycloak.Provider` resource is configured with the details of your Keycloak server. Replace the placeholders (`YOUR_KEYCLOAK_URL` and `YOUR_KEYCLOAK_CLIENT_SECRET`) with your actual server URL and client secret.
- The OIDC Identity Provider (`keycloak.oidc.IdentityProvider`) is configured with the relevant OIDC URLs and client credentials. Replace the placeholders with the details from your OIDC provider.
- The SAML Client (`keycloak.saml.Client`) is set up with the details of your SAML application, including the client ID and the URLs for SAML processing, assertion consumption, and the logout service.
- We enable both the OIDC Identity Provider and the SAML Client by setting their `enabled` property to `true`.
- Replace placeholder values such as `YOUR_OIDC_CLIENT_ID`, `YOUR_SAML_CLIENT_ID`, and the URLs with the actual values for your OIDC provider and SAML application.
- The `export` statements at the end of the program expose the Keycloak instance URL, the OIDC provider alias, and the SAML client ID after deployment.
Deploying this code with Pulumi will create an OIDC Identity Provider and a SAML Client in the specified realm within your Keycloak instance. Adjust all the placeholder values to match your specific environment before executing the program with Pulumi.
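As an added check that is not part of the original program, the function below lints plain objects shaped like the `keycloak.oidc.IdentityProvider` and `keycloak.saml.Client` arguments before you run `pulumi up`: it flags unreplaced `YOUR_*` placeholders, endpoints that are not absolute https URLs, a SAML client that does not require signed requests (or lacks the certificate to verify them), and an unknown `nameIdFormat`. The interface names and `checkSettings` are this example's own, and the accepted Name ID formats are assumed from the Keycloak admin console options.

```typescript
// Added example (not from the original page): a pre-deploy lint for the values
// passed to keycloak.oidc.IdentityProvider and keycloak.saml.Client. It works on
// plain objects shaped like those args, so it runs without Pulumi, e.g. in a unit test.

export interface OidcIdpSettings {
    authorizationUrl: string; tokenUrl: string; userInfoUrl?: string; clientSecret: string;
}
export interface SamlClientSettings {
    clientSignatureRequired?: boolean; nameIdFormat?: string; signingCertificate?: string;
    [field: string]: string | boolean | undefined; // the *Url endpoints and remaining args
}

// Name ID formats Keycloak's SAML client offers (assumed from the admin console options).
const VALID_NAME_ID_FORMATS = ["username", "email", "transient", "persistent"];

// Template strings such as "YOUR_OIDC_TOKEN_ENDPOINT" must never reach the realm.
function isPlaceholder(value: unknown): boolean {
    return typeof value === "string" && /^YOUR_[A-Z_]+$/.test(value);
}

// Tokens and assertions travel over these endpoints, so only absolute https URLs pass.
function isHttps(value: string): boolean {
    try { return new URL(value).protocol === "https:"; } catch (_e) { return false; }
}

export function checkSettings(oidc: OidcIdpSettings, saml: SamlClientSettings): string[] {
    const findings: string[] = [];
    const urls: Array<[string, unknown]> = [
        ["oidc.authorizationUrl", oidc.authorizationUrl],
        ["oidc.tokenUrl", oidc.tokenUrl],
        ["oidc.userInfoUrl", oidc.userInfoUrl],
        ...Object.entries(saml).filter(([k]) => k.endsWith("Url")).map(([k, v]) => [`saml.${k}`, v] as [string, unknown]),
    ];
    for (const [name, value] of urls) {
        if (value === undefined) continue;
        if (isPlaceholder(value)) findings.push(`${name}: placeholder not replaced`);
        else if (typeof value !== "string" || !isHttps(value)) findings.push(`${name}: must be an absolute https URL`);
    }
    if (isPlaceholder(oidc.clientSecret)) findings.push("oidc.clientSecret: placeholder not replaced");
    // Keycloak should accept only signed requests from this SP, which needs the SP certificate to verify them.
    if (saml.clientSignatureRequired !== true) findings.push("saml.clientSignatureRequired: should be true");
    else if (!saml.signingCertificate || isPlaceholder(saml.signingCertificate)) findings.push("saml.signingCertificate: needed to verify signed client requests");
    if (saml.nameIdFormat !== undefined && !VALID_NAME_ID_FORMATS.includes(saml.nameIdFormat)) {
        findings.push(`saml.nameIdFormat: unknown format "${saml.nameIdFormat}"`);
    }
    return findings;
}
```

Run it against the same objects you pass to the two resources and fail the build when it returns any findings.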