Keycloak SAML Setup

Create a new SAML configuration in Kasm

  1. Log into the Kasm UI as an administrator.

  2. Select Access Management -> Authentication -> SAML -> Add Configuration.

  3. The SAML 2.0 Configuration page will auto-generate the Entity ID, Single Sign On Service, Single Logout Server, and Relay State values.

  4. Check Enable and enter a Display Name (e.g. Keycloak).

  5. Enter the Hostname for the Workspaces deployment (e.g. my.kasm.server).

  6. Check Default.

  7. Enter Role in Group Member Attribute.

  8. Enter username in NameID Attribute.

../../_images/kasm_saml_configuration.webp

Kasm SAML Configurations

  1. Check Debug. Disable this setting after testing is complete.

  2. Leave this page open and continue to the next steps.

Realm SAML Settings

  1. Navigate to the Keycloak Admin Portal. Select the desired Realm (e.g. master) then select Realm Settings.

  2. Click on SAML 2.0 Identity Provider Metadata.

../../_images/realm_settings1.png

Realm Settings

  1. Copy the following items from the XML document to the Identity Provider section of the SAML configuration in Workspaces.

Keycloak Property                     Kasm Property Name
------------------------------------  ----------------------------------------
entityID                              Entity ID
ds:X509Certificate                    X509 Certificate
md:SingleLogoutService..HTTP-POST     Single Logout Service/SLO Endpoint
md:SingleSignOnService..HTTP-POST     Single Sign On Service/SAML 2.0 Endpoint

../../_images/keycloak_xml.png

SAML XML
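As an added example (not part of the Kasm or Keycloak documentation), the Python below pulls those four values out of the Keycloak IdP metadata document and keys them by their Kasm field names, so they can be pasted in or checked against what was pasted. The metadata string is a constructed sample in the shape Keycloak serves, with a placeholder hostname and certificate; it selects the HTTP-POST binding, as the table requires, rather than the HTTP-Redirect one.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the Keycloak SAML 2.0 IdP metadata document.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape Keycloak serves; the certificate is a placeholder.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:EntityDescriptor entityID="https://keycloak.example.com/realms/master">
    <md:IDPSSODescriptor>
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-CERT...
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://keycloak.example.com/realms/master/protocol/saml"/>
      <md:SingleLogoutService Binding="{HTTP_POST}"
        Location="https://keycloak.example.com/realms/master/protocol/saml"/>
      <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://keycloak.example.com/realms/master/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def kasm_idp_values(metadata_xml: str) -> dict:
    """Map the Keycloak metadata onto the Kasm Identity Provider field names."""
    root = ET.fromstring(metadata_xml)
    md_entity = f"{{{NS['md']}}}EntityDescriptor"
    # Keycloak wraps the descriptor in an EntitiesDescriptor; accept both forms.
    entity = root if root.tag == md_entity else root.find("md:EntityDescriptor", NS)
    idp = entity.find("md:IDPSSODescriptor", NS)

    # Kasm verifies assertion signatures with this key: take the signing
    # certificate and strip the whitespace the XML wraps it with.
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:  # fall back to any certificate if none is marked for signing
        cert = idp.find(".//ds:X509Certificate", NS)

    def post_location(tag: str) -> str:
        # The table asks for the HTTP-POST binding, not the HTTP-Redirect one.
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == HTTP_POST:
                return svc.get("Location")
        raise ValueError(f"no HTTP-POST {tag} endpoint in metadata")

    return {
        "Entity ID": entity.get("entityID"),
        "X509 Certificate": "".join(cert.text.split()),
        "Single Logout Service": post_location("SingleLogoutService"),
        "Single Sign On Service": post_location("SingleSignOnService"),
    }
```

Feed it the XML downloaded from the SAML 2.0 Identity Provider Metadata link and compare each key with the corresponding Kasm field.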

  1. In the Advanced Settings of the Workspaces SAML configuration, ensure Want Attribute Statement, Want Assertions Signed, and Want Name ID are enabled.

  2. In the Advanced Settings of the Workspaces SAML configuration, set Signature Algorithm to rsa-sha256.

  3. Click Save.

../../_images/kasm_idp_configs.webp

Identity Provider

  1. Select Edit next to the new SAML configuration, as these settings will need to be referenced in the following sections.

Add a new client in Keycloak

  1. Navigate to the Keycloak Admin Portal. Select the desired Realm (e.g. master) then select Clients.

../../_images/clients.png

Keycloak Portal

  1. In the Clients window select Create Client.

  2. In the Client type select SAML.

  3. In the Client ID enter a short name (e.g. kasm). Note: we will modify this in the next section to work around a Keycloak bug.

  4. Enter a value for the Name field (e.g. Kasm Workspaces).

  5. Select Next.

../../_images/add_client1.png

Add Client

  1. Update the Home URL with the URL of the Workspaces deployment (e.g. https://my.kasm.server).

  2. Update Valid Redirect URLs with a wildcard entry for the Workspaces deployment (e.g. https://my.kasm.server/*).

  3. Select Save.

../../_images/add_client2.png

Add Client

Client Configurations

Update the client details configuration

  1. In the Client Details page, select the Settings tab.

  2. In the Client ID field, enter the value found in the Entity ID from the Service Provider sections in the Workspaces SAML configuration form.

  3. In the Master SAML Processing URL enter the value found in the Single Sign On Service from the Service Provider sections in the Workspaces SAML configuration form.

  4. Ensure Name ID format is username.

  5. Ensure Force name ID format is set to On.

  6. Ensure Sign Assertions is set to On.

  7. Click Save.

../../_images/client_configs.png

Client Settings

  1. Select the Keys tab.

  2. Set Client signature required to Off.

../../_images/client_signature.png

Keys

  1. Select the Advanced Tab.

  2. In the Logout Service POST Binding URL enter the value found in the Single Logout Service from the Service Provider sections in the Workspaces SAML configuration form.

  3. Click Save.

../../_images/client_advanced.png

Advanced

Adjust Single Role Attribute in Keycloak

  1. Navigate to the Keycloak Admin Portal. Select the desired Realm (e.g. master) then select Client Scopes.

../../_images/client_scopes.png

Keycloak Portal

  1. Select role_list (saml).

  2. Select the Mappers tab.

  3. Select role list.

  4. Set Single Role Attribute to On, then click Save.

../../_images/role_list.png

Role List

Testing Access

  1. Log out of the Kasm UI if already logged in.

  2. Navigate to the Kasm UI login page.

../../_images/kasm_login3.webp

Kasm Login

  1. Click Keycloak to initiate the SAML SSO process.

../../_images/keycloak_login.png

Keycloak Login

Mapping Roles

During the SAML authentication process, Keycloak will send a list of the user's roles. These can be mapped to Kasm Groups.

  1. Navigate to the Keycloak Admin Portal. Select the desired Realm (e.g. master) then select Realm Roles.

../../_images/roles.png

Keycloak Portal

  1. Select Create Role.

  2. Name the role kasm_admins then click Save.

../../_images/create_role.png

Create Role

  1. Select Users from the Keycloak menu, then click the username for the desired user.

../../_images/user_selection.png

User Selection

  1. Select the Role Mappings tab, then select Assign role.

  2. Select kasm_admins from the Available Roles then click Assign.

  3. Log into the Kasm UI as an administrator.

  4. Select Access Management -> Groups, then click Add Group.

  5. Name the Group Keycloak Kasm Admins and give it a priority (e.g. 10).

  6. Save the new group by clicking Save.

../../_images/create_group.webp

Create Group

  1. On the Groups screen, using the arrow menu select Edit on the group that was just created.

  2. Navigate to the SSO Group Mappings tab and select Add SSO Mapping.

  3. Select the SAML IDP that was created above “SAML - Keycloak” for the SSO Provider.

  4. Enter kasm_admins as the Group Attributes then click Submit.

../../_images/create_sso_group_mapping.webp

Add SSO Group Mapping

  1. Log out of Kasm, and back in via SAML as the previously assigned user. The user should now be mapped to the Keycloak Kasm Admins group.
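As an added illustration (not part of the Kasm or Keycloak documentation) of the Single Role Attribute setting and the role-to-group mapping above: Keycloak's own description of that setting is that, when on, all roles are stored under one attribute with multiple values, and otherwise each role arrives in its own attribute. The Python below constructs an assertion in each shape, collects the NameID and the Role attribute values either way, and applies the kasm_admins mapping created in this guide. The assertion fragments and the user alice are constructed; the second role name is only a filler value.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Kasm-side settings from this guide: Group Member Attribute = Role, NameID
# Attribute = username, one SSO Group Mapping with Group Attributes = kasm_admins.
GROUP_MAPPINGS = {"kasm_admins": "Keycloak Kasm Admins"}


def assertion(attributes: str) -> str:
    """Constructed assertion; only the Subject and AttributeStatement are modelled."""
    return f"""<saml:Assertion xmlns:saml="{SAML}">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>{attributes}</saml:AttributeStatement>
</saml:Assertion>"""


# Single Role Attribute = On: one Role attribute carrying every role value.
SINGLE_ATTRIBUTE = assertion("""
    <saml:Attribute Name="Role">
      <saml:AttributeValue>kasm_admins</saml:AttributeValue>
      <saml:AttributeValue>other_role</saml:AttributeValue>
    </saml:Attribute>""")

# Single Role Attribute = Off: one Role attribute per role, same Name each time.
SPLIT_ATTRIBUTES = assertion("""
    <saml:Attribute Name="Role"><saml:AttributeValue>kasm_admins</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role"><saml:AttributeValue>other_role</saml:AttributeValue></saml:Attribute>""")


def name_id_and_roles(assertion_xml: str, attr_name: str = "Role"):
    """Return (NameID, roles), collecting values across every attribute with that Name."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    roles = []
    for attr in root.findall(f".//saml:Attribute[@Name='{attr_name}']", NS):
        roles += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return name_id, roles


def kasm_groups(roles, mappings=GROUP_MAPPINGS):
    """Groups the user lands in: only roles that have an SSO Group Mapping count."""
    return sorted({mappings[r] for r in roles if r in mappings})
```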