Integrate SAS PCE as an Authentication Server with a SAML Service Provider Application
Integrating SAS PCE as an authentication server with a SAML service provider (SP) application is a three-step process: set up the identity provider (IdP), configure the SAML SP application, and verify authentication.
Identity Provider (Keycloak) Setup
Perform the following steps to configure the IdP (for example, Keycloak):
- Log into Keycloak as an administrator.
- On the administrator console, select your realm (for example, SASPCE).
- In the left pane, under Configure, click Clients, and in the right pane, click Create.
- Under Add Client, configure a client in Keycloak using either the metadata configuration or the manual configuration.
Metadata Configuration
Download the metadata file (.xml) from the SAML SP and perform the following steps to create a client in Keycloak:
- In the Import field, click Select file, search for and select the SP metadata file, and click Save.
  The client is created. Under Application, on the Settings tab, the metadata information is displayed.
- Click Save to complete the configuration.
Manual Configuration
Under Add Client, perform the following steps to create a client in Keycloak using the manual configuration:
- In the Client ID field, enter the ENTITY ID/ISSUER ID. It is used to identify the application.
- In the Client Protocol field, select saml.
- Click Save. The client is created.
- On the Settings tab, perform the following steps:
  - In the Name ID Format field, select a value as per your preferred configuration.
  - In the Valid Redirect URIs field, enter the Assertion Consumer Service URL of the application (for example, https://abc.com/).
    Users are redirected to this URL after successful authorization. This field accepts multiple URLs; click + to add an additional URI.
  - Under Fine Grain SAML Endpoint Configuration, enter the Assertion Consumer Service (ACS) URL of the application (for example, https://abc.com/) in either the Assertion Consumer Service POST Binding URL field or the Assertion Consumer Service Redirect Binding URL field, as required by the application.
    The ACS URL of the application is used in both the Valid Redirect URIs and Assertion Consumer Service URL fields.
- Click Save to complete the configuration.
  You can enter or modify the values of the rest of the fields as per your service provider application's requirements.
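As an added example (not code from the SafeNet documentation or from the Keycloak project), the following Python script reads an SP metadata file and maps it onto the fields of the manual configuration above: Client ID from entityID, the Name ID Format, and the ACS URL for each binding that goes into the Fine Grain SAML Endpoint Configuration and Valid Redirect URIs fields; it also flags any ACS URL that is not served over HTTPS. The embedded metadata is constructed for a hypothetical SP.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "Redirect",
}

# Constructed sample SP metadata (hypothetical SP, not from any real deployment).
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://abc.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://abc.com/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://abc.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def keycloak_client_settings(metadata_xml: str) -> dict:
    """Map SP metadata onto the fields of Keycloak's manual client configuration."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = {}  # binding name -> ACS Location
    for svc in sp.findall("md:AssertionConsumerService", NS):
        name = BINDINGS.get(svc.get("Binding"))
        if name:
            acs[name] = svc.get("Location")
    return {
        "client_id": root.get("entityID"),  # Client ID field (entity ID / issuer ID)
        "name_id_format": sp.findtext("md:NameIDFormat", namespaces=NS),  # Name ID Format field
        "acs": acs,  # Fine Grain SAML Endpoint Configuration: POST / Redirect Binding URL
        "valid_redirect_uris": sorted(set(acs.values())),  # Valid Redirect URIs field
        # ACS endpoints not served over HTTPS would receive the assertion in clear text.
        "insecure_acs": sorted(u for u in acs.values() if not u.startswith("https://")),
    }

if __name__ == "__main__":
    for field, value in keycloak_client_settings(SAMPLE_SP_METADATA).items():
        print(f"{field}: {value}")
```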
SAML Service Provider Application Configuration
Perform the following steps to configure a SAML SP application:
- Obtain the Keycloak metadata by performing the following steps:
  - On the administrator console, under Configure, click Realm Settings.
  - In the right pane, on the General tab, in the Endpoints field, select SAML2.0 Identity Provider Metadata.
    You are redirected to the Keycloak metadata page.
  - Save the metadata as a .xml file.
- Configure the IdP in your SP application using the information given in the Keycloak metadata.
Verify Authentication
Service Provider Initiated Login
Navigate to the Service Provider URL. You are redirected to SAS PCE for authentication as per your selected flow.
Enter your login credentials; after successful authentication, you are logged into the application.
For more information on the SafeNet authentication flows, see SafeNet Authentication Flows provided by SafeNet Keycloak Agent.
Enabling Single Sign-On for Applications
Perform the following steps to enable Single Sign-On (SSO) for your applications:
- On the Keycloak administrator console, in the left pane, under Configure, click Authentication.
- In the right pane, under Authentication, select a SafeNet flow of your choice (for example, SafeNet OTP Flow), and replicate the configuration as displayed in the screenshot below.
- Now, try to access multiple applications in the same browser; SSO should work seamlessly.