    Jumpcloud SSO (idp) to Keycloak (sp)

    • admin
      admin last edited by admin

      Jumpcloud SAML SSO to Keycloak

      So I recently had the challenge of setting up SAML authentication from Jumpcloud to an existing application that uses Keycloak (v18.x) as its authentication provider. As Keycloak can also be used as an identity provider the configuration can be a bit confusing.

      Keep in mind this quick tutorial assumes that you already have an existing Keycloak client which you are using to authenticate your service. Details of building a client are outside the scope of these instructions.

      So let's get into it...

      Variables and Standards

      The first thing we need to do is decide on some common variables and standards for this tutorial. Moving forward, when referencing user-defined variables we will wrap them in moustaches, e.g. {{var_here}}

      • iDpID: idp-jumpcloud-saml (ID Provider ID)
      • BaseURL: keycloak.example.com (base url of your Keycloak instance)
      • RealmName: myrealm (Keycloak realm name)
      • RealmClient: myclient
      • SPID: sp-jumpcloud-saml (Service Provider ID)
      • AppID: mysaml (Display label of your Jumpcloud App)
      • SPAppUrl: https://unogs.com

      Configure Jumpcloud

      • Login to the Jumpcloud admin interface
      • Click on SSO
      • Click the large green + button
      • Click Custom SAML App (bottom of page)
      • Fill out your display label with {{JDSID}}
      • Fill in a description if you want
      • Click on the SSO Tab
      • fill in IdP Entity ID with {{iDpID}}
      • fill in SP Entity ID with {{SPID}}
      • fill in ACS URL: https://{{BaseURL}}/realms/{{RealmName}}/broker/{{iDpID}}/endpoint
      • select SAMLSubjectNameID: as username

      Screenshot 2022-11-25 at 15.39.51.png


      • select Signature Algorithm as RSA-SHA256
      • fill in Login URL as https://{{BaseURL}}/realms/{{RealmName}}/protocol/openid-connect/auth?response_type=code&client_id={{RealmClient}}&scope=openid&redirect_uri={{SPAppURL}}&kc_idp_hint={{SPID}}
        • note: if you want to see your previous Keycloak login screen, remove kc_idp_hint
      • tick Sign Assertion
      • fill in IDP URL with {{APPID}}
      • Add the following User Attributes:
        • value email select email
        • value firstname select firstname
        • value lastname select lastname
      • e.g.

      Screenshot 2022-11-25 at 15.43.22.png


      • click activate
      • click on your newly created APP
      • click on the User Groups tab and select the group you want to give the above app access to.
      • click on the SSO tab
      • click Export Metadata; an XML file called JumpCloud-saml.xml will be saved locally

      Configure Keycloak

      Via the admin portal:

      • click Identity Providers
      • select Add Provider and select SAML v2.0
      • change Alias to {{iDpID}}
      • e.g.

      Screenshot 2022-11-25 at 14.39.35.png


      • change Service Provider Entity ID to {{SPID}}
      • scroll to bottom of the page, select Select File and choose JumpCloud-saml.xml
      • click Import
      • click Save
      • e.g.

      Screenshot 2022-11-25 at 15.33.46.png


      • go back into newly created provider and click the Mappers tab
      • do the following for email, firstname and lastname
        • click create
        • give it a name
        • change Mapper type to attribute importer
        • fill in Attribute Name to type (email, firstname, lastname)
        • fill in Friendly Name to type (email, firstname, lastname)
        • select ATTRIBUTE_FORMAT_UNSPECIFIED
        • fill in User Attribute Name kctype (email,firstName,lastName)

      Screenshot 2022-11-25 at 14.41.00.png


      Wrap Up

      If everything went as planned, the above configuration should allow your users to click on a new app in their Jumpcloud console and it will automatically log in via your existing client. For new users this configuration should also automatically populate user details in the JWT.

      If you have any questions or anything doesn't work as expected feel free to email me at admin@unogs.com

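As an added example (not part of the post above), a small Python check a practitioner can run on the exported JumpCloud-saml.xml before importing it into Keycloak: it confirms the metadata's entityID matches the IdP Entity ID configured in Jumpcloud and that a signing certificate is present (without it Keycloak cannot validate the signed assertions), and it builds the tutorial's ACS and Login URLs with the query string properly URL-encoded. The metadata shown is a constructed stand-in, and kc_idp_hint is set to the Keycloak IdP alias, which is what Keycloak expects for that parameter.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Tutorial variables from the post above.
VARS = {"iDpID": "idp-jumpcloud-saml", "BaseURL": "keycloak.example.com",
        "RealmName": "myrealm", "RealmClient": "myclient", "SPAppUrl": "https://unogs.com"}
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the exported JumpCloud-saml.xml (the real file carries
# a full base64 certificate and JumpCloud's own SSO endpoint URL).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="idp-jumpcloud-saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-constructed-placeholder</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://sso.jumpcloud.com/saml2/example"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def acs_url(v):
    # Broker endpoint Keycloak exposes for this IdP alias: the tutorial's ACS URL.
    return f"https://{v['BaseURL']}/realms/{v['RealmName']}/broker/{v['iDpID']}/endpoint"

def login_url(v, idp_hint=True):
    # Tutorial's Login URL with the query string URL-encoded (redirect_uri contains
    # '://', which must not go into the query raw). kc_idp_hint is the Keycloak IdP alias.
    q = {"response_type": "code", "client_id": v["RealmClient"],
         "scope": "openid", "redirect_uri": v["SPAppUrl"]}
    if idp_hint:
        q["kc_idp_hint"] = v["iDpID"]
    return f"https://{v['BaseURL']}/realms/{v['RealmName']}/protocol/openid-connect/auth?{urlencode(q)}"

def check_metadata(xml_text, v):
    # Returns a list of problems; empty means the export matches what the tutorial
    # configured and carries a signing certificate for assertion validation.
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("entityID") != v["iDpID"]:
        problems.append(f"entityID {root.get('entityID')!r} != IdP Entity ID {v['iDpID']!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in (idp.findall("md:KeyDescriptor", NS) if idp is not None else []):
        if kd.get("use", "signing") == "signing":  # no 'use' means signing and encryption
            certs += kd.findall(".//ds:X509Certificate", NS)
    if not any(c.text and c.text.strip() for c in certs):
        problems.append("no signing certificate: Keycloak cannot validate signed assertions")
    return problems
```

Run check_metadata against the real export with your own variable values; any non-empty result means the Jumpcloud side and the Keycloak alias do not line up yet.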
      • admin
        admin @admin last edited by admin

        Mapping Groups from Jumpcloud

        In the above post we set up Jumpcloud SAML SSO auth to use Keycloak as the SP.
        In addition, it is sometimes helpful to include your Jumpcloud groups in the SAML token. The following instructions should help enable this.

        Configure Jumpcloud

        • start by configuring your group to use the SSO App you created for SAML

        Screenshot 2022-11-26 at 11.51.30.png


        • Now update your SAML app to include group information:
          • Go to your SSO App
          • click on the SSO Tab and scroll to the bottom
          • tick the box for Group Attributes
          • give it a name like memberOf (can be any name but you will need this for keycloak)
          • click save

        Screenshot 2022-11-26 at 12.00.33.png


        Configure Keycloak

        • Open Keycloak admin portal for your realm
        • Click on Roles and create a new role e.g. saml-group

        Screenshot 2022-11-26 at 12.04.42.png


        • Click on Identity Providers and select the provider you created earlier (see above blog post)
        • Click on the Mappers tab
        • Click Create
        • Give it a name e.g. saml-group
        • select Sync Mode Override equal to force (this updates the groups associated with this account on every login)
        • Create a new Attribute using the Jumpcloud Group Attributes identifier, in this case memberOf as the key and your Jumpcloud group name as the key
        • Set Regex Attribute Values to On
        • Under Role, choose the role you created

        Screenshot 2022-11-26 at 12.11.52.png

