diff --git a/src/assets/images/cloudflare-one/identity/keycloak/configure-client.png b/src/assets/images/cloudflare-one/identity/keycloak/configure-client.png deleted file mode 100644 index 5fcf736afb5..00000000000 Binary files a/src/assets/images/cloudflare-one/identity/keycloak/configure-client.png and /dev/null differ diff --git a/src/assets/images/cloudflare-one/identity/keycloak/protocol-mapper.png b/src/assets/images/cloudflare-one/identity/keycloak/protocol-mapper.png deleted file mode 100644 index c699cd13821..00000000000 Binary files a/src/assets/images/cloudflare-one/identity/keycloak/protocol-mapper.png and /dev/null differ diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/keycloak.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/keycloak.mdx index ec8e4eef7e7..9c34fc62f7e 100644 --- a/src/content/docs/cloudflare-one/integrations/identity-providers/keycloak.mdx +++ b/src/content/docs/cloudflare-one/integrations/identity-providers/keycloak.mdx @@ -10,15 +10,19 @@ tags: import { Render } from "~/components"; -Keycloak is an open source identity and access management solution built by JBoss. If you need a Keycloak lab environment for testing, refer to [this example](https://github.com/mw866/tunnel-keycloak). +Keycloak is an open source identity and access management solution built by JBoss. ## Set up Keycloak (SAML) To set up Keycloak (SAML) as your identity provider: -1. In Keycloak, select **Clients** in the navigation bar and create a new client. +1. In Keycloak, select the realm that you want Cloudflare Access to use. -2. Under **Client ID**, enter the following URL: +2. Go to **Clients** > **Create client**. + +3. For **Client type**, select **SAML**. + +4. Under **Client ID**, enter your Cloudflare Access callback URL: ```txt https://.cloudflareaccess.com/cdn-cgi/access/callback @@ -26,39 +30,53 @@ To set up Keycloak (SAML) as your identity provider: - ![SAML Client interface with team domain and callback in Client ID](~/assets/images/cloudflare-one/identity/keycloak/configure-client.png) +5. Select **Next**. + +6. Change **Name ID format** to **email**. + +7. In **Valid redirect URIs**, enter your Cloudflare Access callback URL: + + ```txt + https://.cloudflareaccess.com/cdn-cgi/access/callback + ``` -3. Change the `Name ID Format` to `email` +8. In **Master SAML Processing URL**, enter the SAML endpoint for your Keycloak realm: -4. Next, set the valid redirect URI to the Keycloak domain that you are using. For example, `https://.cloudflareaccess.com/cdn-cgi/access/callback`. + ```txt + https:///realms//protocol/saml + ``` -5. Set the Master SAML Processing URL using the same Keycloak domain: `https:///auth/realms/master/protocol/saml`. + Keycloak v17 and later use `/realms//protocol/saml` by default. Keycloak v16 and earlier may use `/auth/realms//protocol/saml` instead. -6. If you wish to enable client signatures, enable `Client Signature Required` and select **save**. +9. If you wish to enable client signatures, enable **Client Signature Required** and select **Save**. 1. You will need to [follow the steps here to get the certificate and enable it in the Cloudflare dashboard](/cloudflare-one/integrations/identity-providers/signed_authn/). - 2. Import the Access certificate you downloaded into the `SAML Keys` tab. Use `Certificate PEM` as the format. + 2. Import the Access certificate you downloaded into the **Keys** tab. Use **Certificate PEM** as the format. -7. Set the built-in protocol mapper for the `email` property. +10. Configure a protocol mapper for the user's email address. - ![Protocol Mapper with email property set](~/assets/images/cloudflare-one/identity/keycloak/protocol-mapper.png) + 1. Go to **Clients** > your Cloudflare Access SAML client > **Client scopes**. + 2. Select the dedicated client scope for the client. + 3. Go to **Mappers** > **Add mapper** > **By configuration**. + 4. Select **User Property**. + 5. Set **Property** to `email` and **SAML Attribute Name** to `email`. - Next, you will need to integrate with Cloudflare Access. + Next, you will need to integrate with Cloudflare Access. -8. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Integrations** > **Identity providers**. +11. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Integrations** > **Identity providers**. -9. Under **Your identity providers**, select **Add new identity provider**. +12. Under **Your identity providers**, select **Add new identity provider**. -10. Choose **SAML** on the next page. +13. Choose **SAML** on the next page. You will need to input the Keycloak details manually. The examples below should be replaced with the specific domains in use with Keycloak and Cloudflare Access. | Field | Example | | --------------------------- | ------------------------------------------------------------------ | - | Single Sign-On URL | `https:///auth/realms/master/protocol/saml` | + | Single Sign-On URL | `https:///realms//protocol/saml` | | IdP Entity ID or Issuer URL | `https://.cloudflareaccess.com/cdn-cgi/access/callback` | - | Signing certificate | Use the X509 Certificate in the Realm Settings from Keycloak | + | Signing certificate | Use the X509 certificate from the Keycloak realm keys | -11. Select **Save**. +14. Select **Save**. To test that your connection is working, go to **Integrations** > **Identity providers** and select **Test** next to the login method you want to test.