Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file not shown.
Binary file not shown.
Original file line number Diff line number Diff line change
Expand Up @@ -10,55 +10,73 @@ tags:

import { Render } from "~/components";

Keycloak is an open source identity and access management solution built by JBoss. If you need a Keycloak lab environment for testing, refer to [this example](https://github.com/mw866/tunnel-keycloak).
Keycloak is an open source identity and access management solution built by JBoss.

## Set up Keycloak (SAML)

To set up Keycloak (SAML) as your identity provider:

1. In Keycloak, select **Clients** in the navigation bar and create a new client.
1. In Keycloak, select the realm that you want Cloudflare Access to use.

2. Under **Client ID**, enter the following URL:
2. Go to **Clients** > **Create client**.

3. For **Client type**, select **SAML**.

4. Under **Client ID**, enter your Cloudflare Access callback URL:

```txt
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
```

<Render file="find-team-name" product="cloudflare-one" />

![SAML Client interface with team domain and callback in Client ID](~/assets/images/cloudflare-one/identity/keycloak/configure-client.png)
5. Select **Next**.

6. Change **Name ID format** to **email**.

7. In **Valid redirect URIs**, enter your Cloudflare Access callback URL:

```txt
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
```

3. Change the `Name ID Format` to `email`
8. In **Master SAML Processing URL**, enter the SAML endpoint for your Keycloak realm:

4. Next, set the valid redirect URI to the Keycloak domain that you are using. For example, `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback`.
```txt
https://<keycloak_domain>/realms/<realm_name>/protocol/saml
```

5. Set the Master SAML Processing URL using the same Keycloak domain: `https://<keycloak_domain>/auth/realms/master/protocol/saml`.
Keycloak v17 and later use `/realms/<realm_name>/protocol/saml` by default. Keycloak v16 and earlier may use `/auth/realms/<realm_name>/protocol/saml` instead.

6. If you wish to enable client signatures, enable `Client Signature Required` and select **save**.
9. If you wish to enable client signatures, enable **Client Signature Required** and select **Save**.
1. You will need to [follow the steps here to get the certificate and enable it in the Cloudflare dashboard](/cloudflare-one/integrations/identity-providers/signed_authn/).

2. Import the Access certificate you downloaded into the `SAML Keys` tab. Use `Certificate PEM` as the format.
2. Import the Access certificate you downloaded into the **Keys** tab. Use **Certificate PEM** as the format.

7. Set the built-in protocol mapper for the `email` property.
10. Configure a protocol mapper for the user's email address.

![Protocol Mapper with email property set](~/assets/images/cloudflare-one/identity/keycloak/protocol-mapper.png)
1. Go to **Clients** > your Cloudflare Access SAML client > **Client scopes**.
2. Select the dedicated client scope for the client.
3. Go to **Mappers** > **Add mapper** > **By configuration**.
4. Select **User Property**.
5. Set **Property** to `email` and **SAML Attribute Name** to `email`.

Next, you will need to integrate with Cloudflare Access.
Next, you will need to integrate with Cloudflare Access.

8. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Integrations** > **Identity providers**.
11. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Integrations** > **Identity providers**.

9. Under **Your identity providers**, select **Add new identity provider**.
12. Under **Your identity providers**, select **Add new identity provider**.

10. Choose **SAML** on the next page.
13. Choose **SAML** on the next page.

You will need to input the Keycloak details manually. The examples below should be replaced with the specific domains in use with Keycloak and Cloudflare Access.

| Field | Example |
| --------------------------- | ------------------------------------------------------------------ |
| Single Sign-On URL | `https://<keycloak_domain>/auth/realms/master/protocol/saml` |
| Single Sign-On URL | `https://<keycloak_domain>/realms/<realm_name>/protocol/saml` |
| IdP Entity ID or Issuer URL | `https://<unique_id>.cloudflareaccess.com/cdn-cgi/access/callback` |
| Signing certificate | Use the X509 Certificate in the Realm Settings from Keycloak |
| Signing certificate | Use the X509 certificate from the Keycloak realm keys |

11. Select **Save**.
14. Select **Save**.

To test that your connection is working, go to **Integrations** > **Identity providers** and select **Test** next to the login method you want to test.
Loading