Keycloak
Introduction
This guide details the steps required to integrate Keycloak as a SAML provider for your env0 organization. The current implementation is used for authentication only: you define your users in Keycloak to grant them access to your env0 organization.
Steps
- Login to your Keycloak account as an Administrator
- In the left-side menu click on the Clients tab
- Click on the Create button
- In the Client ID enter urn:auth0:env0:YOUR_ENV0_ORG_ID, e.g. urn:auth0:env0:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
- In the Client Protocol dropdown select saml
- Click on the Save button
- Under the Settings tab, in the Name field enter env0
- In the Name ID Format dropdown select email
- In the IDP Initiated SSO URL Name enter env0
- Open the Fine Grain SAML Endpoint Configuration dropdown
- In the Assertion Consumer Service POST Binding URL and in the Assertion Consumer Service Redirect Binding URL enter https://login.app.env0.com/login/callback?connection=YOUR_ENV0_ORG_ID, e.g. https://login.app.env0.com/login/callback?connection=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
- Click on the Save button at the bottom
Mappers
- Click on the Mappers tab
- Click on the Add Builtin button
- Check X500 email, X500 givenName and X500 surname and click on the Add selected button
- Click on the Edit button in the X500 givenName mapper, change the SAML Attribute Name to firstName and click on the Save button
- Click on the Edit button in the X500 email mapper, change the SAML Attribute Name to email and click on the Save button
- Click on the Edit button in the X500 surname mapper, change the SAML Attribute Name to lastName and click on the Save button
- If you would also like to sync your Keycloak groups with env0, click on the Create button in the Mappers tab
- Under Name enter groups
- In the Mapper Type dropdown select Group list
- In the Group attribute name enter groups
- In the Friendly Name enter groups
- Leave the SAML Attribute NameFormat unselected and make sure the Single Group Attribute is switched on
- You can choose whether to send the full group path. If you switch it on, the teams in env0 will include the full path of the group, e.g. if you have a Front end group inside an RnD group, the name of the team in env0 will be /RnD/Front end
- Read more about Teams syncing with env0 here
- Click on the Save button
Installation
- In order to set up your SAML inside env0, go to the Installation tab
- In the Format Option dropdown select Mod Auth Mellon Files and click on the Download button
- Extract the downloaded keycloak-mod-auth-mellon-sp-config.zip file
- Send us the idp-metadata.xml file from the extracted folder using this form