Configure SAML with Keycloak

This page explains how to integrate Keycloak as a SAML Identity Provider to authenticate your users on Reemo.

Note

Depending on your deployment mode, SAML can be enabled at the instance level (Private Cloud / On-Prem) or at the organization level (Public Cloud).
Screenshots and labels may vary slightly depending on your interface version.

Configure SAML in Reemo

Case 1: Instance level (Private Cloud / On-Prem)
Configure SAML in the instance’s Admin Area, under the Connectors menu.
Configure SAML in the instance Admin Area

Access Connectors in the instance Admin Area.

Case 2: Organization level (Public Cloud)
From your Organization > Connectors, configure SAML for that organization.
Configure SAML at the organization level

Configure SAML in Organization > Connectors.

Create the SAML connector in Reemo

  1. Create a new Connector of type SAML Connector.

  2. Fill in the basic fields:

    • Friendly Name: name displayed to your users (e.g. Keycloak).

    • Issuer / App URI ID: reemo.

    • The other fields (e.g. Entry Point, Certificate) will be filled in after the Keycloak configuration.

Creating a SAML connector in Reemo

Fill in the basic fields of the SAML connector.


SAML connector creation form

Enter the friendly name and the Issuer (reemo), then save.

  3. Validate to generate the connector’s callback URL. You will need it in Keycloak.

Retrieving the connector callback URL

Copy the callback URL generated by the SAML connector.

Configure the SAML client in Keycloak

  1. Log in to your Keycloak Admin Console.

  2. Select the target Realm from the dropdown in the top left.

  3. In the left menu, go to Clients > Create client.

Creating a SAML client in Keycloak

Create a new SAML client in Keycloak.

  4. Fill in the client parameters:

    • Client type: SAML.

    • Client ID: reemo.

Creating a SAML client in Keycloak

Set the client type and Client ID.

  5. In the client settings, configure:

    • Valid redirect URIs: paste the callback URL from the Reemo connector.

    • Master SAML Processing URL: paste the callback URL from the Reemo connector.

    Keycloak SAML client settings

    Fill in the redirect URIs and the Master SAML Processing URL.

    • Sign documents: ON.

    • Sign assertions: ON.

Keycloak SAML client settings

Enable Sign documents and Sign assertions.

  6. Go to the client’s Keys tab and disable the Client signature required option.

Warning

Reemo does not sign outgoing SAML requests. If Client signature required remains enabled, Keycloak will reject authentication requests.

Disable Client signature required in Keycloak

Disable Client signature required in the client Keys tab.

  7. Go to the Client scopes tab > click on the dedicated scope (e.g. reemo-dedicated) > Add mapper > By configuration.

    Add the following attribute mappers:

    Mapper type      Name       Property   SAML Attribute Name
    User Property    username   username   username
    User Property    email      email      email
    User Attribute   fullname   fullname   fullname

Warning

The SAML Attribute Name field is mandatory on each mapper. Without it, the attributes arrive in the SAML response with no Name, and Reemo rejects them.

Warning

Keycloak does not natively concatenate first name and last name. You must create a custom fullname attribute on each user in the Keycloak console.

SAML attribute mappers in Keycloak

Configure the email, username and fullname mappers in Client scopes.
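The following script is an added example (it is not Reemo or Keycloak code) that checks a SAML Response for the shape the steps above require: a signature on the Response (Sign documents), a signature on the Assertion (Sign assertions), and the three named attributes username, email and fullname from the mapper table. It only checks presence and naming; verifying the XML signature against the realm certificate needs an XML-DSig library and is not done here. The sample responses are constructed, with placeholder Signature elements.

```python
"""Check that a SAML Response carries what the Keycloak client on this page must produce.

Added example, not Reemo or Keycloak code. Assumes the attribute names from the mapper
table (username, email, fullname) and that both Response and Assertion are signed.
Signature elements are only checked for presence, not cryptographically verified.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Attribute names configured in the SAML Attribute Name column of the mapper table.
REQUIRED_ATTRIBUTES = ("username", "email", "fullname")


def check_response(xml_text: str) -> list:
    """Return a list of problems; an empty list means the response matches the page's requirements."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed (Sign documents must be ON)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element in the response"]
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed (Sign assertions must be ON)")
    seen = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        if not name:
            # A mapper saved without SAML Attribute Name produces exactly this.
            problems.append(f"attribute without a Name (values={values}); set SAML Attribute Name on the mapper")
            continue
        seen[name] = values
    for required in REQUIRED_ATTRIBUTES:
        if required not in seen:
            problems.append(f"missing attribute {required!r}")
        elif not any(v.strip() for v in seen[required]):
            problems.append(f"attribute {required!r} is empty (for fullname: set the custom user attribute in Keycloak)")
    return problems


# Constructed sample: everything the page asks for is present.
SAMPLE_OK = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>https://keycloak.example/realms/demo</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://keycloak.example/realms/demo</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="fullname"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: unsigned assertion, email mapper saved without a Name, empty fullname.
SAMPLE_BAD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2" Version="2.0">
  <saml:Issuer>https://keycloak.example/realms/demo</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Issuer>https://keycloak.example/realms/demo</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>bob</saml:AttributeValue></saml:Attribute>
      <saml:Attribute><saml:AttributeValue>bob@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="fullname"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_response(sample) or "no problems")
```

Run it against a response captured from the browser's SAML trace (the base64-decoded SAMLResponse form field) to see which of the page's settings is still missing before digging into Reemo's logs.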

  8. Retrieve the X.509 certificate and the Entry Point (SSO URL):

    • Certificate: from Realm settings > Keys > RS256 row > Certificate button. Copy the raw base64 content.

    • Entry Point: follows the format:

    https://[keycloak_url]/realms/[realm]/protocol/saml

Warning

Use the RS256 certificate from the Realm, not from the client. Paste only the raw base64, without the PEM header and footer lines; otherwise Reemo will not be able to validate the signed assertions.

X.509 certificate and Keycloak SSO URL

Retrieve the RS256 Realm certificate from Realm settings > Keys.

  9. Complete the Reemo SAML connector with this information. Enable the connector (check Enabled) then click Update to save.
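As an added example (not Reemo or Keycloak code), the helper below prepares the two values pasted into the connector in steps 8 and 9: it strips PEM header and footer lines from a certificate and checks that what remains is base64 that decodes to a DER SEQUENCE (the outer structure of every X.509 certificate), and it builds the Entry Point URL in the format shown above. The certificate bytes in the sample are constructed DER, not a real certificate; the hostname is a placeholder.

```python
"""Prepare the Keycloak values the Reemo SAML connector needs.

Added example, not Reemo or Keycloak code. The sample PEM below is constructed
(a minimal DER SEQUENCE), not a real certificate.
"""
import base64
import binascii
import re

PEM_LINE = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----$")


def normalize_certificate(text: str) -> str:
    """Accept a PEM block or raw base64 and return the raw base64 on one line.

    Raises ValueError when the content is not base64 or does not decode to a DER
    SEQUENCE (tag 0x30), which catches the two copy mistakes the warning above
    describes: pasted headers and truncated or garbled content.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    body = "".join(ln for ln in lines if ln and not PEM_LINE.match(ln))
    body = re.sub(r"\s+", "", body)
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes are not a DER SEQUENCE; this is not an X.509 certificate")
    return body


def entry_point_url(keycloak_url: str, realm: str) -> str:
    """Build https://[keycloak_url]/realms/[realm]/protocol/saml from its parts."""
    base = keycloak_url.rstrip("/")
    if not base.startswith("https://"):
        # The page's format uses https; SAML responses carry user identity.
        raise ValueError("Keycloak URL must start with https://")
    return f"{base}/realms/{realm}/protocol/saml"


# Constructed sample: bytes 30 03 02 01 01 are a DER SEQUENCE containing INTEGER 1.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print("Certificate:", normalize_certificate(SAMPLE_PEM))
    print("Entry Point:", entry_point_url("https://sso.example.com/", "demo"))
```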

Declare users

Two approaches are available to grant SSO access to users.

Approach A: Explicit provisioning from the organization
Use the Provision SAML User button to add users by entering their email.
SAML User provisioning button in the organization

Provision SAML users directly in the organization.

SAML user add popup by email

Add users by email via the provisioning popup.

Approach B: Just-In-Time (JIT) Provisioning
Enable Just In Time Provisioning on the connector: accounts are created automatically on the first successful SSO login.
Just In Time Provisioning option

Enable Just In Time Provisioning to create accounts on first login.

Log in via SAML

Once the connector is active and users are declared (or JIT is enabled), your users can log in:

  • General access to your portal (Private Cloud / On-Prem):

    https://[portal_url]/

  • Direct access to the organization (Public Cloud):

    https://[portal_url]/login/[organization_shortname]

SSO authentication choice screen

Select SAML then Next to be redirected to Keycloak.