This page provides an example of how to configure Cloud CMS Single Sign On (SSO) for JBoss Keycloak.
Keycloak is an open-source Identity and Access Management product provided by JBoss/RedHat.
Keycloak plays the role of an Identity Provider that speaks SAML 2.0 and/or JWT. Cloud CMS integrates via either of these mechanisms and can therefore use Keycloak as an identity provider straight away.
Cloud CMS provides Single Sign On (SSO) Enterprise support for a variety of Identity Providers using SAML 2.0 and/or JWT. For more information, see Cloud CMS Single Sign On (SSO).
You can learn more about Keycloak here:
In this section, we'll set up Keycloak with some sample data that we can use to demonstrate SSO.
Keycloak offers an Administration Console that is generally available at:
It may be on a different port depending on the exact version of Keycloak that you're using. This example was written using Keycloak 3.4.6 (which is a bit older) but the steps provided here should be more or less consistent.
Enter the username and password you created on the Welcome Page or with the add-user-keycloak script. If you're using a standard configuration, then this may simply be
Once you have logged in, you can see the Admin Console with a Master realm already present.
Go to Clients in the left menu bar. Click on the Create button on the right-hand side of the page.
You will see a form like this:
Enter the Client ID for the client. This can be any name, but we recommend
Select saml in the Client Protocol drop-down box.
Click Save. This will create the client and bring you to the client Settings tab as below:
By default, Keycloak sets up your client to work with default settings. We need to make a few adjustments to have it work correctly with Cloud CMS.
- Include AuthnStatement should be set to
- Sign Documents should be set to
- Signature Algorithm should be set to
- Force POST Binding should be set to
- Valid Redirect URIs should have an entry for
There are a lot of other options available. For more information on these options, please check out:
Let us now create a user named Joe Smith.
Go to Users in the left menu bar. Then, on the right side of the empty user list, you should see an Add User button.
Click the Add User button to create a new user.
The only required field is Username. Click Save.
Once the user is created, go to the Credentials tab and add a password for the user, which will be used to log in.
You will need to click the Reset Password button to apply your changes.
Finally, click on the Attributes tab and add three attributes.
Cloud CMS supports mapping user attributes from SAML Assertions back into the Cloud CMS user object. It also supports group mappings to auto-sync project and team memberships, but we'll leave that for another time.
We now want to tell Keycloak to hand back these three attributes (
name) as part of the SAML 2.0 assertion response. That way, Cloud CMS will learn about these properties when a user successfully logs in and can use them to automatically keep the Cloud CMS user account in sync.
Go to your myapp Client by clicking on Clients on the left-hand menu bar. Then click on
Click on the Mappers tab.
Click on the Create button on the right side of the Mappers tab to start creating a mapper.
An example of creating a Mapper "First Name" is:
In a new browser window, log in to the Cloud CMS user interface. Click on Manage Platform and then pick SSO on the left-hand menu. Select SAML 2.0 from the radio button list, and then fill out the form.
The following is required:
SAML URL should be
This may vary depending on your installation of Keycloak (port, etc).
SAML Issuer should match the Keycloak Client ID of
Save your changes and log out.
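Putting the Keycloak client settings above (Sign Documents, Include AuthnStatement) together with the Cloud CMS SAML Issuer / Client ID pairing, here is an added example that is not Cloud CMS or Keycloak code: a Python check that inspects a Keycloak-style SAML 2.0 Response for those properties and pulls out the attributes the mappers hand back. The sample response, the realm URL keycloak.example.test, the attribute names and SAMPLE_NOW are constructed placeholders; the check is structural only and leaves cryptographic signature verification to an XML-DSig library.

```python
# Added example, not Cloud CMS or Keycloak code: structural pre-checks on a Keycloak-style
# SAML 2.0 Response. The sample is constructed; realm URL, attribute names and values are placeholders.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_r1" Version="2.0">
 <saml:Assertion ID="ID_a1" Version="2.0">
  <saml:Issuer>http://keycloak.example.test/auth/realms/master</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">PLACEHOLDER</ds:Signature>
  <saml:Subject><saml:NameID>joesmith</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>myapp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"/>
  <saml:AttributeStatement>
   <saml:Attribute Name="firstName"><saml:AttributeValue>Joe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="lastName"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="email"><saml:AttributeValue>joe@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = datetime(2024, 1, 1, 0, 2, tzinfo=timezone.utc)  # constructed clock inside the window

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def inspect_response(xml_text, expected_audience, now):
    """Structural findings only; the ds:Signature still needs an XML-DSig library."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    cond = assertion.find("saml:Conditions", NS)
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall(".//saml:Attribute", NS)}
    return {
        "signed": assertion.find("ds:Signature", NS) is not None,  # Sign Documents
        "authn_statement": assertion.find("saml:AuthnStatement", NS) is not None,  # Include AuthnStatement
        "audience_ok": expected_audience in audiences,  # Client ID entered as SAML Issuer in Cloud CMS
        "in_window": cond is not None  # reject assertions outside NotBefore/NotOnOrAfter
        and _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "attributes": attrs,  # values the mappers hand back for user sync
    }
```

A response that fails any of the boolean findings should be rejected before the attributes are used to create or update a Cloud CMS user.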
You can now verify that Cloud CMS is configured to use SAML 2.0:
- Log out of your current Cloud CMS account
- Log back in
- While logging in again, you will be redirected to Keycloak.
- Keycloak will ask for your username and password.
- Enter joesmith and provide Joe's password.
- If the credentials match, you will be redirected back to Cloud CMS.
- Cloud CMS will automatically log you in and create your user if it doesn't yet exist.
- Proceed and be merry.