
Debug SAML in development using a local keycloak server

Martin Schaflitzl
April 09, 2024
Software engineer at makandra GmbH

Developing or debugging SAML functionality can be a hassle, especially when you need to go back and forth with someone external who is managing the identity provider (IDP).
But you can set up a local keycloak server to act as your IDP to play around with. This might seem intimidating, but it is actually quite simple when using docker and turning off some verification steps.

1. Start a keycloak instance using docker


mkdir -p keycloak_data && docker run --network=host -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin --volume ./keycloak_data:/opt/keycloak/data/h2/ quay.io/keycloak/keycloak:24.0.2 start-dev
The database of the server is persistent and stored in keycloak_data. You can stop the container and restart it without losing your configuration.
You can access the UI at http://localhost:8080/admin/. The default login is admin/admin (from the docker command).

2. Download the IDP metadata and install it in your app

The metadata can be found at http://localhost:8080/realms/master/protocol/saml/descriptor or under Realm Settings -> General -> Endpoints.

3. Add your app as a client

  • Go to Clients -> Create client
  • Select SAML for the Client Type
  • The Client ID is the issuer from the Devise SAML settings.
  • For Valid redirect URLs you can put * or the real URL of your app.
  • You can disable client signing under Keys -> Signing keys config or place the keys into your app.

Now the basic auth flow should already work.
You can try to sign in through your app. There will likely be no keycloak login prompt, just a redirect, because you are already signed in as admin. But your app will likely require at least some SAML attributes to be present, so the login should still fail.


4. Adding SAML attributes to the login response

Your app will require some attributes to allow a login.

  • Edit your admin user and give it an email, first name and last name.
  • Create mappers for SAML attributes: go to Clients -> <your client> -> Client scopes -> Dedicated scope and mappers for this client.
    For example, to map user attributes, go to Mappers -> Configure a new mapper -> User Attribute, select an attribute of the user and make sure to fill in the SAML Attribute Name.
    For development, the Hardcoded attribute mapper might be all you need.
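
To see which attributes Keycloak actually sends while you adjust the mappers from step 4, you can decode the SAMLResponse form field that your app receives. The following Ruby helper is an added example, not code from the original card; the sample response, the issuer URL and the required attribute names (first_name, last_name) are constructed assumptions, and it only inspects the response without verifying its signature.

```ruby
require 'rexml/document'

# Namespace URIs from the SAML 2.0 and XML Signature specifications.
NS = {
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
  'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion',
  'ds'    => 'http://www.w3.org/2000/09/xmldsig#'
}.freeze

# Decodes the Base64 SAMLResponse form field (HTTP-POST binding) and
# summarises it. Inspection only: the signature is not verified here.
def inspect_saml_response(b64)
  doc = REXML::Document.new(b64.unpack1('m').force_encoding('UTF-8')) # 'm' = Base64
  text = ->(path) { REXML::XPath.first(doc, path, NS)&.text&.strip }
  status = REXML::XPath.first(doc, '//samlp:StatusCode', NS)
  attributes = {}
  REXML::XPath.each(doc, '//saml:AttributeStatement/saml:Attribute', NS) do |attr|
    values = REXML::XPath.match(attr, 'saml:AttributeValue', NS)
    attributes[attr.attributes['Name']] = values.map { |v| v.text.to_s }
  end
  { issuer: text.call('/samlp:Response/saml:Issuer'),
    status: status && status.attributes['Value'],
    name_id: text.call('//saml:Subject/saml:NameID'),
    signed: !REXML::XPath.first(doc, '//ds:Signature', NS).nil?,
    attributes: attributes }
end

# Attribute names the app needs that the response lacks (the mapper gap in step 4).
def missing_attributes(summary, required)
  required - summary[:attributes].keys
end

# Constructed sample response (not captured from a real Keycloak); the issuer
# URL and attribute names are assumptions for illustration.
SAMPLE_XML = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>http://localhost:8080/realms/master</saml:Issuer>
    <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    <saml:Assertion>
      <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
      <saml:AttributeStatement>
        <saml:Attribute Name="email"><saml:AttributeValue>admin@example.test</saml:AttributeValue></saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </samlp:Response>
XML
SAMPLE_B64 = [SAMPLE_XML].pack('m0')
p missing_attributes(inspect_saml_response(SAMPLE_B64), %w[email first_name last_name])
```

Paste the SAMLResponse value from your browser's network tab (or your app's request log) in place of SAMPLE_B64 to check a real login attempt against the attribute names your app expects.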
Posted by Martin Schaflitzl to makandra dev (2024-04-09 14:19)