Developing or debugging SAML functionality can be a hassle, especially when you need to go back and forth with someone external who is managing the identity provider (IDP).
But you can set up a local Keycloak server to act as your IdP to play around with. This might seem intimidating, but it is actually quite simple when using Docker and turning off some verification steps (do this only for a local throwaway IdP; the same switches disable real security checks on a production one).
mkdir -p keycloak_data && docker run --network=host -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin --volume "$PWD/keycloak_data":/opt/keycloak/data/h2/ quay.io/keycloak/keycloak:24.0.2 start-dev
The database of the server (the H2 database Keycloak uses in dev mode) is persistent and stored in keycloak_data, which is mounted with an absolute path because older Docker versions reject relative bind-mount paths. You can stop the container and restart it without losing your configuration.
You can access the admin UI at http://localhost:8080/admin/. The default login is admin/admin (from the docker command).
The IdP metadata can be found at http://localhost:8080/realms/master/protocol/saml/descriptor or under Realm Settings -> General -> Endpoints (the SAML 2.0 Identity Provider Metadata link). This is where your app gets the IdP entity ID, the SSO URL and the signing certificate.
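To see what your app actually needs out of that metadata, here is an added example (not from the original page, and not Keycloak's or Devise's own code) that parses an IdP metadata document and pulls out the entity ID, the HTTP-Redirect SSO and SLO endpoints, the WantAuthnRequestsSigned flag and the signing certificate as PEM plus a SHA-256 fingerprint. The sample metadata is constructed to mirror the layout of Keycloak's descriptor; its certificate is a throwaway self-signed one generated on the fly, not a real realm key.

```ruby
require 'rexml/document'
require 'openssl'

# XML namespaces used in SAML 2.0 metadata.
MD_NS = {
  'md' => 'urn:oasis:names:tc:SAML:2.0:metadata',
  'ds' => 'http://www.w3.org/2000/09/xmldsig#'
}.freeze
REDIRECT_BINDING = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

# Extract what the service provider (the Devise side) needs from the IdP
# metadata. Raises on a document that cannot be used as an IdP.
def parse_idp_metadata(xml)
  doc = REXML::Document.new(xml)
  entity = REXML::XPath.first(doc, '//md:EntityDescriptor', MD_NS)
  raise 'metadata has no EntityDescriptor' unless entity
  idp = REXML::XPath.first(entity, 'md:IDPSSODescriptor', MD_NS)
  raise 'EntityDescriptor has no IDPSSODescriptor (not an IdP)' unless idp

  sso = REXML::XPath.first(idp, "md:SingleSignOnService[@Binding='#{REDIRECT_BINDING}']", MD_NS)
  slo = REXML::XPath.first(idp, "md:SingleLogoutService[@Binding='#{REDIRECT_BINDING}']", MD_NS)
  raise 'no HTTP-Redirect SingleSignOnService' unless sso

  b64 = REXML::XPath.first(idp, "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD_NS)&.text
  raise 'no signing certificate in metadata' unless b64
  der = b64.delete(" \r\n\t").unpack1('m')
  cert = OpenSSL::X509::Certificate.new(der) # raises if the blob is not a certificate

  {
    entity_id: entity.attributes['entityID'],
    sso_url: sso.attributes['Location'],
    slo_url: slo ? slo.attributes['Location'] : nil,
    # true means the IdP expects signed AuthnRequests (Keycloak: "Client signature required")
    wants_signed_requests: idp.attributes['WantAuthnRequestsSigned'] == 'true',
    cert_pem: cert.to_pem,
    cert_sha256: OpenSSL::Digest::SHA256.hexdigest(der), # pin this, do not refetch per login
    cert_expired: cert.not_after < Time.now
  }
end

# Throwaway self-signed certificate so the constructed sample below parses.
def throwaway_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=master')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed sample, modeled on what Keycloak serves at
# /realms/master/protocol/saml/descriptor (hypothetical values).
SAMPLE_CERT_B64 = [throwaway_cert.to_der].pack('m0')
SAMPLE_METADATA = <<~XML
  <md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
    <md:EntityDescriptor entityID="http://localhost:8080/realms/master">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo><ds:X509Data><ds:X509Certificate>#{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="http://localhost:8080/realms/master/protocol/saml"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="http://localhost:8080/realms/master/protocol/saml"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="http://localhost:8080/realms/master/protocol/saml"/>
      </md:IDPSSODescriptor>
    </md:EntityDescriptor>
  </md:EntitiesDescriptor>
XML

if $PROGRAM_NAME == __FILE__
  parse_idp_metadata(SAMPLE_METADATA).each { |k, v| puts "#{k}: #{v.to_s.lines.first.chomp}" }
end
```

Against the running container, feed the real descriptor (curl http://localhost:8080/realms/master/protocol/saml/descriptor) to parse_idp_metadata instead of the sample. Locally, fetching over plain http://localhost is fine; against a remote IdP, fetch the metadata once over HTTPS and pin the certificate or its fingerprint in the app rather than trusting whatever a later fetch returns.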
Clients -> Create client: set Client type to SAML. The Client ID is the issuer (the SP entity ID) from the Devise SAML settings. For Valid redirect URIs you can put * or the real URL of your app (* is acceptable for a local throwaway IdP only; a real IdP should list the exact assertion consumer URL, otherwise responses can be delivered to any endpoint). Under Keys -> Signing keys config you can turn off "Client signature required", or place the keys into your app so Keycloak can verify your signed requests. Now the basic auth flow should already work.
You can try to sign in through your app. There will likely be no Keycloak login prompt, just a redirect, because you are already signed in as admin (the admin console session lives in the master realm, the same realm the client was created in). But your app will likely require at least some SAML attributes to be present, so the login will still fail.
To supply the attributes your app requires for a login, add mappers to the client:
Clients -> <your client> -> Client scopes -> Dedicated scope and mappers for this client -> Mappers -> Configure a new mapper -> User Attribute: select an attribute of the user and make sure to fill in the SAML Attribute Name exactly as your app expects it (for the built-in fields email, firstName, lastName and username use the User Property mapper instead). A Hardcoded attribute mapper might be all you need when every test login may carry the same value.
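When the login still fails, the fastest check is to look at what Keycloak actually sent and compare it with the attribute names your app expects. The following is an added example (not from the page, and not devise_saml_authenticatable's own parsing) that decodes the base64 SAMLResponse form parameter posted to your app, lists the assertion's attributes by SAML Attribute Name, and reports which required names are missing. REQUIRED_ATTRIBUTES and the sample response are constructed assumptions; the sample deliberately has mappers for email and firstName only, so lastName shows up as missing. It does not verify the XML signature and must not be used as an authentication decision.

```ruby
require 'rexml/document'

SAML_NS = {
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
  'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion'
}.freeze
SAML_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success'

# Hypothetical: the SAML attribute names the app's attribute map expects.
REQUIRED_ATTRIBUTES = %w[email firstName lastName].freeze

# The SAMLResponse form parameter is base64 of the Response XML.
def decode_saml_response(param)
  param.delete(" \r\n\t").unpack1('m')
end

# Return the status, the NameID and { attribute_name => [values] } from the
# assertion's AttributeStatement. Debugging aid only: no signature check.
def saml_attributes(xml)
  doc = REXML::Document.new(xml)
  status = REXML::XPath.first(doc, '//samlp:Status/samlp:StatusCode', SAML_NS)
  assertion = REXML::XPath.first(doc, '//saml:Assertion', SAML_NS)
  raise 'response contains no Assertion' unless assertion

  attrs = {}
  REXML::XPath.each(assertion, 'saml:AttributeStatement/saml:Attribute', SAML_NS) do |a|
    name = a.attributes['Name'] # must match the mapper's "SAML Attribute Name"
    REXML::XPath.each(a, 'saml:AttributeValue', SAML_NS) { |v| (attrs[name] ||= []) << v.text.to_s }
  end
  name_id = REXML::XPath.first(assertion, 'saml:Subject/saml:NameID', SAML_NS)
  {
    success: status ? status.attributes['Value'] == SAML_SUCCESS : false,
    name_id: name_id&.text,
    attributes: attrs
  }
end

# Required attribute names that are absent or carry only blank values.
# An empty result means the mapper configuration covers what the app needs.
def missing_attributes(attrs, required = REQUIRED_ATTRIBUTES)
  required.reject { |n| attrs.fetch(n, []).any? { |v| !v.strip.empty? } }
end

# Constructed sample: an unsigned Response in the shape Keycloak POSTs to the
# app's ACS URL (hypothetical URLs and values).
SAMPLE_RESPONSE_XML = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="ID_1" Version="2.0" IssueInstant="2024-04-01T12:00:00Z"
      Destination="http://localhost:3000/users/saml/auth">
    <saml:Issuer>http://localhost:8080/realms/master</saml:Issuer>
    <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    <saml:Assertion ID="ID_2" Version="2.0" IssueInstant="2024-04-01T12:00:00Z">
      <saml:Issuer>http://localhost:8080/realms/master</saml:Issuer>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">admin</saml:NameID>
      </saml:Subject>
      <saml:AttributeStatement>
        <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
          <saml:AttributeValue>admin@example.com</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
          <saml:AttributeValue>Admin</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </samlp:Response>
XML
SAMPLE_SAML_RESPONSE_PARAM = [SAMPLE_RESPONSE_XML].pack('m0')

if $PROGRAM_NAME == __FILE__
  result = saml_attributes(decode_saml_response(SAMPLE_SAML_RESPONSE_PARAM))
  puts "status ok: #{result[:success]}, NameID: #{result[:name_id]}"
  result[:attributes].each { |name, values| puts "  #{name} = #{values.join(', ')}" }
  puts "missing: #{missing_attributes(result[:attributes]).inspect}"
end
```

Take the SAMLResponse value from the browser's network tab (the form POST to your app's SAML endpoint), pass it to decode_saml_response, and compare the listed names with your app's attribute map; a name that differs by case or spelling from the mapper's SAML Attribute Name is the usual reason the login still fails after the mapper was added.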