Connecting to a SAML provider
You can connect Keycloak to a Security Assertion Markup Language (SAML) provider. For more information, see SAML v2.0 identity providers in the Red Hat documentation.
Adding users
Connect to a SAML identity provider by adding an identity provider to the Keycloak realm.
Log in to the Platform UI as a user with identity provider management permissions. For more information, see Cloud Pak roles and permissions.
Click the Navigation Menu icon next to IBM Cloud Pak for Integration in the banner, then click Administration > Access control. The Keycloak access control console opens.
In the navigation pane, click Identity providers.
Select SAML, or if you have already created a provider, select the provider that you want to edit.
Enter your SAML settings. To import configuration from a file, disable the Use entity descriptor setting first.
Important: When configuring Keycloak, if you are using API Connect cluster instances and are upgrading to Cloud Pak for Integration 16.1.1, make sure to enter exactly the usernames from the identity provider that were used with the previous identity and management system. Ensure that your Principal type is set to Subject NameID in your SAML configuration in Keycloak.
(Optional) To keep user data in Keycloak up to date with the SAML provider each time a user logs in, set the Sync mode to Force.
Click Save.
Users are added to the Keycloak database when they first log in to Cloud Pak for Integration.
Mapping groups and roles
You can add identity provider users to Keycloak groups based on attributes provided by the identity provider. For more information about Keycloak groups, see Managing users in Keycloak.
Log in to the Platform UI as a user with identity provider management permissions. For more information, see Cloud Pak roles and permissions.
Click the Navigation Menu icon next to IBM Cloud Pak for Integration in the banner, then click Administration > Access control. The Keycloak access control console opens.
In the navigation pane, click Identity providers.
Select the provider that you want to edit.
Click the Mappers tab.
Click Add Mapper.
Enter a name (for example, groups).
Select the Advanced Attribute to Group type.
Enter the attribute and value that identify the user as a member of the group.
Select the group to which the user should be added.
Click Save.
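As an added illustration (not IBM's or Keycloak's code), the following Python shows what a mapper like the one configured above decides for a single login: it parses a constructed SAML assertion, reads the Subject NameID and the attributes by Name or FriendlyName, and grants a group only when every configured attribute/value pair is present in the assertion, compared exactly or as a whole-value regular expression. The sample assertion, the mapper dictionaries and their `regex` key are assumptions made for this example; the authoritative matching rules are Keycloak's own.

```python
import re
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion (not captured from a real identity provider): a Subject
# NameID, a multi-valued "groups" attribute and an attribute that also has a FriendlyName.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>cp4i-admins</saml:AttributeValue>
      <saml:AttributeValue>developers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department" FriendlyName="dept">
      <saml:AttributeValue>integration</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# Constructed mapper configurations, one per "Advanced Attribute to Group" mapper. Every
# listed attribute/value pair must match; "regex" stands in for the mapper's regex option.
MAPPERS = [
    {"group": "/cp4i-admins", "attributes": {"groups": "cp4i-admins", "dept": "integration"}},
    {"group": "/developers", "attributes": {"groups": "dev.*"}, "regex": True},
]

def parse_assertion(xml_text):
    """Return (NameID, {attribute Name or FriendlyName: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)  # signature/issuer checks are assumed to have passed already
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        for key in (attr.get("Name"), attr.get("FriendlyName")):
            if key:
                attrs.setdefault(key, []).extend(values)
    return name_id, attrs

def mapped_group(attrs, mapper):
    """Return the mapper's group path if every configured pair is satisfied, else None."""
    for key, expected in mapper["attributes"].items():
        values = attrs.get(key, [])
        if mapper.get("regex"):
            matched = any(re.fullmatch(expected, v) for v in values)  # whole-value match
        else:
            matched = expected in values  # exact, case-sensitive comparison
        if not matched:
            return None
    return mapper["group"]
```

With Sync mode set to Force, this decision is taken again at every login, so a user whose attribute no longer matches stops being placed in the group.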