Configure Keycloak

Chris Gralike edited this page Nov 5, 2025 · 2 revisions

WIP

These instructions were extracted from registered user issues. The author does not have access to a Keycloak environment to test the instructions below. Please report any incorrect instructions by creating an issue.

Configure samlsso with Keycloak

This guide provides a step-by-step walkthrough for configuring Keycloak as an Identity Provider (IdP) for the samlsso plugin (Service Provider) in GLPI.

This guide assumes you have administrative access to both your GLPI instance and your Keycloak realm.

Overview

The configuration is a four-part process:

  1. Create IdP in samlsso - Create a new IdP configuration in GLPI to get your unique SP URLs.
  2. Configure Keycloak Client - Create a new SAML client in Keycloak using the URLs from Part 1.
  3. Fix Keycloak Mappers - Adjust Keycloak's default mappers to prevent the "duplicate attribute" error.
  4. Finalize samlsso Configuration - Enter the Keycloak details back into the samlsso plugin.

Create IdP in SAMLSSO (GLPI)

Before you can configure Keycloak, you need to know which URLs to give it. The plugin generates a unique set of Service Provider URLs for each IdP you create.

  1. In GLPI, navigate to Setup > Plugins > samlsso.
  2. Click the + icon to add a new Identity Provider.
  3. Give it a name, for example: Keycloak.
  4. Click Add.
  5. Find your new "Keycloak" configuration and click it.
  6. The new entry shows your unique Service Provider (SP) URLs (ID, ACS, Logout) in the SP tab. Important: copy these values from the config using the 'copy to clipboard' function, so that they are carried over to Keycloak exactly.
  7. We advise NOT to use the META service, because it 'leaks' important information about your setup.

Configure the Keycloak Client (identity provider)

Now, log in to your Keycloak admin console to create a new client.

Create Client

  1. Navigate to the correct Realm (e.g., master).
  2. Go to Clients and click Create client.
  3. On the "Add Client" screen:
     • Client type: SAML
     • Client ID: This must match your SP Entity ID from Part 1.
     • Name: GLPI (This is a friendly name).
  4. Click Next.

General and login settings

  1. On the client's Settings tab:
     • Home URL: https://your-glpi.com/
     • Valid redirect URIs: Add your ACS URL from Part 1.
     • Master SAML Processing URL: This must also be your ACS URL.

Security settings

  1. Still on the Settings tab, scroll down:
     • NameID format: Set this to email (or username, depending on what you use as the GLPI login field).
     • Sign documents: Set to On.
     • Sign assertions: Set to On.
  2. Click Save.

Fix Keycloak mappers

This is a very important step. Keycloak's default behaviour often sends multiple SAML attributes with the same name (e.g., email), because the dedicated client scope and the default scopes each carry a mapper for it. The onelogin/php-saml library used by the plugin correctly rejects such a response as a security risk, so the login fails with a SAML validation error in samlsso.

You must ensure that only one mapper exists for each attribute you send to GLPI.

Create dedicated mappers

  1. Go to the Client scopes tab for your new GLPI client.
  2. Click the glpi-dedicated (or similarly named) scope.
  3. Click the Mappers tab. You will now create your attribute mappings.
  4. Click Add mapper > By configuration > User Attribute.
  5. Create mappers for the attributes GLPI needs:
     • Mapper 1: username
         • Name: username
         • User Attribute: username (or sAMAccountName if using LDAP)
         • SAML Attribute Name: username
         • SAML Attribute NameFormat: Basic
     • Mapper 2: email
         • Name: email
         • User Attribute: email
         • SAML Attribute Name: email
         • SAML Attribute NameFormat: Basic
     • Repeat for lastname, firstname, etc.

Remove duplicate mappers

  1. Go back to your GLPI client's Client scopes tab.
  2. Look at the list of assigned scopes. You will see your glpi-dedicated scope, but you will also see default scopes like profile.
  3. Click on the profile scope (or any other default scope).
  4. Click its Mappers tab.
  5. You will likely see pre-configured mappers for username, email, etc. These are the duplicates.
  6. Delete any mappers here that conflict with the ones you just created in your glpi-dedicated scope.

By doing this, you guarantee that only one saml:Attribute for "email" (and "username", etc.) is sent in the SAML response, which will satisfy the plugin's security validation.
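To verify the result of the mapper clean-up before trying a login, the following added example (not part of the plugin or of this guide) parses a SAML response and reports every attribute Name that occurs more than once, mirroring the duplicate-Name check that onelogin/php-saml applies. The responses it checks are constructed, unsigned samples; a multi-valued attribute (one element with several values) is included to show that it is not a duplicate.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def find_duplicate_attributes(xml_text: str) -> dict:
    """Return {Name: count} for every saml:Attribute Name that occurs more than
    once across the AttributeStatements of a response. One Attribute element
    with several AttributeValue children is fine; two Attribute elements that
    share a Name is what php-saml rejects."""
    root = ET.fromstring(xml_text)
    counts = Counter(
        attr.get("Name")
        for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
    )
    return {name: n for name, n in counts.items() if n > 1}


def build_response(attributes) -> str:
    """Build a minimal, unsigned SAML Response from [(Name, [values...]), ...].
    Constructed test input only; a real Keycloak response is signed and larger."""
    elems = ""
    for name, values in attributes:
        vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        elems += (f'<saml:Attribute Name="{name}" '
                  'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">'
                  f"{vals}</saml:Attribute>")
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
            f"<saml:Assertion><saml:AttributeStatement>{elems}"
            "</saml:AttributeStatement></saml:Assertion></samlp:Response>")


# Before the mapper fix: the default "profile" scope and the glpi-dedicated
# scope both carry an "email" mapper, so "email" is emitted twice.
BEFORE = build_response([("username", ["jdoe"]),
                         ("email", ["jdoe@example.com"]),
                         ("email", ["jdoe@example.com"])])
# After deleting the duplicate mapper: every Name appears exactly once.
AFTER = build_response([("username", ["jdoe"]), ("email", ["jdoe@example.com"])])
# A multi-valued attribute (one element, two values) is not a duplicate.
MULTI = build_response([("username", ["jdoe"]), ("groups", ["glpi-users", "helpdesk"])])

if __name__ == "__main__":
    print("before:", find_duplicate_attributes(BEFORE))  # {'email': 2}
    print("after:", find_duplicate_attributes(AFTER))    # {}
    print("multi:", find_duplicate_attributes(MULTI))    # {}
```

To check a real response, paste the base64-decoded SAMLResponse from the browser's POST to your ACS URL into find_duplicate_attributes; an empty dict means the mapper clean-up succeeded.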

Finalize configuration (GLPI)

Get Keycloak IdP Details

  1. In your Keycloak admin console, go to Realm Settings.
  2. Click the SAML 2.0 Identity Provider Metadata link. This will open an XML file.
  3. Find and copy these three values:
     • entityID: This is your IdP Entity ID (e.g., https://keycloak.example.com/realms/master).
     • SingleSignOnService URL: The Location attribute of the SingleSignOnService element with the HTTP-Redirect binding.
     • X.509 Certificate: The large block of text inside the ds:X509Certificate tag.
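Picking these values out of the metadata by hand is error-prone (the file lists several bindings for the same service, and the certificate must be wrapped in PEM headers before it goes into the plugin). The following added example (not the plugin's own code) extracts the entityID, the HTTP-Redirect SingleSignOnService and SingleLogoutService locations, and the signing certificate as PEM; the metadata it reads is a constructed, abbreviated sample with a dummy certificate value, not output of a real realm.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed, abbreviated metadata with a dummy certificate value; a real
# file also lists NameID formats, the POST binding for logout, and more.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.example.com/realms/master">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBdummyCERTIFICATEdataXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.com/realms/master/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.com/realms/master/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.com/realms/master/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def to_pem(b64: str) -> str:
    """Wrap the bare base64 from ds:X509Certificate in BEGIN/END CERTIFICATE
    lines, 64 characters per line, which is the form the plugin field expects."""
    body = "\n".join(textwrap.wrap("".join(b64.split()), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def redirect_location(idp, service: str) -> str:
    """Location of the HTTP-Redirect binding for the named service. Keycloak
    lists a POST binding with the same URL, but the guide asks for Redirect."""
    for svc in idp.iterfind(f"md:{service}", NS):
        if svc.get("Binding") == REDIRECT:
            return svc.get("Location")
    raise ValueError(f"no HTTP-Redirect {service} in metadata")


def extract_idp_settings(metadata_xml: str) -> dict:
    """Return the values to paste into the samlsso IdP configuration."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    signing = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert = signing.find(".//ds:X509Certificate", NS).text
    return {"entity_id": root.get("entityID"),
            "sso_url": redirect_location(idp, "SingleSignOnService"),
            "slo_url": redirect_location(idp, "SingleLogoutService"),
            "certificate": to_pem(cert)}
```

Run it against the XML you downloaded from Realm Settings by replacing SAMPLE_METADATA with the file's contents; the returned dict holds exactly the fields the next section asks you to paste.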

Update samlsso Plugin

  1. Go back to GLPI: Setup > Plugins > samlsso.
  2. Click on your Keycloak IdP configuration to edit it.
  3. Under the Identity Provider (IdP) Configuration tab:
     • IdP Entity ID: Paste the entityID from Keycloak.
     • Single Sign-On Service (SSO) URL: Paste the SingleSignOnService URL from Keycloak.
     • Single Sign Off Service (SLO) URL: Paste the SingleLogoutService URL from the Keycloak metadata.
     • x.509 Certificate: Paste the certificate data, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- header lines.
  4. Under the General tab:
     • Check 'Enable Identity Provider'.
  5. Click Save.

Test the Login

Log out of GLPI. On your GLPI login page, you should now see a "Login with Keycloak" (or similar) button. Click it to test the full SAML authentication flow.