Set up Keycloack with Access
Create the SAML client
In Keycloack, select "Clients" in the navigation bar and create a new client.
Configure the SAML client
Set the Client AD as the Access callback URL. The format will resemble the following URL; replace the
<auth_domain>value with your organization's authentication domain.
Next, set the valid redirect URI to the Keycloak domain that you are using. For example,
Set the Master SAML Processing URL using the same Keycloak domain:
Set the built-in protocol mapper for the
Integrate with Cloudflare Access
You will need to input the Keycloak details manually. The examples below should be replaced with the specific domains in use with Keycloak and Cloudflare Access.
Single Sign-On URL:
https://<keycloak_domain>/auth/realms/master/protocol/samlIdP Entity ID or Issuer URL:
https://<unique_id>.cloudflareaccess.com/cdn-cgi/access/callbackSigning certificate: Use the X509 Certificate in the Realm Settings from Keycloak
Save and Test
Click "Save" and then confirm the connection is working by clicking "Test".
Optional: Custom SAML Attributes
Keycloak can be configured to pass on custom SAML attributes for consumption by Access Policy. For example, role-based access policy.
In Keycloak, add the
role listinside of the "Builtin Protocol Mapper" tab.
In Cloudflare Access, add
Roleas a SAML attribute. Click "Save" and test the connection.
Build a policy
In Access, build a policy to use a SAML attribute. In this example, use "Role".
Keycloak: We are sorry... Invalid requester
Solution: Disable "Client Signature Required " in Client Settings
Access Test: Response uses a certificate that is not configured. Solution: Use the X509 Certificate in the Realm Settings rather than from Client Setting.
Access Test: Successful bu email property is empty
Solution: Solution: Configure the protocol mapper in Keycoak's SAML Client.