Keycloak is an open source identity and access management solution built by JBoss. Need a Keycloak lab environment for testing? An example is available here.
Create the SAML client
In Keycloak, select “Clients” in the navigation bar and create a new client.
Configure the SAML client
Set the Client ID to the Access callback URL. The format will resemble the following URL; replace the <auth_domain> value with your organization’s authentication domain.
Next, set the valid redirect URI to the Keycloak domain that you are using. For example,
Set the Master SAML Processing URL using the same Keycloak domain:
Finally, if you wish to enable client signatures, you will need to configure signing in the Cloudflare Access dashboard.
Set the built-in protocol mapper for the
Integrate with Cloudflare Access
You will need to input the Keycloak details manually. Replace the example values below with the specific domains in use with your Keycloak and Cloudflare Access deployments.
Single Sign-On URL:
IdP Entity ID or Issuer URL:
Signing certificate: Use the X509 Certificate in the Realm Settings from Keycloak
Save and Test
Click “Save” and then confirm the connection is working by clicking “Test”.
Keycloak can be configured to pass on custom SAML attributes for consumption by Access policies, for example to build a role-based access policy.
In Keycloak, add the role list inside of the “Builtin Protocol Mapper” tab.
In Cloudflare Access, add Role as a SAML attribute. Click “Save” and test the connection.
Build a policy
In Access, build a policy to use a SAML attribute. In this example, use “Role”.
Keycloak: “We are sorry… Invalid requester”
Solution: Disable “Client Signature Required” in Client Settings.
Access Test: Response uses a certificate that is not configured.
Solution: Use the X509 Certificate from the Realm Settings rather than the one from Client Settings.
Access Test: Successful but the email property is empty.
Solution: Configure the protocol mapper in Keycloak’s SAML Client so that the email attribute is included in the assertion.
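The three failures above all show up in the SAML response Keycloak sends to Access. As an added example (not code from Cloudflare or Keycloak), the following Python checker parses a constructed SAML response and reports an issuer mismatch, a signing certificate that is not the configured realm certificate, or a missing/empty email or Role attribute; the XML, issuer URL and certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample response; not a real Keycloak capture. The certificate
# text is a placeholder, not a real X.509 blob.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml2:Issuer>https://keycloak.example.com/realms/master</saml2:Issuer>
  <saml2:Assertion>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-REALM-CERT-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="email">
        <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="Role">
        <saml2:AttributeValue>admin</saml2:AttributeValue>
        <saml2:AttributeValue>developer</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def parse_response(xml_text):
    """Return (issuer, signing certificates, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml2:Issuer", namespaces=NS)
    # Normalise certificate text so wrapped base64 compares equal to unwrapped.
    certs = ["".join((c.text or "").split()) for c in root.iter("{%s}X509Certificate" % NS["ds"])]
    attrs = {}
    for attr in root.iter("{%s}Attribute" % NS["saml2"]):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
    return issuer, certs, attrs


def check_response(xml_text, expected_issuer, realm_cert, required=("email", "Role")):
    """Return findings mirroring the troubleshooting cases; empty list means OK."""
    issuer, certs, attrs = parse_response(xml_text)
    findings = []
    if issuer != expected_issuer:
        findings.append("issuer %r does not match the configured IdP Entity ID" % issuer)
    if "".join(realm_cert.split()) not in certs:
        findings.append("response is signed with a certificate that is not the configured realm certificate")
    for name in required:
        if not any(v.strip() for v in attrs.get(name, [])):
            findings.append("attribute %r missing or empty: check the SAML client's protocol mappers" % name)
    return findings
```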