Read below to learn how to configure Keycloak for the Flexopus setup.
Step 1: Set up SSO
- Create a new Client
Clients > Create
- Add a SAML2 app to Flexopus.
Create a new SAML2 connection: Admin Dashboard > Settings > Authentication > Add Provider. You can link several identity providers to Flexopus via SAML2. We already provide separate URLs for each provider:
- Metadata File
- Metadata URL
- Entity ID
- Callback (ACS) URL.
- Download the Metadata File from Flexopus:
Upload this metadata file to Keycloak.
The Client ID and Client Protocol fields are filled in automatically.
Save your entries.
- You do not need to make any changes to the default settings.
- Click on the Mappers tab and then on the "Add Builtin" button.
- Select the following options to have the "Default Mappers" applied:
X500 Email, X500 givenname, X500 surname
- Add a new Mapper:
- The result should look like this:
- (Optional) You can also synchronize the Department and Job Title attributes if they exist as text fields in the system.
- In your Flexopus instance you can now store the following URL at METADATA URL:
- Go to the Flexopus Dashboard. Select Settings > Authentication > Add provider > SAML2 App.
Activate the SAML2 SSO
Select Metadata URL.
Enter the metadata URL from Keycloak here.
SAML2 login label: SSO login
Synchronize groups: Deactivated
Do not forget to save the settings.
- Now you can test the connection by logging out of Flexopus and logging in using the new login button.
Step 2: Set up group synchronisation with SAML2 attributes
- Read the following instructions: https://help.flexopus.com/en/group-synchronisation-through-saml2
- Add a new Mapper: memberOf
- The result should look like this:
- In Flexopus, select the "Array" option for SAML2 group synchronization:
- Log in again and then check whether the groups have been transferred.
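To confirm that the mappers from Step 1 and Step 2 are applied, you can inspect the AttributeStatement of a decoded SAML response from a test login; the following Python script is an added example, not Flexopus or Keycloak code. It assumes the built-in X500 mappers keep their default urn:oid attribute names, and the sample input with its user and group values is constructed.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Default names emitted by Keycloak's built-in X500 mappers (assumed unchanged).
REQUIRED = {
    "urn:oid:1.2.840.113549.1.9.1": "X500 email",
    "urn:oid:2.5.4.42": "X500 givenName",
    "urn:oid:2.5.4.4": "X500 surname",
}
GROUP_ATTR = "memberOf"  # mapper added in Step 2

# Constructed sample of a decoded AttributeStatement (not real user data).
SAMPLE = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1">
    <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.42">
    <saml:AttributeValue>Jane</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.4">
    <saml:AttributeValue>Doe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="memberOf">
    <saml:AttributeValue>/staff</saml:AttributeValue>
    <saml:AttributeValue>/facility-managers</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def read_attributes(xml_text):
    """Return {attribute name: [values]} for every SAML Attribute found."""
    # Constructed input only; use a hardened parser (e.g. defusedxml) for real responses.
    attrs = {}
    for attr in ET.fromstring(xml_text).iter(SAML + "Attribute"):
        values = [(v.text or "").strip() for v in attr.iter(SAML + "AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs

def check_mapping(xml_text):
    """Return (problems, groups); an empty problems list means all mappers fired."""
    attrs = read_attributes(xml_text)
    problems = [f"missing {label} ({name})"
                for name, label in REQUIRED.items() if not attrs.get(name)]
    groups = attrs.get(GROUP_ATTR, [])
    if not groups:
        problems.append(f"no {GROUP_ATTR} values: group mapper missing or user has no groups")
    return problems, groups

if __name__ == "__main__":
    print(check_mapping(SAMPLE))
```

The script checks attribute layout only; it does not validate the response signature.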
If you have any questions you can contact us at any time: support@flexopus.com