Description
This article describes how to configure SAML SSO for administrator login with Keycloak acting as SAML IdP. It assumes that a realm is already configured in Keycloak.
Scope
FortiManager/FortiAnalyzer
Solution
1) In Keycloak, go to the 'Keys' tab of the Realm Settings and download the default RSA certificate used for signing the IdP responses.
2) Copy this certificate to a text editor and add:
-----BEGIN CERTIFICATE-----
<certificate copied from the Keycloak Realm>
-----END CERTIFICATE-----
Then save it as a .cer file.
3) In FortiManager/FortiAnalyzer, import the .cer file under 'Remote Certificates'.
Alternatively, the remote certificate can be created directly in the CLI.
4) In FortiManager/FortiAnalyzer, configure SAML SSO in SP mode and verify that the 'SP Address' is configured correctly. It must be either an IP address or an FQDN (a host name alone will not work) that the end SSO users can reach.
5) Set IdP Settings to Custom, select the imported certificate, configure the IdP URLs and Apply.
For example:
IdP Entity ID: http://<keycloak_address>/auth/realms/ssolab
IdP Login URL: http://<keycloak_address>/auth/realms/ssolab/protocol/saml
IdP Logout URL: http://<keycloak_address>/auth/realms/ssolab/protocol/saml
6) After the settings are applied, the View SP Metadata button will become available.
7) Select the View SP Metadata option to open the metadata XML and copy/download it to file.
8) In Keycloak, create a new client and import the FortiManager/FortiAnalyzer metadata XML file, then Save.
This will automatically populate the URLs in the Keycloak client settings.
9) Once the client is created, scroll down in 'Settings' and disable 'Client Signature Required'.
At present, FortiManager/FortiAnalyzer do not sign the requests.
10) In Keycloak Client configuration, go to the Client Scopes tab and remove the default 'role_list' from Assigned Default Client Scopes.
NOTE: If the default 'role_list' is not removed, Keycloak may include many default 'Role' attributes in the <saml:AttributeStatement>, which can potentially cause FortiManager/FortiAnalyzer to return a 'Web Server Error 500' in response to the SAML assertion.
11) Still in the Client configuration, go to the 'Mappers' tab and select Create.
12) In the next Create Protocol Mapper menu, create a 'username' attribute mapper as in the example below.
(Note that 'username' in the SAML Attribute Name field must be in lowercase.)
When done, the Mappers tab should look like this:
This is how the attribute statement should look in the assertion after a user is authenticated on Keycloak:
<saml:AttributeStatement>
    <saml:Attribute
        FriendlyName="username"
        Name="username"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">ssouser1
        </saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>
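As an added troubleshooting aid (not part of the original article and not Fortinet or Keycloak code), the following Python check parses an assertion's AttributeStatement and flags the two conditions steps 10 and 12 call out: a 'username' attribute that is missing or not lowercase, and leftover 'Role' attributes from the 'role_list' scope. The sample assertion is constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, shaped like the Keycloak output shown above, in
# which 'role_list' was NOT removed, so a default 'Role' attribute is present.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="username" Name="username"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>ssouser1
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Role"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>offline_access</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_attribute_statement(xml_text):
    """Return {'username': str|None, 'role_attribute_count': int, 'problems': [str]}
    describing whether the AttributeStatement matches steps 10-12."""
    root = ET.fromstring(xml_text)
    attrs = {}  # SAML attribute Name -> list of its values
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)

    problems = []
    # Step 12: the attribute name must be exactly 'username', in lowercase.
    wrong_case = [n for n in attrs if n.lower() == "username" and n != "username"]
    if wrong_case:
        problems.append("username attribute not lowercase: %s" % wrong_case)
    usernames = attrs.get("username", [])
    if len(usernames) != 1:
        problems.append("expected exactly one 'username' value, got %d" % len(usernames))
    # Step 10: a leftover 'role_list' client scope shows up as 'Role' attributes,
    # which the article warns can trigger a 'Web Server Error 500'.
    role_count = len(attrs.get("Role", []))
    if role_count:
        problems.append("%d 'Role' attribute(s) present; remove the 'role_list' scope" % role_count)
    return {"username": usernames[0] if usernames else None,
            "role_attribute_count": role_count, "problems": problems}
```

Paste the decoded SAMLResponse from a browser SAML tracer into check_attribute_statement() to confirm the Keycloak client is emitting only what FortiManager/FortiAnalyzer expects.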
13) (OPTIONAL) If IdP-initiated SSO is required, also configure the FortiManager/FortiAnalyzer 'SP ACS (Login) URL' as the 'IDP Initiated SSO URL Name' in the Keycloak Client Settings.
Keycloak will then generate a target URL that can be used to skip the default FortiManager/FortiAnalyzer login prompt instead of selecting the 'Login with SSO' button every time.
Copyright 2024 Fortinet, Inc. All Rights Reserved.