How to Configure Workspace ONE Access using RH-SSO (aka Keycloak) as SAML IDP


There are plenty of use cases in which you configure AuthN and AuthZ using Workspace ONE Access, and sometimes a special setting is needed to address a specific case. A customer of mine needed to move to Red Hat SSO (RH-SSO), or Keycloak, the open source identity and access management solution I was using when I created this blog entry.

Here is the AuthN flow used in this scenario:

Source: Created by the Author

Steps:

  1. User hits the Workspace ONE Access portal URL
  2. HTTP redirect to the configured SAML IDP
  3. AuthN is done using the IDP defaults (LDAP, MFA, etc.) and the SAML Response is sent back to Workspace ONE Access
  4. AuthZ is handled by Workspace ONE Access and the customer accesses the portal

So let’s check how to set this up:

Requirements:

  • Workspace ONE Access
    • Configured with Active Directory domain
    • Users / Groups synchronized using Workspace ONE Access Connector
  • RH-SSO / Keycloak
    • Realm properly configured
    • User Federation configured with your Active Directory domain

Download Your Workspace ONE Access Service Provider XML

Although you can configure it manually, we will use the XML metadata file to make this configuration smoother. Access your Workspace ONE Access environment and follow the steps below:

  1. Click on Resources
  2. Click on Web Apps
  3. Click on Settings

Source: Screenshot from my lab

  4. Select SAML Metadata, right click on Service Provider (SP) metadata and choose Save Link as…

Source: Screenshot from my lab

Save it as SP.XML in your Desktop or Downloads folder; it will be used later.

Source: SP.xml file saved into my computer

Let’s Start with RH-SSO / Keycloak Configuration

First and foremost, we need to select the right REALM, so log into your Administrative Console and select your Realm.

Select the REALM you need to configure

Source: Screenshot from my lab

Create a new CLIENT entry pointing to your Workspace ONE Access environment

Source: Screenshot from my lab

Click on Create

Source: Screenshot from my lab

Click on Import and select the SP.XML file we downloaded in the previous steps.

Note: You don't need to switch the client protocol to SAML manually; it is set automatically once the file is read.

Source: Screenshot from my lab

After selecting the SP.XML file, the following configuration will be set.

Source: Screenshot from my lab

Right after you click on Save, more configuration will be presented. We need to change a few things to make it work perfectly:

Source: Screenshot from my lab

Let's keep the default configuration and change only the following item: Client Signature Required ==> OFF. This switch controls whether Keycloak requires, and validates, a signature on the SAML requests it receives from this client; with it OFF, the AuthnRequests coming from Workspace ONE Access are accepted unsigned.

Source: Screenshot from my lab

After that, scroll down and SAVE it.

Download RH-SSO / Keycloak SAML Endpoint Configuration

Now it’s time to get all RH-SSO / Keycloak configurations to be used into Workspace ONE Access.

On the Administration Console (http://YOUR_SERVER:8080/auth/), click on Realm Settings and, under the General tab, select SAML 2.0 Identity Provider Metadata.

Source: Screenshot from my lab

The following tab will open with all XML settings we will need to import into Workspace ONE Access. Leave it open (or save it on your computer as well).

Source: Screenshot from my lab

Configure Workspace ONE Access with a New SAML IDP

Now it’s time to add a new SAML IDP into Workspace ONE Access.

Go to Integrations, Identity Providers.

Source: Screenshot from my lab

Click on Add Identity Provider and select Create SAML IDP.

Source: Screenshot from my lab

Give your SAML IDP a name to make it easy for you to select it afterwards. In my case Keycloak.

Source: Screenshot from my lab

Now it's time to copy all the content from the SAML 2.0 Identity Provider Metadata (RH-SSO / Keycloak). (Remember we left this tab open?)

Note: If you saved it to your computer, just open it in a text editor and copy all of its content for the following steps.

Source: Screenshot from my lab

Paste it into the SAML Metadata field and click on Process IdP Metadata.

Source: Screenshot from my lab

You'll notice Name ID Format and Name ID Value were populated accordingly.

Source: Screenshot from my lab

Change Name ID Policy in SAML Request to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Source: Screenshot from my lab

Select your Domain

Source: Screenshot from my lab

Select Network Range properly

Source: Screenshot from my lab

Add a name to identify your Authentication Method (e.g. Keycloak-Password). This will be used afterwards in the Policy definition.

Select urn:oasis:names:tc:SAML:2.0:ac:classes:Password as the SAML Context.

Source: Screenshot from my lab

After all that, click the SAVE button.

Source: Screenshot from my lab

Configure Policies

Now that you have your Identity Provider properly set, it’s time to configure your Policy to use this AuthN Method as desired.

Click on Resources, Policies and let’s Edit your Default Policy (or the policy you would like to use on your environment):

Source: Screenshot from my lab

Go to Configuration step and click on ALL RANGES (Web Browser as Device Type).

Source: Screenshot from my lab

Select the Authentication Method name you added, to start using it as your new SAML IDP.

Source: Screenshot from my lab

Hit save and let’s test it out.

Note: Try using an Incognito Browser for testing purpose.

Testing Configuration

I created the following video to demonstrate how this integration will work.

Source: Video created by the Author
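When a test login does not land on the portal, the thing to look at is the SAML Response Keycloak sent back: the NameID must use the emailAddress format, the AuthnContextClassRef must be the Password class selected above, the Audience must be the Workspace ONE Access SP entityID, the StatusCode must be Success, and the assertion must be inside its validity window. The inspector below is an added example, not code from this post or from either product; it reads a decoded SAML Response (the SAMLResponse form field your browser posts is base64 and must be decoded first) and reports which of those checks fail. The embedded response is constructed, with placeholder hosts, entityIDs and signature body. Cryptographic verification of the XML signature is left to Workspace ONE Access; the script only reports whether a signature element is present at all.

```python
"""Inspect a decoded SAML Response the way Workspace ONE Access will judge it.

Added example, not code from the post, Keycloak or VMware.  SAMPLE_RESPONSE is
CONSTRUCTED: hosts, entityIDs and the signature body are placeholders.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

# Placeholder identifiers (assumptions, not values from the post).
IDP_ENTITY_ID = "http://keycloak.example.test:8080/auth/realms/demo"
SP_ENTITY_ID = "https://ws1access.example.test/sp"

SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="ID_constructed-response" Version="2.0" IssueInstant="2024-01-15T10:00:30.000Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="ID_constructed-assertion" Version="2.0" IssueInstant="2024-01-15T10:00:30.000Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>UExBQ0VIT0xERVI=</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">jdoe@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-15T10:00:00.000Z" NotOnOrAfter="2024-01-15T10:05:00.000Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-15T10:00:30.000Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>{PASSWORD_CTX}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_saml_time(value: str) -> datetime:
    """xs:dateTime in UTC; Keycloak emits millisecond precision, other IdPs may not."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def inspect_response(xml_text: str, idp_entity_id: str, sp_entity_id: str,
                     now: str, skew: timedelta = timedelta(minutes=2)) -> dict:
    """Return the fields the SP keys on plus findings; `now` is a SAML-style UTC timestamp."""
    root = ET.fromstring(xml_text)
    at = parse_saml_time(now)
    findings = []

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("StatusCode is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # Keycloak can encrypt assertions; only plaintext is inspected here
        findings.append("no plaintext Assertion (encrypted or missing)")
        return {"ok": False, "findings": findings}

    issuer = (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != idp_entity_id:
        findings.append(f"Issuer {issuer!r} does not match the IdP entityID")

    # Presence only: real verification needs an XML-DSig library plus the IdP
    # certificate from the metadata, which is Workspace ONE Access's job.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("neither Response nor Assertion carries an XML signature")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != EMAIL_FORMAT:
        findings.append(f"NameID Format is {fmt}, expected emailAddress")

    audience = (assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                   namespaces=NS) or "").strip()
    if audience != sp_entity_id:
        findings.append(f"Audience {audience!r} does not match the SP entityID")

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:  # allow a little clock skew between IdP and SP
        if cond.get("NotBefore") and at + skew < parse_saml_time(cond.get("NotBefore")):
            findings.append("assertion not yet valid (NotBefore in the future)")
        if cond.get("NotOnOrAfter") and at - skew >= parse_saml_time(cond.get("NotOnOrAfter")):
            findings.append("assertion expired (NotOnOrAfter passed)")

    ctx = (assertion.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                              namespaces=NS) or "").strip()
    if ctx != PASSWORD_CTX:
        findings.append(f"AuthnContextClassRef is {ctx!r}, expected the Password class")

    return {"ok": not findings, "findings": findings, "name_id_format": fmt, "authn_context": ctx,
            "name_id": (name_id.text or "").strip() if name_id is not None else None}


if __name__ == "__main__":
    result = inspect_response(SAMPLE_RESPONSE, IDP_ENTITY_ID, SP_ENTITY_ID, "2024-01-15T10:01:00Z")
    print("OK" if result["ok"] else "FINDINGS:", *result["findings"], sep="\n")
```

A NameID Format other than emailAddress usually means the Name ID Policy step above was skipped; a mismatched Audience means the wrong SP.XML was imported into the Keycloak client.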

Did you like this configuration? Let me know what you think! I hope this can help you with your use case.

Enjoy the ride!
