Configure Minimus as a custom SAML app in Keycloak to enable SSO for Minimus.

Prepare the SSO form in Minimus

  1. Go to Manage > Users & Groups (direct link)
  2. Click Configure SSO at the top of the page to open the Minimus SSO form.
    Keep this form open and available in another browser tab as you configure the SAML app in Keycloak.
  3. The form has 4 parts:
    1. Configure Minimus as a custom app in your identity provider - You will copy these parameters from Minimus to Keycloak in the next steps.
      1. SP Entity ID
      2. Reply URL (Callback / ACS URL)
      3. Relay State (optional) - If you leave the Relay State blank, users will only be able to log in with SSO from the Minimus homepage.
    2. Connect Minimus to your identity provider - You will fetch these parameters from your Keycloak client and save them to the Minimus form:
      1. Login SSO URL
      2. IdP Entity ID
      3. Certificate
    3. SAML Attribute Mapping - You will fetch the Keycloak claim names for the following parameters and save them to the Minimus form:
      Minimus Parameter | Keycloak Attribute Name
      Email | user.mail
      Full Name | user.userprincipalname
    4. Group Mapping is optional and can be enabled if you plan to configure user groups. See the instructions in user groups.

Add Minimus as a client in Keycloak

1

Create a Minimus client in Keycloak

The first step is to create the Minimus client in Keycloak and link it to your Minimus Console.
  1. Go to Clients to begin.
  2. Select the option Create client.
  3. Select Client Type - SAML.
  4. Copy the value from Minimus SP Entity ID to the Client ID field.
  5. Set the following as https://images.minimus.io:
    1. Root URL
    2. Home URL
    3. Valid post logout redirect URIs
  6. Set the Valid Redirect URI to https://images.minimus.io/*
  7. Set the IDP-Initiated SSO URL name as minimus
  8. Set the IDP Initiated SSO Relay State, for example:
    {
      "tenantName": "My-Org"
    }
    
  9. Set the Master SAML Processing URL as https://images.minimus.io/saml/callback
  10. Save your changes.
2

Configure the SAML

  1. Configure the following SAML capabilities:
    • Name ID format - email
    • Force name ID format - ON
    • Force POST binding - ON
  2. Go to the Keys tab and turn off Client signature required.
  3. Go to the Client scopes tab and click on your Client ID.
  4. Click on Configure a new mapper and select User Property.
  5. Fill the mapper attributes:
    • Name - email
    • Property - email
    • SAML Attribute Name - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    • SAML Attribute NameFormat - Basic
  6. Save your changes.
3

Configure a mapper

  1. Click on Configure a new mapper and select User Property.
  2. Fill the mapper attributes:
    • Name - fullName
    • Property - firstName
    • SAML Attribute Name - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    • SAML Attribute NameFormat - Basic
  3. Save your changes. 
4

Copy the certificate

  1. In the left menu, select Realm settings.
  2. In the General tab, select SAML 2.0 Identity Provider Metadata.
  3. Copy the certificate between <ds:X509Certificate> and </ds:X509Certificate>.
5

Configure the SAML in Minimus

  1. In your Minimus console, go to Manage > Users & Groups > Configure SSO.
  2. Fill the following fields:
    • IdP Entity ID - https://YOUR_KEYCLOAK_EXTERNAL_IP_OR_URL/realms/master
    • Login URL - https://YOUR_KEYCLOAK_EXTERNAL_IP_OR_URL/realms/master/protocol/saml
    • Certificate - Paste the certificate you copied in the previous step.
  3. SAML Attribute Mapping setup - put the following values in the fields:
    • Email - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    • Full Name - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    • Group Mapping - groups
  4. Save your changes. 
That’s it! You should now be able to manage access to Minimus with Keycloak SSO.

Troubleshooting SSO access

When copying the certificate to Minimus, make sure there is no whitespace before or after the certificate. Also, check that the expected prefix and suffix are included.
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
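
The following is an added example, not part of the Minimus documentation or Keycloak's own tooling: a Python sketch that reads the three IdP values for the Minimus form out of the SAML 2.0 Identity Provider Metadata and emits the certificate as a PEM block with the prefix and suffix in place and no stray whitespace. The metadata sample, the host keycloak.example.test, the dummy certificate bytes and the function names are all constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for certificate bytes; NOT a real certificate.
DUMMY_DER = bytes(range(256)) * 3
_b64 = base64.b64encode(DUMMY_DER).decode()
_wrapped = "\n        ".join(_b64[i:i + 76] for i in range(0, len(_b64), 76))
# Constructed sample shaped like Keycloak's IdP metadata; placeholder host.
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.example.test/realms/master">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {_wrapped}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}"
      Location="https://keycloak.example.test/realms/master/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def to_pem(cert_text):
    """Normalise the text between the X509Certificate tags into PEM."""
    b64 = "".join(cert_text.split())  # drop line breaks and stray whitespace
    der = base64.b64decode(b64, validate=True)  # rejects non-base64 input
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"])


def minimus_sso_fields(metadata_xml):
    """Return the three IdP values the Minimus SSO form asks for."""
    root = ET.fromstring(metadata_xml)
    entity = next(root.iter(MD + "EntityDescriptor"))  # root or nested element
    sso = next(e for e in entity.iter(MD + "SingleSignOnService")
               if e.get("Binding") == POST)
    cert = next(entity.iter(DS + "X509Certificate"))
    return {"IdP Entity ID": entity.get("entityID"),
            "Login URL": sso.get("Location"),
            "Certificate": to_pem(cert.text)}
```

Feed it the metadata from your own realm and compare the returned values with what is saved in the Minimus form. A paste containing non-base64 characters makes `to_pem` raise instead of producing a broken certificate.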
Last modified on June 16, 2026