keycloak-scim/docs/guides/securing-apps/partials/saml/general-config.adoc

[[_saml-general-config]]

== Configuration

The SAML client adapter is configured by a XML file `/WEB-INF/keycloak-saml.xml` placed inside the WAR deployment. The configuration might look like the following:

[source,xml,subs="attributes+"]
----
<keycloak-saml-adapter xmlns="urn:keycloak:saml:adapter"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="urn:keycloak:saml:adapter {saml_adapter_xsd_urn}">
    <SP entityID="http://localhost:8081/sales-post-sig/"
        sslPolicy="EXTERNAL"
        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        logoutPage="/logout.jsp"
        forceAuthentication="false"
        isPassive="false"
        turnOffChangeSessionIdOnLogin="false"
        autodetectBearerOnly="false">
        <Keys>
            <Key signing="true" >
                <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
                    <PrivateKey alias="http://localhost:8080/sales-post-sig/" password="test123"/>
                    <Certificate alias="http://localhost:8080/sales-post-sig/"/>
                </KeyStore>
            </Key>
        </Keys>
        <PrincipalNameMapping policy="FROM_NAME_ID"/>
        <RoleIdentifiers>
            <Attribute name="Role"/>
        </RoleIdentifiers>
        <RoleMappingsProvider id="properties-based-role-mapper">
            <Property name="properties.resource.location" value="/WEB-INF/role-mappings.properties"/>
        </RoleMappingsProvider>
        <IDP entityID="idp"
             signaturesRequired="true">
        <SingleSignOnService requestBinding="POST"
                             bindingUrl="http://localhost:8081{kc_realms_path}/demo/protocol/saml"
                    />

            <SingleLogoutService
                    requestBinding="POST"
                    responseBinding="POST"
                    postBindingUrl="http://localhost:8081{kc_realms_path}/demo/protocol/saml"
                    redirectBindingUrl="http://localhost:8081{kc_realms_path}/demo/protocol/saml"
                    />
            <Keys>
                <Key signing="true">
                    <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
                        <Certificate alias="demo"/>
                    </KeyStore>
                </Key>
            </Keys>
        </IDP>
     </SP>
</keycloak-saml-adapter>
----    

You can use `${r"${...}"}` enclosure as System property replacement. For example `${r"${jboss.server.config.dir}"}`.
To get detailed information of the different elements in the XML configuration file see <@links.securingapps id="saml-galleon-layers-detailed-config"/>.

include::partials/saml/required_per_war_configuration.adoc[]
include::partials/saml/securing_wars.adoc[]
include::partials/saml/jboss-adapter-samesite-setting.adoc[]
Revert "fixed Wildfly mentions and faulty links with underscores" This reverts commit 1ecbc1ba14075203af437295927699adf84cc428. 2019-01-21 17:01:40 +00:00			`[[_saml-general-config]]`
initial saml 2016-06-02 16:07:45 +00:00
Move saml documentation to guides Closes #31330 Signed-off-by: rmartinc <rmartinc@redhat.com> 2024-07-22 08:16:24 +00:00			`== Configuration`
initial saml 2016-06-02 16:07:45 +00:00
Move saml documentation to guides Closes #31330 Signed-off-by: rmartinc <rmartinc@redhat.com> 2024-07-22 08:16:24 +00:00			The SAML client adapter is configured by a XML file `/WEB-INF/keycloak-saml.xml` placed inside the WAR deployment. The configuration might look like the following:
initial saml 2016-06-02 16:07:45 +00:00
Fix URN of SAML adapter schema 2017-08-30 07:26:56 +00:00			`[source,xml,subs="attributes+"]`
initial saml 2016-06-02 16:07:45 +00:00			`----`
KEYCLOAK-3870 Refer to keycloak-saml.xml schema in the example 2016-11-09 10:02:53 +00:00			`<keycloak-saml-adapter xmlns="urn:keycloak:saml:adapter"`
			`xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"`
Fix URN of SAML adapter schema 2017-08-30 07:26:56 +00:00			`xsi:schemaLocation="urn:keycloak:saml:adapter {saml_adapter_xsd_urn}">`
initial saml 2016-06-02 16:07:45 +00:00			`<SP entityID="http://localhost:8081/sales-post-sig/"`
			`sslPolicy="EXTERNAL"`
			`nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"`
			`logoutPage="/logout.jsp"`
			`forceAuthentication="false"`
			`isPassive="false"`
KEYCLOAK-4980 SAML adapter should return 401 when unauthenticated Ajax client accesses 2017-06-06 14:50:33 +00:00			`turnOffChangeSessionIdOnLogin="false"`
			`autodetectBearerOnly="false">`
initial saml 2016-06-02 16:07:45 +00:00			`<Keys>`
			`<Key signing="true" >`
			`<KeyStore resource="/WEB-INF/keystore.jks" password="store123">`
			`<PrivateKey alias="http://localhost:8080/sales-post-sig/" password="test123"/>`
			`<Certificate alias="http://localhost:8080/sales-post-sig/"/>`
			`</KeyStore>`
			`</Key>`
			`</Keys>`
			`<PrincipalNameMapping policy="FROM_NAME_ID"/>`
RHSSO-655: fixed 2 errors 2016-12-04 20:44:53 +00:00			`<RoleIdentifiers>`
initial saml 2016-06-02 16:07:45 +00:00			`<Attribute name="Role"/>`
RHSSO-655: fixed end tag change missed in initial commit 2016-12-05 15:14:37 +00:00			`</RoleIdentifiers>`
[KEYCLOAK-7264] Add documentation for the new RoleMappingsProvider SPI 2019-08-01 04:42:11 +00:00			`<RoleMappingsProvider id="properties-based-role-mapper">`
			`<Property name="properties.resource.location" value="/WEB-INF/role-mappings.properties"/>`
			`</RoleMappingsProvider>`
initial saml 2016-06-02 16:07:45 +00:00			`<IDP entityID="idp"`
			`signaturesRequired="true">`
			`<SingleSignOnService requestBinding="POST"`
Update documentation for Quarkus distribution (#1385) 2022-02-08 13:07:16 +00:00			`bindingUrl="http://localhost:8081{kc_realms_path}/demo/protocol/saml"`
initial saml 2016-06-02 16:07:45 +00:00			`/>`

			`<SingleLogoutService`
			`requestBinding="POST"`
			`responseBinding="POST"`
Update documentation for Quarkus distribution (#1385) 2022-02-08 13:07:16 +00:00			`postBindingUrl="http://localhost:8081{kc_realms_path}/demo/protocol/saml"`
			`redirectBindingUrl="http://localhost:8081{kc_realms_path}/demo/protocol/saml"`
initial saml 2016-06-02 16:07:45 +00:00			`/>`
			`<Keys>`
			`<Key signing="true">`
			`<KeyStore resource="/WEB-INF/keystore.jks" password="store123">`
			`<Certificate alias="demo"/>`
			`</KeyStore>`
			`</Key>`
			`</Keys>`
			`</IDP>`
			`</SP>`
			`</keycloak-saml-adapter>`
			`----`

Move saml documentation to guides Closes #31330 Signed-off-by: rmartinc <rmartinc@redhat.com> 2024-07-22 08:16:24 +00:00			You can use `${r"${...}"}` enclosure as System property replacement. For example `${r"${jboss.server.config.dir}"}`.
			`To get detailed information of the different elements in the XML configuration file see <@links.securingapps id="saml-galleon-layers-detailed-config"/>.`
initial saml 2016-06-02 16:07:45 +00:00
Move saml documentation to guides Closes #31330 Signed-off-by: rmartinc <rmartinc@redhat.com> 2024-07-22 08:16:24 +00:00			`include::partials/saml/required_per_war_configuration.adoc[]`
			`include::partials/saml/securing_wars.adoc[]`
			`include::partials/saml/jboss-adapter-samesite-setting.adoc[]`