Following the success of the article about Amazon AWS and Keycloak, we would like to share an article on configuring SSO access to Google Apps using the SAML protocol, with Keycloak as the Identity Provider.
Read the step-by-step guide below:
Setting up Keycloak
- First, create a new SAML client in Keycloak:
Google SAML client configuration in Keycloak.
I haven't found a saml-metadata.xml file for Google as a service provider that could be imported into Keycloak, so all client options have to be set manually. Two settings matter most: the Client ID must equal the issuer Google sends in its SAML requests (which depends on the "Use a domain specific issuer" setting described below), and the Name ID format should be email, because Google matches the NameID of the assertion against the user's Google Apps address.
- After the initial client setup, go to "Mappers" and create an "email" mapper:
- Finally, go to the "Installation" tab of the Google SAML client settings and select "Format Option" -> "SAML Metadata IDPSSODescriptor".
- Copy the X509 certificate, which is located between the <ds:X509Certificate> and </ds:X509Certificate> tags of that metadata (a single base64 line with no PEM header or footer).
This is the certificate we will upload to Google Apps.
- Now the Google SAML client is ready for use.
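The two values Google Apps needs from the exported IDPSSODescriptor metadata are the sign-in URL (the SingleSignOnService location) and the signing certificate, and Google expects the certificate as a PEM file rather than the bare base64 line Keycloak prints. The script below pulls both out of the metadata and writes the PEM. It is an added example, not code from the original article or from Keycloak; the host keycloak.example.com, the realm name "example" and the certificate bytes in the sample metadata are placeholders, and the sample is trimmed (a real export also carries an XML signature and SingleLogoutService entries).

```python
"""Extract the Google Apps SSO values from Keycloak's "SAML Metadata
IDPSSODescriptor" export: sign-in URL and signing certificate as PEM."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample certificate body: NOT a real DER certificate, just bytes
# base64-encoded the way Keycloak prints them (one line, no PEM markers).
SAMPLE_CERT_DER = b"constructed sample, not a real DER certificate" * 4
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode("ascii")

# Constructed, trimmed sample of the IDPSSODescriptor export (placeholder host/realm).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://keycloak.example.com/auth/realms/example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}"
        Location="https://keycloak.example.com/auth/realms/example/protocol/saml"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://keycloak.example.com/auth/realms/example/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(cert_b64):
    """Wrap Keycloak's single-line base64 certificate as PEM (64-column
    body between BEGIN/END markers). Raises on invalid base64, which is
    the usual symptom of a damaged copy-paste."""
    body = "".join(cert_b64.split())            # tolerate stray whitespace
    base64.b64decode(body, validate=True)       # fail early on bad input
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + "\n"


def pem_to_der(pem):
    """Inverse of to_pem; handy for confirming the file you are about to upload."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


def google_sso_values(metadata_xml):
    """Return entity ID, sign-in URL and PEM certificate from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: export IdP metadata, not SP metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    # Google delivers its AuthnRequest with the HTTP-Redirect binding.
    sign_in = sso.get(REDIRECT) or sso.get(POST)
    if sign_in is None:
        raise ValueError("no SingleSignOnService location in metadata")
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "encryption":   # skip encryption-only keys
            cert = kd.findtext(".//ds:X509Certificate", namespaces=NS)
            if cert:
                break
    if not cert:
        raise ValueError("no signing certificate in metadata")
    return {
        "entity_id": root.get("entityID"),
        "sign_in_url": sign_in,
        "certificate_pem": to_pem(cert),
    }


if __name__ == "__main__":
    values = google_sso_values(SAMPLE_METADATA)
    print("Sign-in page URL:", values["sign_in_url"])
    with open("keycloak-idp.pem", "w") as fh:   # the file to upload in Google Apps
        fh.write(values["certificate_pem"])
```

Run it against the metadata copied from the Installation tab instead of SAMPLE_METADATA; the printed sign-in URL is what goes into Google's "Sign-in page URL" field, and keycloak-idp.pem is the certificate file to upload.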
Google Apps SSO setup
The Keycloak user directory must contain a user whose "email" attribute is set to that user's Google Apps address: Google matches the email carried in the SAML assertion against its own user list and does not create accounts on the fly.
- Go to "Security" -> "Set up single sign on (SSO)" and check "Setup SSO with third party identity provider".
- In "Sign-in page URL", enter the "Base URL" you set up in the Keycloak Google SAML client. This has to be the realm's SAML endpoint, i.e. the SingleSignOnService location from the IDPSSODescriptor metadata exported above, because Google redirects the browser there with its AuthnRequest:
- For "Sign-out page URL", you can set any URL you need.
In my case, I’ve set it to
- Upload the X509 certificate you copied from the Google SAML client's "Installation" tab in Keycloak, saved as a PEM file (the base64 block between BEGIN CERTIFICATE and END CERTIFICATE lines).
- Also, check "Use a domain specific issuer".
This checkbox enables SSO specifically for your Google Apps domain: Google then sends google.com/a/<your domain> as the issuer of its SAML requests instead of plain google.com, so the Client ID of the Keycloak SAML client must be set to that value, otherwise Keycloak will not find the client.
Google Apps SAML configuration.
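When the login loops or Keycloak reports that the client is unknown, the quickest check is to decode the SAMLRequest parameter Google appends to the sign-in URL and compare it with the Keycloak client. The script below does that: it inflates the HTTP-Redirect encoding, and checks the issuer against the Client ID, the AssertionConsumerServiceURL against Google's per-domain ACS URL (https://www.google.com/a/<domain>/acs, which the article does not state but Google uses), and the requested NameID format (email, which is what the "email" mapper and Name ID format setting must produce). This is an added example, not code from the article or from Google; the AuthnRequest embedded in it is constructed, with example.com as a placeholder domain, and the encoder exists only so the sample can be built offline.

```python
"""Decode the AuthnRequest Google sends to the Sign-in page URL and check it
against the Keycloak SAML client's configuration."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample of the request Google issues with "Use a domain specific
# issuer" ticked; example.com is a placeholder, the ID is made up.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-sample-id" Version="2.0" IssueInstant="2016-01-01T00:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://www.google.com/a/example.com/acs">
  <saml:Issuer>google.com/a/example.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>"""


def expected_issuer(domain, domain_specific_issuer):
    """Issuer Google puts in its AuthnRequest: google.com/a/<domain> when
    "Use a domain specific issuer" is ticked, plain google.com otherwise.
    The Keycloak Client ID has to equal this string."""
    return f"google.com/a/{domain}" if domain_specific_issuer else "google.com"


def expected_acs_url(domain):
    """Google's per-domain Assertion Consumer Service URL."""
    return f"https://www.google.com/a/{domain}/acs"


def encode_redirect_request(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode (used here only
    to build the sample SAMLRequest parameter)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw deflate, no zlib header
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(data).decode("ascii"), safe="")


def decode_redirect_request(saml_request_param):
    """Reverse of the above: paste the SAMLRequest query value from the URL
    Google redirected you to and get the AuthnRequest XML back."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request_param))
    return zlib.decompress(raw, -15).decode("utf-8")


def check_request(xml_text, keycloak_client_id, domain):
    """Return the mismatches between what Google asks for and the Keycloak
    client; an empty list means the client should accept the request."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != keycloak_client_id:
        problems.append(f"Issuer {issuer!r} != Keycloak Client ID {keycloak_client_id!r}")
    acs = root.get("AssertionConsumerServiceURL", "")
    if acs != expected_acs_url(domain):
        problems.append(f"ACS URL {acs!r} != expected {expected_acs_url(domain)!r}")
    policy = root.find("samlp:NameIDPolicy", NS)
    fmt = policy.get("Format", "") if policy is not None else ""
    if fmt != EMAIL_NAMEID:
        problems.append(f"NameID format {fmt!r}: set the client's Name ID format to email")
    return problems


SAMPLE_REQUEST_PARAM = encode_redirect_request(SAMPLE_AUTHN_REQUEST)

if __name__ == "__main__":
    xml = decode_redirect_request(SAMPLE_REQUEST_PARAM)
    for client_id in ("google.com/a/example.com", "google.com"):
        print(client_id, "->", check_request(xml, client_id, "example.com") or "OK")
```

With the checkbox ticked, only a Client ID of google.com/a/example.com passes; the plain google.com Client ID is reported as an issuer mismatch, which is exactly the failure you see when the Keycloak client was created before "Use a domain specific issuer" was enabled.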
And, that is it!
Now, when you go to your Google SAML client in Keycloak and press the "Base URL", for example:
You can also access specific Google Apps using SSO directly from the web browser. If you enter in the location bar:
you'll be redirected to Keycloak for authentication, and after you authenticate, you'll be redirected to the specific Google app.
Let us help you:
Still having trouble setting up SSO authentication for Google Apps? Maybe you have some additional questions? Or are you just looking for tech assistance? You've come to the right place. Scandiweb is the most certified Magento agency in the world, with more than a hundred experienced coders and more than a decade of experience under its belt. We're here to help, so if you have any questions, drop us a line at firstname.lastname@example.org or check out our Technology services page.