Overview
This document presents the basic configuration for integrating Keycloak server 16.1.1 as a SAML identity provider (IdP) for access to cnMaestro.
Pre-requisites
- Access to Keycloak server 16.1.1
- Latest Chrome browser (Version 115.0.5790.110 or above)
Step 1: Create or select a Realm
- Create a new realm or select an existing one where you want to set up SAML.
- Navigate to the desired realm.
Step 2: Create Role
- Navigate to Configure > Roles > Click on Add Role.
- Provide Role name and description > Save it.
Step 3: Create Groups
- Navigate to Manage > Groups > Click on New.
- Provide Group name > Save it.
Step 4: Assigning Roles to Groups
- Go to Role Mappings > Select the respective role > Click on Add Selected.
Step 5: Create User
- Navigate to Manage > Users > Add User.
- Provide Username, Email, First Name and Last Name, and select the created Group > Save it.
- Navigate to Credentials > Provide Password > Click on Set Password > Confirm it.
- Note: Create Roles, Groups and Users for each role-based access level, i.e. Superadmin, Administrator, Operator, Monitor and CPI.
Step 6: Create Client
- Navigate to Configure > Clients > Create.
- Provide the Client ID name and select SAML as Client Protocol > Save it.
- Navigate to Settings > Disable Client Signature Required.
- Provide Valid Redirect URIs, Base URL and Master SAML Processing URL > Save it.
- Navigate to Mappers > Click on Add Builtin > Select role list and X500 givenName > Click on Add selected.
Step 7: Configuration of cnMaestro
- Log in to cnMaestro > Navigate to Administration > Users > Authentication > SAML.
- Provide Connection Name.
- Provide the SAML Identity Provider Metadata XML (the Metadata XML is available in the Keycloak server under Configure > Realm Settings > General > Endpoints > SAML 2.0 Identity Provider Metadata).
- Provide Entity ID URI (use the Client ID as the Entity ID URI).
- Select the Default option for Validate Response Signature.
- Provide the desired CDN image URL in Button Icon URL.
- In IdP Field Mappings, provide the correct Role attribute name in Roles/Groups (the name shown under Clients > click on the respective Client ID > Mappers > role list > Edit > Role attribute name).
- Under Role Mappings, the Role Mapping values must be the same as the role values configured for that user in the Keycloak server.
- Click on Add.
- For detailed steps, refer to the SAML section of the cnMaestro On-Prem User Guide on the Cambium Support page: https://support.cambiumnetworks.com/files/cnmaestro/
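The Role attribute name and the Role Mapping values above must match the Keycloak configuration exactly. The following Python is an added example, not cnMaestro's or Keycloak's own code: it parses a constructed SAML assertion and applies a mapping table the way Step 7 describes, so a mismatch in either place can be seen to yield no role. The attribute name "Role" (Keycloak's default for the role list mapper) and the Keycloak role names are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion (not captured from a real Keycloak server). Keycloak's
# built-in "role list" mapper emits the user's roles as one multi-valued attribute;
# "Role" is its default Role attribute name (assumed here, check your mapper settings).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0">
  <saml:Subject><saml:NameID>operator1</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>cnmaestro-operator</saml:AttributeValue>
      <saml:AttributeValue>offline_access</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="givenName">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Role Mappings as entered in cnMaestro (Step 7): Keycloak role -> cnMaestro role (left side constructed).
ROLE_MAPPINGS = {
    "cnmaestro-superadmin": "Superadmin",
    "cnmaestro-administrator": "Administrator",
    "cnmaestro-operator": "Operator",
    "cnmaestro-monitor": "Monitor",
    "cnmaestro-cpi": "CPI",
}

def attribute_values(assertion_xml, attribute_name):
    """Return every value of the named SAML attribute (exact, case-sensitive match)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:
            values += [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return values

def resolve_roles(assertion_xml, role_attribute, mappings):
    """Translate the IdP role values into cnMaestro roles via the configured mappings.

    Only exact string matches count: a wrong attribute name or a typo in a mapping
    value yields an empty list, which is the usual reason a SAML login is denied.
    """
    return sorted({mappings[v] for v in attribute_values(assertion_xml, role_attribute) if v in mappings})

if __name__ == "__main__":
    print(resolve_roles(SAMPLE_ASSERTION, "Role", ROLE_MAPPINGS))   # ['Operator']
    print(resolve_roles(SAMPLE_ASSERTION, "roles", ROLE_MAPPINGS))  # [] (attribute name mismatch)
```

Unmapped IdP roles such as offline_access are ignored rather than rejected, so only the values listed in Role Mappings grant access.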
Step 8: Logging in to cnMaestro
- Use the credentials configured while creating the user in the Keycloak server to access cnMaestro.
- Use the SAML Tracer tool for debugging/inspecting the messages exchanged between the identity provider and the service provider.