Configuring Keycloak as SAML identity provider to access cnMaestro

This document describes a basic configuration for integrating Keycloak server 16.1.1 as the SAML identity provider used to access cnMaestro.


  • Access to Keycloak server 16.1.1
  • Latest Chrome browser (Version 115.0.5790.110 or above)

Step 1: Create or select a Realm

  • Create a new realm or select an existing one where you want to set up SAML.
  • Navigate to the desired realm.

Step 2: Create Role

Step 3: Create Groups

Step 4: Assign Roles to Groups

Step 5: Create User

  • Navigate to Manage > Users > Add User.

  • Provide the Username, Email, First Name and Last Name, select the created Group, then save.

  • Navigate to Credentials > provide a Password > click Set password > confirm it.

  • Note: Create Roles, Groups, and Users for each role-based access level, i.e. Superadmin, Administrator, Operator, Monitor and CPI.

Step 6: Create Client

  • Navigate to Configure > Clients > Create.

  • Provide a Client ID and select SAML as the Client Protocol, then save.

  • Navigate to Settings > disable Client Signature Required. (With this setting off, Keycloak does not require the authentication requests it receives for this client to be signed.)

  • Provide the Valid Redirect URIs, Base URL and Master SAML Processing URL, then save.

  • Navigate to Mappers > click Add Builtin > select role list and X500 givenName > click Add selected.

Step 7: Configuration of cnMaestro

  • Log in to cnMaestro > navigate to Administration > Users > Authentication > SAML.

  • Provide a Connection Name.

  • Provide the SAML Identity Provider Metadata XML. (The metadata XML is available in the Keycloak server under Configure > Realm Settings > General > Endpoints > SAML 2.0 Identity Provider Metadata.)

  • Provide the Entity ID URI (use the Client ID as the Entity ID URI).

  • Select the Default option for Validate Response Signature.

  • Provide the desired CDN image URL in Button Icon URL.

  • In IdP Field Mappings, provide the correct Role attribute name in Roles/Groups. (This is the name shown in Keycloak at Clients > the respective Client ID > Mappers > role list > Edit > Role attribute name.)

  • Under Role Mappings, the Role Mappings values must be the same as the values configured for that user in the Keycloak server.

  • Click on Add

Step 8: Logging in to cnMaestro

  • Use the credentials configured when creating the user in the Keycloak server to access cnMaestro.
  • Use the SAML Tracer tool to debug or inspect the messages exchanged between the identity provider and the service provider.
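
When a login succeeds in Keycloak but the user lands in cnMaestro with the wrong role or none, the usual cause is a mismatch between the Role attribute name or values from Step 7 and what Keycloak actually sends. The following added example (not part of the original document and not Cambium or Keycloak code) summarises a SAMLResponse copied from SAML Tracer; the sample response, host name, realm, client ID `cnmaestro-client`, attribute name `Role` and exact-match comparison of role values are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, not captured from a real server. It is unsigned and uses
# hypothetical names (keycloak.example.test, realm "demo", client "cnmaestro-client").
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>https://keycloak.example.test/auth/realms/demo</saml:Issuer>
 <saml:Assertion>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>cnmaestro-client</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="Role"><saml:AttributeValue>Operator</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="Role"><saml:AttributeValue>offline_access</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def inspect_response(captured, role_attr, mapped_values, entity_id):
    """Summarise a captured SAMLResponse (base64 POST parameter or decoded XML).

    Inspection only: it reports whether ds:Signature elements are present but
    does not verify them."""
    text = captured.strip()
    data = text.encode() if text.startswith("<") else base64.b64decode(text)
    root = ET.fromstring(data)
    attrs = {}
    # Roles may arrive as repeated Attribute elements or as one with many values.
    for attr in root.iterfind(".//saml:Attribute", NS):
        vals = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(vals)
    roles = attrs.get(role_attr, [])
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": root.find("saml:Assertion/ds:Signature", NS) is not None,
        "audience_ok": entity_id in audiences,   # Entity ID URI from Step 7
        "attribute_names": sorted(attrs),
        "roles": roles,
        "matched": [r for r in roles if r in mapped_values],  # exact match assumed
        "unmatched": [r for r in roles if r not in mapped_values],
    }
```

An empty `roles` list means the attribute name entered in Roles/Groups does not appear in the response; compare it against `attribute_names`. An empty `matched` list means none of the values sent correspond to a configured Role Mapping.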