Configuring Keycloak as SAML identity provider to access cnMaestro

Overview
This document presents basic integration configuration of Keycloak server 16.1.1 as SAML identity provider to access cnMaestro.

Pre-requisites

• Access to Keycloak server 16.1.1
• Latest Chrome browser (Version 115.0.5790.110 or above)

Step1: Create or select a Realm

• Create a new realm or select an existing one where you want to set up SAML.
• Navigate to the desired realm.

Step2: Create Role

• Navigate to Configure > Roles> Click on Add a role.
  

  

  image975×319 73.5 KB

• Provide Role name and description > Save it.
  

  

  image975×235 25.3 KB

Step3: Create Groups

• Navigate to Manage > Groups > Click on New
  

  

  image975×386 64.5 KB

• Provide Group name > Save it.
  

  

  image975×385 38.2 KB

Step4 : Assigning Roles to Groups

• Go to Role Mappings > Select respective role > click on Add Selected
  
  

  image975×316 49.2 KB

Step5: Create User

• Navigate to Manage > Users > Add User
  

  

  image975×371 48.2 KB

• Provide Username, Email, First Name, Last Name and select the created Group > Save it.
  

  

  image975×481 69.8 KB

• Navigate to credentials > Provide Password > click on Set password > Confirm it
  

  

  image975×324 52.1 KB

• Note: Create Roles, Groups, and users for each role-based access i.e. Superadmin, Administrator, Operator, Monitor and CPI.

Step6: Create Client

• Navigate to Configure > Clients > Create.
  

  

  image975×179 33.5 KB

• Provide Client ID name and select SAML as Client Protocol > Save it.
  

  

  image975×213 30.3 KB

• Navigate to settings > Disable Client Signature Required

• Provide Valid Redirect URIs, Base URL and Master SAML Processing URL > Save it.
  

  

  image975×384 40 KB

• Navigate to Mappers > Click on Add Builtin > Select role list and X500 givenName > Click on Add selected.
  

  

  image975×280 49.9 KB

Step7: Configuration of cnMaestro

• Login to cnMaestro > Navigate to Administration > Users > Authentication > SAML

• Provide Connection Name.

• Provide SAML Identity Provider Metadata XML (We can find Metadata XML in Keycloak server > Configure > Realm Settings > General > Endpoints > SAML 2.0 Identity provider Metadata.
  

  

  image975×336 56.9 KB

• Provide Entity ID URI (Client ID as Entity ID URI)

• Select Default option for Validate Response Signature.

• Provide desired cdn image url in Button Icon URL

• In IdP Field Mappings, Provide the correct Role attribute name in Roles/Groups. (The name which is at Clients > click on respective client ID > Mappers > role list > Edit > Role attribute name).

• Under Role Mappings - Role Mappings values must be same as the values configured for that user in keycloak server.

• Click on Add
  

  

  image975×517 130 KB

image975×643 50.3 KB

• For Detailed steps, Refer SAML section from cnMaestro On-Prem User Guide. Cambium Support page link - https://support.cambiumnetworks.com/files/cnmaestro/

Step8: Logging in to cnMaestro

• Use the credentials we configured while creating user in Keycloak server to access cnMaestro.
• Use SAML Tracer tool for debugging/inspecting the messages between identity providers and service providers.