
SAML with CyberArk

CyberArk integrates with Knocknoc via the "Web Apps" component, passing through SAML assertions.

Keycloak supports multiple authentication realms, so you must first select the appropriate realm for your organisation. Do not make any of the below changes in the Keycloak "master" realm.

In this example our realm is called "Acme" and Keycloak is hosted at https://auth.example.com/.

Our Knocknoc instance is a cloud instance with URL https://keycloaktest.knoc.cloud. If you are using a cloud server, replace with your own URL, or if you are using an on-premise server, this is the base URL to your Knocknoc server.

Knocknoc SAML config

    1. Log in to the Knocknoc Admin interface
    2. On the Settings page configure the PublicURL (eg: https://knocknoc.yourserver.com)
    3. Create and upload a key/cert (see below)
    4. Save these settings. This enables the SAML metadata file for consumption by CyberArk.
    5. In another tab, open the CyberArk configuration and follow the steps below. You need to return to this Knocknoc Admin tab for the final step, providing the CyberArk SSO URL back to Knocknoc.

    CyberArk configuration

    1. Create a Web App and establish the base settings.
    2. Create the SSO link and copy the URL, log back in to Knocknoc in another tab and place this URL in the "samlMetadataUrl" setting, then click Save in Knocknoc.
    3. Under "Service Provider Configuration" enter the Knocknoc SAML metadata URL in the location field (Knocknoc is the service provider here), and select Load.

    Knocknoc SAML config (Keycloak)

    1. Public URL: https://keycloaktest.knoc.cloud
    2. Metadata URL: https://auth.example.com/realms/Acme/protocol/saml/descriptor (you can get this from Keycloak > Acme realm > Realm settings > General tab > Endpoints section > "SAML 2.0 Identity Provider Metadata").

SamlMetadataFile: the idp-metadata.xml downloaded in the Mellon package from Keycloak.

SamlKeyFile and SamlCertFile are currently required fields in Knocknoc but unused once you turn off Keycloak > Client > Keys > "Client signature required".

So if we do a "choose SAML" provider option for Keycloak, maybe these could be omitted or not mandatory.

Keycloak config

  • Change to your realm (e.g. Acme, not master)
  • Create client
    • Type: SAML
    • Client ID: https://keycloaktest.knoc.cloud/api/saml/metadata
    • Settings tab: accept the defaults and Save
    • Keys tab
      • Client signature required: off
      • Encrypt assertions: off
      • With "Client signature required" off, Keycloak does not verify a signature on Knocknoc's AuthnRequests (so the Knocknoc key/cert is not used for this), but the assertions Keycloak issues are still signed with the realm key published in its metadata descriptor.
    • Roles tab: -
    • Client scopes tab
      • The client scope "role_list" should already exist by default.
      • Edit the "dedicated scope and mappers for this client" (https://keycloaktest.knoc.cloud/api/saml/metadata-dedicated) and add in mappers:
        • realName
          • Mapper type: User attribute
          • Name: realName
          • User attribute: select the user attribute containing their name
          • Friendly name: realName
          • SAML attribute name: realName
        • nameid
          • Mapper type: User attribute mapper for NameID
          • Name: nameid
          • Name ID format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
          • User attribute: email
        • sessionDuration
          • Mapper type: User attribute
          • Name: sessionDuration
          • User attribute: select the user attribute containing the session duration in seconds
    • Advanced tab
      • Authentication flow overrides
        • Browser flow: browser

Key/cert pair

To create a key/cert pair for uploading in to the Knocknoc portal or connected IdP, follow the below:

    1. Generate a new certificate and key. This can be done on a Linux host using the below command.
       openssl req -new -x509 -days 3650 -nodes -subj /CN=Knocknoc/ -out user-demo-knoc-cloud.crt -keyout user-demo-knoc-cloud.key
    2. If required, convert the certificate to pfx using the following command (openssl prompts for an export password).
       openssl pkcs12 -export -out user-demo-knoc-cloud.pfx -inkey user-demo-knoc-cloud.key -in user-demo-knoc-cloud.crt

The .key file is the private key: keep it restricted on the host where it was generated, and hand out only the .crt, or the .pfx (which contains both the key and the certificate) where the receiving system requires it.
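As an added example (not Knocknoc or Keycloak code), the following Python checks that an assertion carries what the three mappers in the Keycloak config above are meant to produce: a persistent-format NameID, a non-empty realName attribute and a sessionDuration attribute in whole seconds, issued by the Acme realm. The response embedded is a constructed sample with the XML signature omitted; signature, audience and timestamp validation are the service provider's job (Knocknoc's), and this only checks the attribute contract. The user alice@example.com and the 28800-second value are assumptions made for the sample.

```python
"""Check a SAML assertion against the attribute contract the Keycloak mappers set up.

Added example, not Knocknoc or Keycloak project code. The sample response is
constructed and unsigned; this checks attributes only, not the signature.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample response: values are assumptions, the Signature element is omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://auth.example.com/realms/Acme</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://auth.example.com/realms/Acme</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="realName" FriendlyName="realName">
        <saml:AttributeValue>Alice Example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="sessionDuration" FriendlyName="sessionDuration">
        <saml:AttributeValue>28800</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def check_knocknoc_attributes(xml_text, expected_issuer):
    """Return the values the SP would consume plus a list of problems found."""
    root = ET.fromstring(xml_text)
    problems = []
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # With "Encrypt assertions" on, Keycloak emits saml:EncryptedAssertion instead.
        problems.append("no plain saml:Assertion (is 'Encrypt assertions' off?)")
        return {"problems": problems}
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} is not the realm {expected_issuer!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    name_id_value = name_id_format = None
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID (nameid mapper not applied?)")
    else:
        name_id_value = name_id.text.strip()
        name_id_format = name_id.get("Format")
        if name_id_format != PERSISTENT:
            problems.append(f"NameID format {name_id_format!r} is not persistent")
    # Map attribute Name -> list of values; the mappers above set Name and FriendlyName alike.
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
    real_name = (attrs.get("realName") or [""])[0]
    if not real_name:
        problems.append("realName attribute missing or empty")
    duration = None
    raw = (attrs.get("sessionDuration") or [""])[0]
    if not raw.isdigit() or int(raw) <= 0:
        problems.append(f"sessionDuration {raw!r} is not a positive whole number of seconds")
    else:
        duration = int(raw)
    return {
        "name_id": name_id_value,
        "name_id_format": name_id_format,
        "real_name": real_name or None,
        "session_duration": duration,
        "problems": problems,
    }


if __name__ == "__main__":
    print(check_knocknoc_attributes(SAMPLE_RESPONSE, "https://auth.example.com/realms/Acme"))
```

Run it against a response captured from the browser (the base64-decoded SAMLResponse form field) after a test login to confirm the user attributes you selected in the mappers are populated for that user; an empty realName or a non-numeric sessionDuration usually means the Keycloak user attribute backing the mapper is unset or holds a value like "8h".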