Keycloak Harmony SASE Integration
  • 24 Jul 2024

      Harmony SASE can authenticate users against Keycloak using the Security Assertion Markup Language (SAML) protocol: Keycloak acts as the identity provider (IdP) and your Harmony SASE workspace acts as the service provider (SP).

      To configure Keycloak as an identity provider:

      1. Log in to your Keycloak Administration Console:
        1. Select the realm you want to configure.
        2. Go to Clients and click Create client.
          The Create client page appears.
        3. From the Client type list, select SAML.
        4. In the Client ID field, enter the audience URI (SP Entity ID) of your Harmony SASE workspace:
          • For US based platform - urn:auth0:perimeter81:{{WORKSPACE}}-oc
          • For EU based platform - urn:auth0:eu-sase-checkpoint:{{WORKSPACE}}-oc
            For example, the workspace acme.perimeter81.com translates to urn:auth0:perimeter81:acme-oc
        5. Click Next.
        6. In the Valid redirect URIs field, enter your workspace URL:
          • For US based platform - https://{{your-workspace}}.perimeter81.com/*
          • For EU based platform - https://{{your-workspace}}.eu.sase.checkpoint.com/*
        7. In the Master SAML Processing URL field, enter your Single sign-on URL:
          • For US based platform - https://auth.perimeter81.com/login/callback?connection={{WORKSPACE}}-oc
          • For EU based platform - https://auth.eu.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc
        8. Click Save.
        9. On the client's Settings tab, scroll past Access settings to the SAML capabilities section and do the following.
        10. From the Name ID format list, select email.
        11. Turn off the Force POST binding toggle button.
        12. Turn off the Include AuthnStatement toggle button.
        13. Go to the Signature and Encryption section.
        14. Turn off the Sign documents toggle button.
        15. Turn off the Sign assertion toggle button.
        16. From the Signature algorithm list, select RSA_SHA256.
        17. From the SAML signature key name list, select KEY_ID.
        18. Click the Keys tab.
        19. Turn off the Client signature required toggle button.
        20. Turn off the Encrypt assertions toggle button.
        21. Click the Client scopes tab.
        22. Select the assigned client scope named after your audience URI (SP Entity ID); its name starts with urn:auth0.
        23. Click the Mappers tab.
        24. Click Add predefined mapper.
        25. Select these checkboxes:
          • X500 email
          • X500 givenName
          • X500 surname
          These mappers pass the user's email, given name and surname to Harmony SASE in the SAML response.
      2. To map the user profile, log in to the Harmony SASE Administrator Portal, click your profile icon at the top right corner and enter these:
        1. First Name 
        2. Last Name
      3. Log in to your Keycloak Administration Console and open the client you created:
        1. (Optional) To pass group membership to Harmony SASE, click Add mapper, select By configuration, and then select Group list.
        2. In the Name field, enter Group Mapper.
        3. In the Group attribute name field, enter groups.
        4. From the SAML Attribute NameFormat list, select Basic.
        5. Turn on the Single Group Attribute toggle button.
        6. Turn off the Full group path toggle button.
        7. Click Save.
        8. Go to Clients and open the client you created.
        9. Click the Advanced tab.
        10. Click Fine Grain SAML Endpoint Configuration. 
        11. In the Assertion Consumer Service POST Binding URL field, enter your Single sign-on URL (the same URL you entered as the Master SAML Processing URL).
        12. In the Assertion Consumer Service Redirect Binding URL field, enter the same Single sign-on URL.
        13. Click Save.
        14. To collect the Sign-in URL and the X509 Signing Certificate of your realm, which you need for the Identity Providers configuration in Harmony SASE, go to Realm settings.
        15. Click the General tab and, under Endpoints, click SAML 2.0 Identity Provider Metadata. The realm's IdP metadata XML opens.
        16. Copy the Sign-in URL: the Location attribute of the SingleSignOnService element (in Keycloak the HTTP-POST and HTTP-Redirect bindings share the same URL).
        17. Copy the X509 Signing Certificate: the X509Certificate value inside the KeyDescriptor element whose use attribute is signing, not the one marked encryption.
      4. To configure Harmony SASE, log in to the Harmony SASE Administrator Portal:
        1. Go to Settings > Identity Providers.
        2. Click Add Provider.
        3. Select SAML 2.0 Identity Providers.
        4. Click Continue.
          The SAML 2.0 Identity Providers window appears.
        5. In the Sign in URL field, enter the Sign-in URL copied from the realm's SAML 2.0 Identity Provider Metadata in step 3.
        6. In the Domain Aliases field, enter your organization domain.
        7. In the X509 Signing Certificate field, enter the signing certificate copied from the same metadata in step 3.
        8. Click Done.
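Taken together, the Keycloak steps in parts 1 and 3 above describe one SAML client. The Python below is an added example (not code from this article or from Check Point or Keycloak) that builds that client representation for a workspace name and platform so it can be imported with kcadm.sh or the admin REST API instead of clicked through. The function name harmony_sase_client and the workspace acme are assumptions; the attribute and protocol-mapper keys are the ones Keycloak writes in realm exports, so check them against the Keycloak version you run.

```python
import json

# Audience URI, workspace URL and Single sign-on URL per platform, as listed
# in the article; {ws} is the workspace name (e.g. "acme").
PLATFORMS = {
    "us": {
        "audience": "urn:auth0:perimeter81:{ws}-oc",
        "workspace_url": "https://{ws}.perimeter81.com/*",
        "sso_url": "https://auth.perimeter81.com/login/callback?connection={ws}-oc",
    },
    "eu": {
        "audience": "urn:auth0:eu-sase-checkpoint:{ws}-oc",
        "workspace_url": "https://{ws}.eu.sase.checkpoint.com/*",
        "sso_url": "https://auth.eu.sase.checkpoint.com/login/callback?connection={ws}-oc",
    },
}

# The three predefined X500 mappers: SAML attribute OID -> Keycloak user property.
X500_ATTRS = {
    "email": ("urn:oid:1.2.840.113549.1.9.1", "email"),
    "givenName": ("urn:oid:2.5.4.42", "firstName"),
    "surname": ("urn:oid:2.5.4.4", "lastName"),
}


def x500_mapper(name, oid, user_property):
    """Equivalent of 'Add predefined mapper' > 'X500 <name>'."""
    return {
        "name": f"X500 {name}",
        "protocol": "saml",
        "protocolMapper": "saml-user-property-mapper",
        "config": {
            "attribute.nameformat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
            "user.attribute": user_property,
            "friendly.name": name,
            "attribute.name": oid,
        },
    }


def group_mapper():
    """The optional 'Group list' mapper from part 3 (single attribute, no full path)."""
    return {
        "name": "Group Mapper",
        "protocol": "saml",
        "protocolMapper": "saml-group-membership-mapper",
        "config": {
            "single": "true",
            "attribute.nameformat": "Basic",
            "full.path": "false",
            "attribute.name": "groups",
        },
    }


def harmony_sase_client(workspace, platform, with_groups=True):
    """Build the Keycloak SAML client representation for one workspace."""
    p = PLATFORMS[platform]
    sso_url = p["sso_url"].format(ws=workspace)
    mappers = [x500_mapper(n, oid, prop) for n, (oid, prop) in X500_ATTRS.items()]
    if with_groups:
        mappers.append(group_mapper())
    return {
        "clientId": p["audience"].format(ws=workspace),   # SP Entity ID
        "protocol": "saml",
        "enabled": True,
        "redirectUris": [p["workspace_url"].format(ws=workspace)],
        "adminUrl": sso_url,                              # Master SAML Processing URL
        "attributes": {
            "saml_name_id_format": "email",
            "saml.force.post.binding": "false",           # Force POST binding: off
            "saml.authnstatement": "false",               # Include AuthnStatement: off
            "saml.server.signature": "false",             # Sign documents: off
            "saml.assertion.signature": "false",          # Sign assertions: off
            "saml.signature.algorithm": "RSA_SHA256",
            "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "KEY_ID",
            "saml.client.signature": "false",             # Client signature required: off
            "saml.encrypt": "false",                      # Encrypt assertions: off
            "saml_assertion_consumer_url_post": sso_url,
            "saml_assertion_consumer_url_redirect": sso_url,
        },
        "protocolMappers": mappers,
    }


if __name__ == "__main__":
    print(json.dumps(harmony_sase_client("acme", "us"), indent=2))
```

Write the output to a file and import it with `kcadm.sh create clients -r <realm> -f harmony-sase-client.json`, then confirm in the console that the Settings, Keys and Mappers tabs match the steps above. Note that with `saml.client.signature` off, Keycloak does not verify a signature on the AuthnRequest it receives, which is what the Keys-tab step in part 1 configures.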

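The last Keycloak steps in part 3 and the Harmony SASE steps in part 4 hinge on pulling two values out of the realm's SAML 2.0 Identity Provider Metadata: the SingleSignOnService Location (Sign-in URL) and the X509Certificate of the signing key. The Python below is an added example, not code from this article or from Keycloak, that extracts exactly those two values from the metadata XML and skips encryption-only key descriptors. The sample metadata, the host kc.example.com, the realm demo and the certificate bytes are constructed for the example; a real realm publishes its descriptor at https://<keycloak-host>/realms/<realm>/protocol/saml/descriptor.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for a Keycloak realm descriptor (fake host, realm and
# certificate bytes). It carries both a signing and an encryption KeyDescriptor
# so the filter below has something to skip.
FAKE_CERT_B64 = "MIICmzCCAYMCBgGQ" + "QUJD" * 24
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
  <md:EntityDescriptor entityID="https://kc.example.com/realms/demo">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:KeyName>abc123</ds:KeyName><ds:X509Data>
          <ds:X509Certificate>
            {FAKE_CERT_B64[:60]}
            {FAKE_CERT_B64[60:]}
          </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDencryptionOnly</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://kc.example.com/realms/demo/protocol/saml"/>
      <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://kc.example.com/realms/demo/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def extract_idp_settings(metadata_xml):
    """Return the Sign-in URL and signing certificate(s) that Harmony SASE asks for.

    The metadata comes from your own Keycloak; parse untrusted XML with defusedxml instead.
    """
    root = ET.fromstring(metadata_xml)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    endpoints = {e.get("Binding"): e.get("Location")
                 for e in idp.findall("md:SingleSignOnService", NS)}
    sign_in_url = endpoints.get(HTTP_POST) or endpoints.get(HTTP_REDIRECT)
    if not sign_in_url:
        raise ValueError("metadata has no SingleSignOnService endpoint")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both purposes; an
        # encryption-only key must not be pasted into the Harmony SASE field.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))  # strip pretty-print whitespace
    if not certs:
        raise ValueError("metadata has no signing certificate")
    return {"sign_in_url": sign_in_url, "signing_certificates": certs}


def to_pem(cert_b64):
    """Wrap the bare base64 from the metadata as a PEM certificate block."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_METADATA)
    print("Sign-in URL:", settings["sign_in_url"])
    for cert in settings["signing_certificates"]:
        print(to_pem(cert))
```

If the list holds more than one signing certificate, the realm is mid key rotation; paste the certificate of the key shown as active under Realm settings > Keys, and repeat the part 4 steps when that key is retired, or logins will fail signature validation on the Harmony SASE side.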