---
title: "Keycloak Harmony SASE Integration"
slug: "keycloak-harmony-sase-integration"
updated: 2026-04-07T08:59:09Z
published: 2026-04-07T08:59:09Z
canonical: "support.perimeter81.com/keycloak-harmony-sase-integration"
stale: true
---


# Keycloak Harmony SASE Integration

Check Point SASE can use Keycloak to authenticate users over the Security Assertion Markup Language (SAML) protocol, providing a secure and efficient single sign-on login process.

To configure Keycloak as an identity provider:

1. Log in to your Keycloak Administration Console:
  1. Select the realm you want to configure.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Picture1(1).png)
  2. Go to **Clients** and click **Create client**.  
The **Create client** page appears.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Picture2.png)
  3. From the **Client type** list, select **SAML**.
  4. In the **Client ID** field, enter the audience URI (SP Entity ID) of your Check Point SASE workspace:
    - For US based platform - `urn:auth0:perimeter81:{{WORKSPACE}}-oc`
    - For EU based platform - `urn:auth0:eu-sase-checkpoint:{{WORKSPACE}}-oc`
    - For AU based platform - `urn:auth0:au-sase-checkpoint:{{WORKSPACE}}-oc`
    - For IN based platform - `urn:auth0:in-sase-checkpoint:{{WORKSPACE}}-oc`  
For example, the workspace acme.sase.checkpoint.com translates to `urn:auth0:perimeter81:acme-oc`.
  5. Click **Next**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Picture3(1).png)
  6. In the **Valid redirect URIs** field, enter your workspace URL:
    - For US based platform - `https://{{your-workspace}}.sase.checkpoint.com/*`
    - For EU based platform - `https://{{your-workspace}}.eu.sase.checkpoint.com/*`
    - For AU based platform - `https://{{your-workspace}}.au.sase.checkpoint.com/*`
    - For IN based platform - `https://{{your-workspace}}.in.sase.checkpoint.com/*`
  7. In the **Master SAML Processing URL** field, enter your Single sign-on URL:
    - For US based platform - `https://auth.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc`
    - For EU based platform - `https://auth.eu.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc`
    - For AU based platform - `https://auth.au.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc`
    - For IN based platform - `https://auth.in.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc`
  8. Click **Save**.
  9. Go to the **Access capabilities** section and, in the **SAML capabilities** section, set the following.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Picture4.png)
  10. From the **Name ID format** list, select **email**.
  11. Turn off the **Force POST binding** toggle button.
  12. Turn off the **Include AuthnStatement** toggle button.
  13. Go to the **Signature and Encryption** section.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Picture5.png)
  14. Turn off the **Sign documents** toggle button.
  15. Turn off the **Sign assertions** toggle button.
  16. From the **Signature algorithm** list, select **RSA_SHA256**.
  17. From the **SAML signature key name** list, select **KEY_ID**.
  18. Click the **Keys** tab.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Picture6.png)
  19. Turn off the **Client signature required** toggle button.
  20. Turn off the **Encrypt assertions** toggle button.
  21. Click the **Client scopes** tab.
  22. Select the assigned client scope named after your audience URI (SP Entity ID); for example, its name starts with `urn:auth0`.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Picture7.png)
  23. Click the **Mappers** tab.
  24. Click **Add predefined mapper**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Picture8.png)
  25. Select these checkboxes:
    - **X500 email**
    - **X500 givenName**
    - **X500 surname**  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Picture9.png)  
This configuration passes the user's given name and surname in the SAML response.
2. To map the user profile, log in to the Check Point SASE Administrator Portal, click your profile icon at the top right corner and enter these:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Picture10.png)
  1. **First Name**
  2. **Last Name**
3. Log in to your Keycloak Administration Console:
  1. (Optional) Select **Add mapper**, then **By configuration**, and select **Group list** to pass group membership to Check Point SASE.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Picture11.png)
  2. In the **Name** field, enter **Group Mapper**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Picture12.png)
  3. In the **Group attribute name** field, enter **groups**.
  4. From the **SAML Attribute NameFormat** list, select **Basic**.
  5. Turn on the **Single Group Attribute** toggle button.
  6. Turn off the **Full group path** toggle button.
  7. Click **Save**.
  8. Go to **Clients** and then click **Create client**.
  9. Click the **Advanced** tab.
  10. Click **Fine Grain SAML Endpoint Configuration**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Picture14.png)
  11. In the **Assertion Consumer Service POST Binding URL** field, enter your Single sign-on URL:
    - For US based platform - `https://auth.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc`
    - For EU based platform - `https://auth.eu.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc`
    - For AU based platform - `https://auth.au.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc`
    - For IN based platform - `https://auth.in.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc`
  12. In the **Assertion Consumer Service Redirect Binding URL** field, enter your Single sign-on URL:
    - For US based platform - `https://auth.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc`
    - For EU based platform - `https://auth.eu.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc`
    - For AU based platform - `https://auth.au.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc`
    - For IN based platform - `https://auth.in.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc`
  13. Click **Save**.
  14. To collect the Sign-in URL and X509 Signing Certificate of your realm, which you need for the Identity Providers configuration in Check Point SASE:
  15. Go to **Realm settings**.
  16. Click the **General** tab and click **SAML 2.0 Identity Provider Metadata** under Endpoints.
  17. Copy the Sign-in URL and the X509 Signing Certificate.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Picture15.png)
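Added example (not from this page, Keycloak or Check Point): it derives the Client ID, valid redirect URI and single sign-on URL for a workspace and region from the patterns given in step 1, and extracts the Sign-in URL and X509 Signing Certificate from a realm's SAML 2.0 Identity Provider Metadata as collected in steps 3.15 to 3.17. The metadata document, the certificate value and the host keycloak.example.test are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# region -> (tenant in the audience URI, workspace host suffix, auth host), as listed on this page
REGIONS = {"US": ("perimeter81", "sase.checkpoint.com", "auth.sase.checkpoint.com"),
           "EU": ("eu-sase-checkpoint", "eu.sase.checkpoint.com", "auth.eu.sase.checkpoint.com"),
           "AU": ("au-sase-checkpoint", "au.sase.checkpoint.com", "auth.au.sase.checkpoint.com"),
           "IN": ("in-sase-checkpoint", "in.sase.checkpoint.com", "auth.in.sase.checkpoint.com")}

def sp_values(workspace, region):
    """Client ID (SP Entity ID), valid redirect URI and SSO/ACS URL for one workspace (step 1)."""
    tenant, host, auth = REGIONS[region.upper()]
    return {"client_id": f"urn:auth0:{tenant}:{workspace}-oc",
            "redirect_uri": f"https://{workspace}.{host}/*",
            "sso_url": f"https://{auth}/login/callback?connection={workspace}-oc"}

def idp_values(metadata_xml):
    """Sign-in URL and signing certificate(s) from the realm's IdP metadata (steps 3.15-3.17)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    sign_in = sso.get(POST) or sso.get(REDIRECT)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # an encryption-only key cannot verify response signatures
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            cert = "".join(c.text.split())  # drop the line wrapping Keycloak emits
            base64.b64decode(cert, validate=True)  # reject a truncated or garbled copy
            certs.append(cert)
    if sign_in is None or not certs:
        raise ValueError("metadata lacks a sign-in URL or a signing certificate")
    return {"entity_id": root.get("entityID"), "sign_in_url": sign_in, "certificates": certs}

# Constructed sample in the shape of Keycloak's realm metadata; the certificate is a placeholder.
FAKE_CERT = base64.b64encode(b"placeholder certificate bytes, not a real cert").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://keycloak.example.test/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT[:32]}
        {FAKE_CERT[32:]}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}" Location="https://keycloak.example.test/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `idp_values` on the XML downloaded from the realm's **SAML 2.0 Identity Provider Metadata** endpoint to get the two values step 4 asks for without hand-copying them out of the document.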
4. To configure Check Point SASE, log in to the Check Point SASE Administrator Portal:
  1. Go to **Settings** > **Identity** **Providers**.
  2. Click **Add Provider**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Picture16.png)
  3. Select **SAML 2.0 Identity Providers**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Picture17.png)
  4. Click **Continue**.  
The **SAML 2.0 Identity Providers**window appears.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Picture18.png)
  5. In the **Sign in URL** field, enter the sign-in URL copied in step **3.17**.
  6. In the **Domain Aliases** field, enter your organization domain.
  7. In the **X509 Signing Certificate** field, enter the certificate copied in step **3.17**.
  8. Click **Done**.
