XDMOD and Keycloak
$config = array(
// An authentication source which can authenticate against both SAML 2.0
// and Shibboleth 1.3 IdPs.
// The source name 'default-sp' is the suffix of the ACS and SLO URLs that the
// Keycloak client export on this page points at
// (.../module.php/saml/sp/saml2-acs.php/default-sp, .../saml2-logout.php/default-sp).
'default-sp' => array(
'saml:SP',
// The entity ID of this SP.
// Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
// Here it is pinned to the Keycloak client ID so the IdP recognises this SP as the
// issuer of its requests.
'entityID' => '<The ClientID assigned in Keycloak>',
// The entity ID of the IdP this SP should contact.
// Can be NULL/unset, in which case the user will be shown a list of available IdPs.
// NOTE(review): this value must match the entityID under which the Keycloak realm is
// registered in the IdP-remote metadata — confirm against that metadata file.
'idp' => 'https://idp.example.com/auth/realms/<REALM NAME>',
// SP key pair used for signing requests and decrypting assertions. The private key
// should be readable only by the web-server account (it is the credential that
// proves this SP's identity to the IdP). The public certificate is what the IdP
// needs to verify this SP's signatures and to encrypt assertions for it; the
// Keycloak export shows saml.signing.certificate / saml.encryption.certificate as
// OMIT — presumably they are meant to hold the contents of xdmod.crt.
'privatekey' => '/etc/xdmod/simplesamlphp/cert/xdmod.key',
'certificate' => '/etc/xdmod/simplesamlphp/cert/xdmod.crt',
// The URL to the discovery service.
// Can be NULL/unset, in which case a builtin discovery service will be used.
// With 'idp' pinned above there is no IdP choice to make, so discovery is not
// expected to be consulted.
'discoURL' => null,
/*
 * Signature algorithm for the signatures this SP produces.
 *
 * SimpleSAMLphp's historical default is SHA-1, which has been deprecated since
 * 2011 and disallowed by NIST from 2014 (see
 * http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf).
 * This deployment therefore enables RSA-SHA256 globally (the option below is
 * active, not commented out). The Keycloak client on this page is configured with
 * saml.signature.algorithm = RSA_SHA256, so both sides agree.
 *
 * If some other IdP cannot handle the SHA-2 family, override the algorithm for
 * that IdP alone in the IdP-remote metadata set rather than weakening this
 * global setting.
 *
 * Please refer to the hosted SP configuration reference for more information.
 */
'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
/*
 * The attributes parameter must contain an array of desired attributes by the SP.
 * The attributes can be expressed as an array of names or as an associative array
 * in the form of 'friendlyName' => 'name'.
 * The metadata will then be created as follows:
 * <md:RequestedAttribute FriendlyName="friendlyName" Name="name" />
 *
 * Both options are left disabled here; the attributes actually consumed are the
 * ones renamed by the authproc filter below.
 */
/*'attributes' => array(
'attrname' => 'urn:oid:x.x.x.x',
),*/
/*'attributes.required' => array (
'urn:oid:x.x.x.x',
),*/
// Authentication-processing filters, keyed by priority. Filter 40 renames the
// OID-named attributes released by the IdP to the attribute names used on the
// XDMoD side. Each OID listed here must match an 'attribute.name' emitted by one
// of the Keycloak protocol mappers (the friendly names in that export are noted
// per line); an attribute released under a different name will not be renamed.
'authproc' => array(
40 => array(
'class' => 'core:AttributeMap',
// Keycloak mapper "username" (friendly.name 'userid')
'urn:oid:0.9.2342.19200300.100.1.1' => 'username',
// Keycloak mapper "X500 email" (friendly.name 'email')
'urn:oid:1.2.840.113549.1.9.1' => 'email_address',
// Keycloak mapper "X500 givenName" (friendly.name 'givenName')
'urn:oid:2.5.4.42' => 'first_name',
// Keycloak mapper "X500 surname" (friendly.name 'surname')
'urn:oid:2.5.4.4' => 'last_name'
)
)
),
// This is an authentication source which handles admin authentication.
'admin' => array(
// The default is to use core:AdminPassword, but it can be replaced with
// any authentication source.
'core:AdminPassword',
),
);
{
"id" : "43fc6a27-d53c-4593-87ab-ef1730f82b89",
"clientId" : "<XDMOD Client ID>",
"surrogateAuthRequired" : false,
"enabled" : true,
"alwaysDisplayInConsole" : false,
"clientAuthenticatorType" : "client-secret",
"redirectUris" : [ "https://<XDMOD server name>/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" ],
"webOrigins" : [ "https://<XDMOD server name>" ],
"notBefore" : 0,
"bearerOnly" : false,
"consentRequired" : false,
"standardFlowEnabled" : true,
"implicitFlowEnabled" : false,
"directAccessGrantsEnabled" : false,
"serviceAccountsEnabled" : false,
"publicClient" : false,
"frontchannelLogout" : true,
"protocol" : "saml",
"attributes" : {
"saml.force.post.binding" : "true",
"saml.encrypt" : "true",
"saml_assertion_consumer_url_post" : "https://<XDMOD server name>/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp",
"saml.server.signature" : "true",
"saml.server.signature.keyinfo.ext" : "false",
"saml.signing.certificate" : "OMIT",
"saml_single_logout_service_url_redirect" : "https://<XDMOD server name>/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp",
"saml.signature.algorithm" : "RSA_SHA256",
"saml_force_name_id_format" : "false",
"saml.client.signature" : "true",
"saml.encryption.certificate" : "OMIT",
"saml.authnstatement" : "true",
"saml_name_id_format" : "username",
"saml_signature_canonicalization_method" : "http://www.w3.org/2001/10/xml-exc-c14n#"
},
"authenticationFlowBindingOverrides" : { },
"fullScopeAllowed" : true,
"nodeReRegistrationTimeout" : -1,
"defaultClientScopes" : [ "osc-saml-clients" ],
"optionalClientScopes" : [ ],
"access" : {
"view" : true,
"configure" : true,
"manage" : true
}
}
{
"id" : "osc-saml-clients",
"name" : "osc-saml-clients",
"protocol" : "saml",
"attributes" : {
"display.on.consent.screen" : "true"
},
"protocolMappers" : [ {
"id" : "cec43869-38d0-4a8f-9d8b-dd93e71b983f",
"name" : "displayName",
"protocol" : "saml",
"protocolMapper" : "saml-javascript-mapper",
"consentRequired" : false,
"config" : {
"single" : "true",
"attribute.nameformat" : "URI Reference",
"Script" : "/**\n * Available variables: \n * user - the current user\n * realm - the current realm\n * clientSession - the current clientSession\n * userSession - the current userSession\n * keycloakSession - the current userSession\n */\nuser.getFirstName() + ' ' + user.getLastName();",
"friendly.name" : "displayName",
"attribute.name" : "urn:oid::2.16.840.1.113730.3.1.241"
}
}, {
"id" : "ef9766fd-9b1a-5ef5-b73f-9f88bf472e22",
"name" : "X500 email",
"protocol" : "saml",
"protocolMapper" : "saml-user-property-mapper",
"consentRequired" : false,
"config" : {
"attribute.nameformat" : "URI Reference",
"user.attribute" : "email",
"friendly.name" : "email",
"attribute.name" : "urn:oid:1.2.840.113549.1.9.1"
}
}, {
"id" : "197e693a-927d-5e66-8d90-f4ae7864c69e",
"name" : "X500 givenName",
"protocol" : "saml",
"protocolMapper" : "saml-user-property-mapper",
"consentRequired" : false,
"config" : {
"attribute.nameformat" : "URI Reference",
"user.attribute" : "firstName",
"friendly.name" : "givenName",
"attribute.name" : "urn:oid:2.5.4.42"
}
}, {
"id" : "a1c39d71-82d8-5a7a-a002-f1726a33f4dd",
"name" : "username",
"protocol" : "saml",
"protocolMapper" : "saml-user-property-mapper",
"consentRequired" : false,
"config" : {
"attribute.nameformat" : "URI Reference",
"user.attribute" : "username",
"friendly.name" : "userid",
"attribute.name" : "urn:oid:0.9.2342.19200300.100.1.1"
}
}, {
"id" : "bcaf5e1f-48ee-4d3c-aaac-44e26b60a407",
"name" : "X500 surname",
"protocol" : "saml",
"protocolMapper" : "saml-user-property-mapper",
"consentRequired" : false,
"config" : {
"attribute.nameformat" : "URI Reference",
"user.attribute" : "lastName",
"friendly.name" : "surname",
"attribute.name" : "urn:oid:2.5.4.4"
}
}, {
"id" : "b3ca3cd4-20a3-42af-a056-0002543c1004",
"name" : "role list",
"protocol" : "saml",
"protocolMapper" : "saml-role-list-mapper",
"consentRequired" : false,
"config" : {
"single" : "false",
"attribute.nameformat" : "Basic",
"attribute.name" : "Role"
}
} ]
}