Setup PHPIPAM with SAML and Keycloak

---

In keycloak

1. Set the realm IPAM will auth with
2. Click Client Scopes on the left menu
3. Click role_list (saml), should have saml next to it
4. Click Mappers at the top
5. Click role list
6. Set Single Role Attribute to ON and press save
7. On the breadcrumbs at the top, click Client Scopes

Now you need to create the Client

1. Click Clients on the left menu
2. Click Create on the right
3. Give your Client an ID
4. Set the Protocol to saml
5. Set the Client SAML Endpoint to https://<YOUR URL>/saml2
6. Click Save

Now you need to add a redirect URI and a base URL

1. Find Valid Redirect URIs and add https://<YOUR URL>/*
2. Find Base URL and set to https://<YOUR URL>
3. Click save at the bottom.

Setup IPAM

1. Login as an Admin
2. On the Administration, select Authentication methods
3. From the Create new button, select Create new SAML2 authentication
4. set the Description
5. set Client ID to the value of the Keycloak client
6. set IDP issuer to https://<keycloak URL>/auth/realms/<REALM>
7. set IDP login url and IDP logout url to https://<keycloak URL>/auth/realms/<REALM>/protocol/saml
8. set IDP X.509 public cert from the cert in keycloak
   • click Realm Settings on the left in keycloak
   • click Keys at the top
   • under Public keys, click the top Certificate and copy the text
   • now paste in to IDP X.509 public cert in IPAM
9. set Authn X.509 signing cert to the Private Key of the keycloak client
   • Click Clients on the left menu in keycloak
   • click the client you set for PHPIPAM
   • click keys at the top
   • copy the Private Key and past into IPAM
10. set Authn X.509 signing cert key to the Certificate of the keycloak client
    • Click Clients on the left menu in keycloak
    • click the client you set for PHPIPAM
    • click keys at the top
    • copy the Certificate and past into IPAM
11. leave SAML username attribute blank
12. click Add

Published: 8 May 2022 by Matt Horwood