eliott/authentik
1
0
Fork 0
mirror of https://github.com/goauthentik/authentik synced 2026-04-30 11:27:15 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
e7fcfb7e67d5df3e8a8a5da170f18fa4c6b98731
authentik/website/docs/users-sources/sources/social-logins/keycloak/index.md
Teffen Ellis 6ed5cb5249 website/docs: Modal and wizard button labels (#21549) 
* website/integrations: rename "Create with Provider" to "New Application"

The application list page now uses a split-button labeled
"New Application" instead of the old "Create with Provider" dropdown.
Update all 113 integration guides to match.

* website/docs: update flow, stage, and policy button labels

- "Create" → "New Flow", "New Stage", "New Policy" for trigger buttons
- "Finish" → "Create Flow", "Create Stage", "Create Policy" for submit
- "Create and bind stage" → "New Stage" / "Bind Existing Stage"
- "Create" (binding submit) → "Create Stage Binding"

* website/docs: update provider button labels

- "Create" → "New Provider" for trigger buttons
- "Create with Provider" → "New Application" in RAC docs
- "Create" → "New Property Mapping", "New RAC Endpoint", "New Prompt"
  for related entity creation

* website/docs: update directory button labels

- "Create" → "New Source" for federation/social login pages
- "Create" → "New Role", submit → "Create Role"
- "Create" → "New Invitation"
- Policy binding submit → "Create Policy Binding"

* website/docs: update endpoint device and system management button labels

- "Create" → "New Endpoint Connector", "New Enrollment Token",
  "New Device Access Group", "New Flow"
- Submit → "Create Device Access Group"
- "Create" → "New Notification Rule", "New Notification Transport"
- Binding submit → "Create Policy Binding"

* Reorganize policy documentation

* website/docs: address policy docs review feedback

* post-rebase

* website/docs: Reorganize policy documentation -- Revisions (#21601)

* apply suggestions

* Fix escaped.

* Fix whitespace.

* Update button label.

* Fix phrasing.

* Fix phrasing.

* Clean up stragglers.

* Format.

---------

Co-authored-by: Dominic R <dominic@sdko.org>
2026-04-16 17:35:38 +00:00

5.4 KiB
Raw Blame History

title, tags
title tags
Keycloak
source
keycloak
saml

Allows users to authenticate using their Keycloak credentials by configuring Keycloak as a federated identity provider via SAML.

Preparation

The following placeholders are used in this guide:

  • authentik.company is the FQDN of the authentik installation.
  • keycloak.company is the FQDN of the Keycloak installation.
  • keycloak-slug is the slug you will assign to the SAML source in authentik (e.g., keycloak).

Export certificates

Before configuring either service, you need to export the signing certificates from both Keycloak and authentik. Each service needs the other's public certificate to verify signatures and handle SAML encryption.

Export the Keycloak signing certificate

  1. Log in to Keycloak as an administrator.
  2. Navigate to Realm settings > Keys.
  3. Find the RSA key with Use set to SIG.
  4. Click Certificate to copy the certificate value.
  5. Save the certificate in the following format:
-----BEGIN CERTIFICATE-----
<Copied Keycloak Public Key Certificate Content>
-----END CERTIFICATE-----

Export the authentik signing certificate

  1. Log in to authentik as an administrator and open the authentik Admin interface.
  2. Navigate to System > Certificates.
  3. Click the certificate you plan on using for signing (e.g., the default authentik Self-signed Certificate).
  4. Click Download Certificate.

Keycloak configuration

Create a SAML client in Keycloak

  1. Log in to Keycloak as an administrator.
  2. Navigate to Clients and click Create client.
  3. Configure the client with the following settings:
    • Set Client type to SAML.
    • Set Client ID to https://authentik.company/source/saml/<keycloak-slug>/metadata/.
  4. Click Next.
  5. Configure the following settings:
    • Set Valid redirect URIs to https://authentik.company/source/saml/<keycloak-slug>/acs/.
    • Set Master SAML Processing URL to https://authentik.company/source/saml/<keycloak-slug>/acs/.
    • Set Root URL to https://authentik.company.
  6. Click Save.

Configure signing and encryption

  1. Navigate to the Settings tab and scroll to Signature and Encryption.
  2. Configure the following settings:
    • Enable Sign documents.
    • Enable Sign assertions.
    • Enable Encrypt assertions.

Upload the authentik certificate to Keycloak

  1. In the Keycloak Admin console, navigate to Clients and click the SAML client you created earlier.
  2. Navigate to the Keys tab.
  3. Configure the following settings:
    • Enable Client signature required.
    • Click Import and upload the authentik certificate you exported earlier. This allows Keycloak to verify signatures on requests from authentik.
    • Enable Encrypt assertions.
    • Click Import under the encryption key and upload the authentik certificate.

authentik configuration

Upload the Keycloak certificate to authentik

  1. Log in to authentik as an administrator and open the authentik Admin interface.
  2. Navigate to System > Certificates and click Import.
  3. Give it a name like Keycloak Signing Certificate.
  4. Paste the Keycloak certificate you exported earlier into the Certificate field.
  5. Leave the Private Key field empty.
  6. Click Create.

Create a SAML source in authentik

  1. Navigate to Directory > Federation and Social login and click New Source.
  2. Select SAML Source and configure the following settings:
    • Set Name to Keycloak.
    • Set Slug to keycloak.
    • Set SSO URL to https://keycloak.company/realms/<realm-name>/protocol/saml.
    • Set SLO URL to https://keycloak.company/realms/<realm-name>/protocol/saml.
    • Set Issuer to https://authentik.company/source/saml/<keycloak-slug>/metadata/.
    • Set Service Provider Binding to Post (Auto-Submit).
    • Set Signing Keypair to an authentik certificate (e.g., the default authentik Self-signed Certificate).
    • Set Verification Certificate to the Keycloak certificate you uploaded earlier.
    • Enable Verify assertion signature.
    • Enable Verify response signature.
    • Set Encryption Certificate to an authentik certificate (e.g., the default authentik Self-signed Certificate).
  3. Click Finish.

:::info Display new source on login screen For instructions on how to display the new source on the authentik login page, refer to the Add sources to default login page documentation. :::

:::info Embed new source in flow :ak-enterprise For instructions on embedding the new source within a flow, such as an authorization flow, refer to the Source Stage documentation. :::

Troubleshooting

  • Signature verification failed: Ensure the correct certificates are configured on both sides. Each side needs the other's signing certificate for verification.
  • Encryption errors: Ensure the encrypting party has the other party's public certificate, and the decrypting party has their own private key.

Resources

Reference in New Issue View Git Blame Copy Permalink