Keycloak

Configure Keycloak as an Identity Provider for CISO Assistant

If Keycloak and CISO Assistant are both deployed locally with docker, you'll need to make sure that both containers can communicate together. You can do this with a bridge network.

SAML

Go into your Keycloak admin console

1. Open the sidebar menu > Clients and Create client

   
2. Choose SAML client type and name it ciso-assistant or with your custom SP Entity ID

   
3. Fill the Home URL with your <base_url> and Valid redirect URIs with <backend_url/*>

   

   If you have some problems to configure these urls you can ask for help on Discord or by emailing us

4. Go into Keys and disable Signing keys config

   
5. Go into Advanced and fill ACS field with <backend_url/api/accounts/saml/0/acs/> (on a cloud instance it is simply <base_url/api/accounts/saml/0/acs/>)

   
6. Go to Client scopes and click on ciso-assistant-dedicated

   
7. Add a predefined mapper and check all X500 ones

   
8. Click on X500 surname and replace SAML Attribute name with http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

   
9. Click on X500 givenName and replace SAML Attribute name with http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

   

10. Go into Realm settings > General, you will find the Metadata URL

    
11. You'll find inside the Metadata URL the Entity ID

    

OpenID Connect (OIDC)

Adding a user in your application doesn't automatically create the user on CISO Assistant

You can now configure CISO Assistant with the parameters you've retrieved.