Keycloak

Configure Keycloak as an Identity Provider for CISO Assistant

If Keycloak and CISO Assistant are both deployed locally with docker, you'll need to make sure that both containers can communicate together. You can do this with a bridge network.

SAML

Go into your Keycloak admin console

1. Open the sidebar menu > Clients and Create client

   
2. Choose SAML client type and name it ciso-assistant or with your custom SP Entity ID

   
3. Fill the Home URL with your <base_url> and Valid redirect URIs with <backend_url/*>

   

   If you have some problems to configure these urls you can ask for help on Discord or by emailing us

4. Go into Keys and disable Signing keys config

   
5. Go into Advanced and fill ACS field with <backend_url/api/accounts/saml/0/acs/> (on a cloud instance it is simply <base_url/api/accounts/saml/0/acs/>)

   
6. Go to Client scopes and click on ciso-assistant-dedicated

   
7. Add a predefined mapper and check all X500 ones

   
8. Click on X500 surname and replace SAML Attribute name with http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

   
9. Click on X500 givenName and replace SAML Attribute name with http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

   

10. Go into Realm settings > General, you will find the Metadata URL

    
11. You'll find inside the Metadata URL the Entity ID

    

OpenID Connect (OIDC)

OIDC support has not been released yet. You can track our progress on this Pull Request: https://github.com/intuitem/ciso-assistant-community/pull/2131

Go into your Keycloak admin console

1. Open the sidebar menu > Clients and Create client

   
2. Choose OpenID Connect client type and give it a Client ID, then click Next

3. Enable Client authentication, make sure Standard flow is selected, then click Next

4. Enter your deployment's Root URL. It is the URL of your frontend.

   1. Set it to <frontend_url>

   2. For cloud deployments, you must set it to <base_url>

5. Set the Home URL to /

6. Enter your Valid redirect URIs

   1. Set it to <backend_url>/api/accounts/oidc/openid_connect/login/callback/

   2. For cloud deployments, you must set it to <base_url>/api/accounts/oidc/openid_connect/login/callback/

      
7. Once your client is created, you can find its Client secret under the Credentials tab. You can copy it from there

   
8. Go into Realm settings > General to find the OpenID Endpoint Configuration, which you will have to paste into CISO Assistant's Server URL SSO parameter

   

Adding a user in your application doesn't automatically create the user on CISO Assistant

You can now configure CISO Assistant with the parameters you've retrieved.