|
|
|
|
---
|
|
|
|
|
title: 'Keycloak'
|
|
|
|
|
description: 'Learn how to configure Keycloak as an identity provider for NocoDB.'
|
|
|
|
|
tags: ['SSO', 'Keycloak', 'SAML']
|
|
|
|
|
keywords: ['SSO', 'Keycloak', 'SAML', 'Authentication', 'Identity Provider']
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
:::warning
|
|
|
|
|
SSO is available under private beta for self hosted enterprise customers. Please reach [**out to us**](https://calendly.com/nocodb) for early access.
|
|
|
|
|
:::
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This article briefs about the steps to configure Keycloak as Identity service provider for NocoDB
|
|
|
|
|
|
|
|
|
|
### NocoDB, Retrieve `SAML SSO` Configuration details
|
|
|
|
|
1. Go to `Account Settings`
|
|
|
|
|
2. Select `Authentication (SSO)`
|
|
|
|
|
3. Click on `New Provider` button
|
|
|
|
|
4. On the Popup modal, Specify a `Display name` for the provider; note that, this name will be used to display the provider on the login page
|
|
|
|
|
5. Retrieve `Redirect URL` & `Audience / Entity ID`; these information will be required to be configured later with the Identity Provider
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### Keycloak, Configure NocoDB as an Application
|
|
|
|
|
1. Access your Keycloak account
|
|
|
|
|
- navigate to `Clients` menu
|
|
|
|
|
- select `Clients list` tab > Click `Create client` button.
|
|
|
|
|
2. In the `Create Client` modal, `General Settings` tab:
|
|
|
|
|
- Select `SAML` as the `Client type`
|
|
|
|
|
- Specify `Audience/Entity ID` retrieved from NocoDB as the `Client ID`
|
|
|
|
|
- Click `Next`
|
|
|
|
|
3. In the `Create Client` modal, `Login Settings` tab,
|
|
|
|
|
- Specify `Redirect URL` retrieved from NocoDB as the `Valid Redirect URIs`
|
|
|
|
|
- Specify `Redirect URL` retrieved from NocoDB as the `Valid post logout redirect URIs`
|
|
|
|
|
- Click `Save`
|
|
|
|
|
4. On the `Client details`, `Settings` tab,
|
|
|
|
|
- navigate to `SAML Capabilities` section
|
|
|
|
|
- Specify `Name ID format` as `email`
|
|
|
|
|
- Enable `Force Name ID Format` and `Force POST Binding`
|
|
|
|
|
- navigate to `Signature and Encryption` section
|
|
|
|
|
- Enable `Sign Assertions`
|
|
|
|
|
- Click `Save`
|
|
|
|
|
5. On the `Client details`, `Keys` tab,
|
|
|
|
|
- Disable `Signing keys config` > `Client Signature Required`
|
|
|
|
|
6. Navigate to `Realm Settings` > `Endpoints`
|
|
|
|
|
- Copy `SAML 2.0 Identity Provider Metadata` URL
|
|
|
|
|
|
|
|
|
|
### NocoDB, Configure Azure AD as an Identity Provider
|
|
|
|
|
1. Go to `Account Settings` > `Authentication` > `SAML`Key
|
|
|
|
|
2. Insert `Metadata URL` retrieved in step above; alternatively you can configure XML directly as well
|
|
|
|
|
3. `Save`
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
For Sign-in's, user should be able to now see `Sign in with <SSO>` option.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
:::note
|
|
|
|
|
Post sign-out, refresh page (for the first time) if you do not see `Sign in with <SSO>` option
|
|
|
|
|
:::
|
