diff --git a/packages/noco-docs/docs/140.account-settings/040.authentication/010.overview.md b/packages/noco-docs/docs/140.account-settings/040.authentication/010.overview.md index 80e44e1e2e..8f9c80df6d 100644 --- a/packages/noco-docs/docs/140.account-settings/040.authentication/010.overview.md +++ b/packages/noco-docs/docs/140.account-settings/040.authentication/010.overview.md @@ -33,6 +33,7 @@ Please follow the details in the article below to integrate with various popular 2. [Auth0](SAML-SSO/auth0) 3. [Ping Identity](SAML-SSO/ping-identity) 4. [Active Directory](SAML-SSO/azure-ad) +5. [Keycloak](SAML-SSO/keycloak) ### OpenID Connect (OIDC) The OpenID Connect (OIDC) protocol is a modern authentication layer built on top of the OAuth 2.0 framework, designed to address user authentication and authorization challenges in web and mobile applications. OIDC provides a standardized and secure way for applications to verify the identity of end-users. Leveraging JSON Web Tokens (JWTs), OIDC enables the exchange of user identity information between the identity provider (IdP) and the Service provider, typically a web application. diff --git a/packages/noco-docs/docs/140.account-settings/040.authentication/030.SAML-SSO/050.keycloak.md b/packages/noco-docs/docs/140.account-settings/040.authentication/030.SAML-SSO/050.keycloak.md new file mode 100644 index 0000000000..98249f00bd --- /dev/null +++ b/packages/noco-docs/docs/140.account-settings/040.authentication/030.SAML-SSO/050.keycloak.md 
@@ -0,0 +1,59 @@ +--- +title: 'Keycloak' +description: 'Learn how to configure Keycloak as an identity provider for NocoDB.' +tags: ['SSO', 'Keycloak', 'SAML'] +keywords: ['SSO', 'Keycloak', 'SAML', 'Authentication', 'Identity Provider'] +--- + +This article briefs about the steps to configure Keycloak as Identity service provider for NocoDB + +### NocoDB, Retrieve `SAML SSO` Configuration details +1. Go to `Account Settings` +2. Select `Authentication (SSO)` +3. Click on `New Provider` button +4. On the Popup modal, Specify a `Display name` for the provider; note that, this name will be used to display the provider on the login page +5. Retrieve `Redirect URL` & `Audience / Entity ID`; these information will be required to be configured later with the Identity Provider + +![SAML SSO Configuration](/img/v2/account-settings/SSO-1.png) +![SAML SSO Configuration](/img/v2/account-settings/SAML-2.png) +![SAML SSO Configuration](/img/v2/account-settings/SAML-3.png) + + +### Keycloak, Configure NocoDB as an Application +1. Access your Keycloak account + - navigate to `Clients` menu + - select `Clients list` tab > Click `Create client` button. +2. In the `Create Client` modal, `General Settings` tab: + - Select `SAML` as the `Client type` + - Specify `Audience/Entity ID` retrieved from NocoDB as the `Client ID` + - Click `Next` +3. In the `Create Client` modal, `Login Settings` tab, + - Specify `Redirect URL` retrieved from NocoDB as the `Valid Redirect URIs` + - Specify `Redirect URL` retrieved from NocoDB as the `Valid post logout redirect URIs` + - Click `Save` +4. On the `Client details`, `Settings` tab, + - navigate to `SAML Capabilities` section + - Specify `Name ID format` as `email` + - Enable `Force Name ID Format` and `Force POST Binding` + - navigate to `Signature and Encryption` section + - Enable `Sign Assertions` + - Click `Save` +5. On the `Client details`, `Keys` tab, + - Disable `Signing keys config` > `Client Signature Required` +6. 
Navigate to `Realm Settings` > `Endpoints` + - Copy `SAML 2.0 Identity Provider Metadata` URL + +### NocoDB, Configure Azure AD as an Identity Provider +1. Go to `Account Settings` > `Authentication` > `SAML` +2. Insert `Metadata URL` retrieved in step above; alternatively you can configure XML directly as well +3. `Save` + +![SAML SSO Configuration](/img/v2/account-settings/SAML-4.png) + +For Sign-in's, user should be able to now see `Sign in with ` option. + +![SAML SSO Configuration](/img/v2/account-settings/SSO-SignIn.png) + +:::note +Post sign-out, refresh page (for the first time) if you do not see `Sign in with ` option +:::
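Review bot: The heading `### NocoDB, Configure Azure AD as an Identity Provider` in the new keycloak.md is a leftover from the Azure AD article and should read `### NocoDB, Configure Keycloak as an Identity Provider`. In step 5 of the Keycloak section, `Disable Signing keys config > Client Signature Required` switches off Keycloak's verification of the signature on the SAML requests NocoDB sends; please add one sentence stating why this is needed for NocoDB, and that `Sign Assertions` from step 4 must stay enabled so NocoDB can still verify the assertions Keycloak returns, so administrators do not read step 5 as an optional relaxation. Both occurrences of `Sign in with ` have an empty code span; they should carry the `Display name` placeholder chosen in step 4 of the first section, e.g. `Sign in with <Display name>`. Minor wording: `these information will be required to be configured later` should be `this information will be needed later when configuring`, and `For Sign-in's, user should be able to now see` should be `On the sign-in page, users should now see`.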