
I imported this PHP project into Eclipse (master branch; the contents of the demo1 folder).

Goal: I want to integrate a login SSO demo in PHP using Keycloak with SAML.

First of all, is it possible for Keycloak to be used as an Identity Provider (IDP) and a PHP application as a Service Provider (SP)?

I have already configured a settings file and Keycloak's configuration. But I have not added a client-id anywhere in my Eclipse project; I don't know where to add it!

<?php

$spBaseUrl = 'http://localhost:8080'; // or http://<your_domain>

// The ACS URL is a combination of the Secure Token Server subsystem address, its port number for handling SAML messages, the SAML binding,
// and any necessary information that is specific for CIC or ICWS.

$settingsInfo = array(
    // Service Provider: this PHP application (php-saml demo1)
    'sp' => array(
        'entityId' => $spBaseUrl.'/demo1/metadata.php',
        'assertionConsumerService' => array(
            'url' => $spBaseUrl.'/demo1/index.php?acs',
        ),
        'singleLogoutService' => array(
            'url' => $spBaseUrl.'/demo1/index.php?sls',
        ),
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
    ),
    // Identity Provider: the Keycloak realm
    'idp' => array(
        'entityId' => 'http://localhost:8080/auth/realms/Lifetrenz',
        'singleSignOnService' => array(
            'url' => 'http://localhost:8080/auth/realms/Lifetrenz/protocol/saml',
        ),
        'singleLogoutService' => array(
            'url' => 'http://localhost:8080/auth/realms/Lifetrenz/protocol/saml',
        ),
        'x509cert' => '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',
    ),
);

But when I hit index.php, and when it redirects to the Keycloak login provider page, I'm getting "Unknown login requester".

Obviously, because I have not configured a Keycloak client-id!

deduper
  • https://packagist.org/packages/acsystems/keycloak-php-sdk or https://github.com/MohammadWaleed/keycloak-admin-client. Just search `keycloak php sdk` – Jackson Oct 09 '20 at 09:58
  • @Jackson I already tried all the GitHub repos and so on; not working / not worth it, because I want SAML, not OpenID Connect, and that repo uses OpenID Connect –  Oct 09 '20 at 16:03

1 Answer

Client ID in Keycloak needs to be equal to entityId in your site/metadata.

It means you need to configure your Keycloak (Clients section) to be in sync with your metadata. If your entityId is the metadata URL, your Keycloak Client ID needs to be the same URL.

Official guide: https://www.keycloak.org/docs/latest/server_admin/#saml-clients

Leonid Shumakov
  • Some of my doubts that are not cleared: Is any other third-party IDP/SP required besides the PHP code and the Keycloak configuration, like SimpleSAMLphp, Okta or something? Or is it possible for Keycloak to be used as an IDP and a PHP application as an SP? –  Oct 10 '20 at 16:07
  • As you said, Keycloak is your IDP; your application with php-saml is the SP. They can and will work if the configurations are in sync, because both parties have their own security validations. All you need to do here is properly configure both pieces. – Leonid Shumakov Oct 10 '20 at 17:34
  • If possible, please check this https://github.com/onelogin/php-saml/tree/master/demo1 ; I mentioned the same in the question as well. The thing is, where do I use the client-id? –  Oct 10 '20 at 18:01
  • Do you have a Keycloak site? Did you configure it using your test site metadata? – Leonid Shumakov Oct 12 '20 at 16:17
  • I run Keycloak locally. The metadata is already there in the example demo, and I configured the settings file. –  Oct 12 '20 at 16:41
  • Ok, $settingInfo has `sp` section with `entityId` field. That entityId is a value you need to put into your Keycloak instance (Client -> Edit Client -> Client ID). – Leonid Shumakov Oct 12 '20 at 16:55
  • This [ http://localhost:8080 ] I gave is the Keycloak dashboard URL only. –  Oct 12 '20 at 17:02
  • Demo site, demo's metadata (and settings) is the first piece. The second step is to configure your Keycloak instance (not your demo site) by following Keycloak's guide: https://www.keycloak.org/docs/latest/server_admin/#saml-clients Once you confirm both sites are properly configured, the connection will work. – Leonid Shumakov Oct 12 '20 at 17:14
  • LeonidShumakov: „*…to be in sync with your metadata…*“ — @SychiSingh: „…Metadata is already there in the example demo…“ — LeonidShumakov: „*…Did you configure it using your test site metadata?…*“ — When you two say „*metadata*“, I assume you ***both*** mean [*this `metadata.php` page*](https://github.com/onelogin/php-saml/blob/master/demo1/metadata.php)? Right? So LeonidShumakov, what ***specifically*** does the asker need to do with the *`metadata.php`* page? Does „*configure it*“ mean copy/paste the contents of the entire file? Just a specific line of the file? Which line? It's not clear. – deduper Oct 13 '20 at 01:11
  • I already mentioned it several times. The asker needs to ensure that the entityId field in metadata.php is equal to the Client ID in the Keycloak site (Clients section). I provided a link to the official guide on how to configure Keycloak. As far as I see, the asker does not need to do anything with the demo's metadata.php. The asker needs to log in as admin into Keycloak, open the Clients section, edit an existing Client, and ensure that the Client ID there is equal to the value in the demo's metadata.php. – Leonid Shumakov Oct 13 '20 at 07:24
  • So I need to purchase new domain just for making this demo? –  Oct 18 '20 at 16:34
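The rule given in the answer and in Leonid Shumakov's comments (the Keycloak Client ID must equal the `sp.entityId` from `$settingsInfo`, and the IdP URLs in the settings must match the realm) can be checked mechanically before anyone hits index.php. The script below is an added example; it is not code from the onelogin/php-saml demo, from Keycloak, or from anyone in this thread. It takes the settings array shape from the question, a constructed Keycloak SAML client export (the JSON field names `clientId`, `protocol`, `redirectUris` and the `saml_assertion_consumer_url_post` attribute are the ones I know from Keycloak client exports; treat them as an assumption), and a constructed copy of the realm's IdP descriptor XML (the kind served at `<keycloak>/auth/realms/<realm>/protocol/saml/descriptor`). The `checkSamlConfig` function is hypothetical; it reports every mismatch that would otherwise surface at runtime as "Unknown login requester" or as a rejected assertion.

```php
<?php
// Added example, not part of php-saml or Keycloak. Checks that the SP side
// ($settingsInfo) and the Keycloak side (client export + realm descriptor)
// agree before a login is attempted. All inputs below are constructed.

// 1. SP side: same shape as demo1/settings.php in the question.
$spBaseUrl = 'http://localhost:8080';
$settingsInfo = [
    'sp' => [
        'entityId' => $spBaseUrl . '/demo1/metadata.php',
        'assertionConsumerService' => ['url' => $spBaseUrl . '/demo1/index.php?acs'],
        'singleLogoutService'      => ['url' => $spBaseUrl . '/demo1/index.php?sls'],
    ],
    'idp' => [
        'entityId' => 'http://localhost:8080/auth/realms/Lifetrenz',
        'singleSignOnService' => ['url' => 'http://localhost:8080/auth/realms/Lifetrenz/protocol/saml'],
    ],
];

// 2. Keycloak side: a SAML client as exported from the admin console
//    (Clients -> the client -> Export). Constructed sample, assumed field names.
$keycloakClientJson = <<<'JSON'
{
  "clientId": "http://localhost:8080/demo1/metadata.php",
  "protocol": "saml",
  "enabled": true,
  "redirectUris": ["http://localhost:8080/demo1/index.php?acs"],
  "attributes": {
    "saml_assertion_consumer_url_post": "http://localhost:8080/demo1/index.php?acs"
  }
}
JSON;

// 3. The realm's IdP descriptor (constructed; normally fetched from Keycloak).
$idpDescriptorXml = <<<'XML'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://localhost:8080/auth/realms/Lifetrenz">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost:8080/auth/realms/Lifetrenz/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
XML;

// Hypothetical helper: returns a list of human-readable problems (empty = in sync).
function checkSamlConfig(array $settings, string $clientJson, string $descriptorXml): array
{
    $problems = [];
    $client = json_decode($clientJson, true, 512, JSON_THROW_ON_ERROR);

    // Core rule from the answer: Keycloak Client ID == SP entityId. The SP
    // entityId is the Issuer of the AuthnRequest, which Keycloak uses to look
    // up the client; no match gives "Unknown login requester".
    $spEntityId = $settings['sp']['entityId'];
    if (($client['clientId'] ?? null) !== $spEntityId) {
        $problems[] = sprintf("Keycloak clientId '%s' != sp.entityId '%s'",
            $client['clientId'] ?? '(missing)', $spEntityId);
    }
    if (($client['protocol'] ?? null) !== 'saml') {
        $problems[] = 'Keycloak client protocol is not saml';
    }

    // The ACS URL must be one Keycloak is willing to post the assertion to.
    $acs = $settings['sp']['assertionConsumerService']['url'];
    $acsPost = $client['attributes']['saml_assertion_consumer_url_post'] ?? null;
    if ($acsPost !== $acs && !in_array($acs, $client['redirectUris'] ?? [], true)) {
        $problems[] = "ACS URL '$acs' is not registered on the Keycloak client";
    }

    // IdP side: settings must match what the realm actually advertises.
    $doc = new DOMDocument();
    $doc->loadXML($descriptorXml);
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata');
    $realmEntityId = $doc->documentElement->getAttribute('entityID');
    if ($realmEntityId !== $settings['idp']['entityId']) {
        $problems[] = "idp.entityId '{$settings['idp']['entityId']}' != realm entityID '$realmEntityId'";
    }
    $ssoLocations = [];
    foreach ($xp->query('//md:IDPSSODescriptor/md:SingleSignOnService') as $node) {
        $ssoLocations[] = $node->getAttribute('Location');
    }
    if (!in_array($settings['idp']['singleSignOnService']['url'], $ssoLocations, true)) {
        $problems[] = 'idp.singleSignOnService.url is not advertised by the realm descriptor';
    }
    return $problems;
}

$problems = checkSamlConfig($settingsInfo, $keycloakClientJson, $idpDescriptorXml);
echo $problems ? implode(PHP_EOL, $problems) . PHP_EOL : "SP and Keycloak settings are in sync" . PHP_EOL;
```

Run it with `php check.php` after replacing the two constructed inputs with the real client export and the descriptor fetched from your realm. With the sample values it prints that the settings are in sync; change `clientId` in the JSON to anything else and the first problem line is exactly the mismatch behind the "Unknown login requester" page. One caveat the thread touches on (the asker's `$spBaseUrl` is the Keycloak dashboard URL): the `sp` URLs have to be the address where the PHP demo is actually served, since that is where Keycloak will send the user back with the assertion, so if the demo runs on a different host or port than Keycloak, those values must differ.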