This document provides technical instructions for the installation and configuration of Samleikin.
A repository containing relevant information from Klintra is available at https://bitbucket.org/klintra-ft/sp-demo/src/master/.
The following prerequisites are required before you begin:
- A signed agreement with Talgildu Føroyar.
- A PKCS#12 bundle obtained from Elektron.
- An operational and internet-accessible Keycloak 24 instance.
Extract the private key and certificate(s) from the PKCS#12 bundle into separate files using Keystore Explorer.
- Realm settings -> General -> Unmanaged Attributes: `Enabled`
- Realm settings -> Keys -> Add providers -> Delete all providers of provider type `rsa-generated`, `rsa-enc-generated`, `rsa` and `rsa-enc` if they exist
- Realm settings -> Keys -> Add providers -> Add provider -> `rsa` -> Drag your private key file to `Private RSA Key` and the certificates file to `X509 Certificate` -> Save
- Realm settings -> Keys -> Add providers -> Add provider -> `rsa-enc` -> Drag your private key file to `Private RSA Key` and the certificates file to `X509 Certificate` -> Save
- Realm settings -> User profile -> `email` -> Required field: `Off`
- Realm settings -> User profile -> `firstName` -> Required field: `Off`
- Realm settings -> User profile -> `lastName` -> Required field: `Off`
- Authentication -> Flows -> Create flow
  - Name: `create user`
  - Flow type: `Basic flow`
  - Create
  - Add execution -> `Create user if unique` -> Add
  - `Create user if unique` -> Requirement: `Alternative`
- Identity providers -> Add provider -> SAML v2.0
  - Alias: `samleikin`
  - Display name: `Samleikin`
  - Service provider entity ID: `https://[KEYCLOAK_URL]/realms/samleikin`
  - Staging environment (innrita.staging.samleiki.fo):
    - Identity provider entity ID: `https://innrita.staging.samleiki.fo/idp/shibboleth`
    - Single Sign-On service URL: `https://innrita.staging.samleiki.fo/idp/profile/SAML2/Redirect/SSO`
    - Single logout service URL: `https://innrita.staging.samleiki.fo/idp/profile/SAML2/Redirect/SLO`
  - Production environment (innrita.samleiki.fo):
    - Identity provider entity ID: `https://innrita.samleiki.fo/idp/shibboleth`
    - Single Sign-On service URL: `https://innrita.samleiki.fo/idp/profile/SAML2/Redirect/SSO`
    - Single logout service URL: `https://innrita.samleiki.fo/idp/profile/SAML2/Redirect/SLO`
  - Backchannel logout: `Off`
  - Send 'id_token_hint' in logout requests: `On`
  - Send 'client_id' in logout requests: `Off`
  - NameID policy format: `Persistent`
  - Principal type: `Subject NameID`
  - Allow create: `On`
  - HTTP-POST binding response: `On`
  - HTTP-POST binding for AuthnRequest: `Off`
  - HTTP-POST binding logout: `Off`
  - Want AuthnRequests signed: `On`
  - Signature algorithm: `RSA_SHA256`
  - SAML signature key name: `KEY_ID`
  - Want Assertions signed: `On`
  - Want Assertions encrypted: `On`
  - Encryption Algorithm: `RSA-OAEP`
  - Force authentication: `Off`
  - Validate Signatures: `On`
  - Use metadata descriptor URL: `Off`
  - Validating X509 certificates: `[SAMLEIKIN_SIGNING_CERT]`
  - Sign service provider metadata: `Off`
  - Pass subject: `Off`
  - Allowed clock skew: `180`
  - Attribute Consuming Service Index: `0`
  - Comparison: `exact`
  - Store tokens: `Off`
  - Stored tokens readable: `Off`
  - Trust Email: `Off`
  - Account linking only: `Off`
  - Hide on login page: `Off`
  - First login flow override: `create user`
  - Post login flow: `None`
  - Sync mode: `Force`
  - Add/Save
- Identity providers -> Samleikin -> Mappers -> Add mapper
  - Name: `givenName`
  - Sync mode override: `Inherit`
  - Mapper type: `Attribute importer`
  - Attribute Name: `urn:oid:2.5.4.42`
  - Friendly Name: `givenName`
  - Name Format: `ATTRIBUTE_FORMAT_URI`
  - User Attribute Name: `firstName`

Repeat adding mappers (same Sync mode override, Mapper type and Name Format) for:

- Name: `sn`
  - Attribute Name: `urn:oid:2.5.4.4`
  - Friendly Name: `sn`
  - User Attribute Name: `lastName`
- Name: `displayName`
  - Attribute Name: `urn:oid:2.16.840.1.113730.3.1.241`
  - Friendly Name: `displayName`
  - User Attribute Name: `displayName` (Custom Attribute...)
- Name: `countryOfCitizenship`
  - Attribute Name: `urn:oid:1.3.6.1.5.5.7.9.4`
  - Friendly Name: `countryOfCitizenship`
  - User Attribute Name: `countryOfCitizenship` (Custom Attribute...)
- Name: `dateOfBirth`
  - Attribute Name: `urn:oid:1.3.6.1.5.5.7.9.1`
  - Friendly Name: `dateOfBirth`
  - User Attribute Name: `dateOfBirth` (Custom Attribute...)
- Name: `personalIdentityNumber`
  - Attribute Name: `urn:oid:1.2.208.189.1.2.1`
  - Friendly Name: `personalIdentityNumber`
  - User Attribute Name: `personalIdentityNumber` (Custom Attribute...)
You must provide a metadata XML file to Samleikin. Locate this file by navigating to: Identity providers -> Samleikin -> `SAML 2.0 Service Provider Metadata`.
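Before handing the exported metadata to Samleikin, it is worth confirming that the export actually reflects the settings above (signed AuthnRequests, signed and encrypted assertions, persistent NameID, HTTP-POST response binding, HTTP-Redirect logout). The following checker is an added example, not code from Klintra or the Keycloak project; the sample metadata and the `keycloak.example.fo` entity ID are constructed placeholders, and the certificates are elided to keep the sample short.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed stand-in for a Keycloak SP metadata export (certificate data elided).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.example.fo/realms/samleikin">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>KEY_ID</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:KeyName>KEY_ID</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.fo/realms/samleikin/broker/samleikin/endpoint"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.fo/realms/samleikin/broker/samleikin/endpoint"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text: str, expected_entity_id: str) -> list[str]:
    """Return every mismatch between the export and this guide's settings (empty list = OK)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("entityID") != expected_entity_id:
        problems.append(f"entityID is {root.get('entityID')!r}, expected {expected_entity_id!r}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no SPSSODescriptor element"]
    # 'Want AuthnRequests signed' and 'Want Assertions signed' are both On in this guide.
    for attr in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(attr) != "true":
            problems.append(f"{attr} is not true")
    # Encrypted assertions require a published encryption key alongside the signing key.
    uses = {k.get("use") for k in sp.findall("md:KeyDescriptor", NS)}
    for use in ("signing", "encryption"):
        if use not in uses:
            problems.append(f"missing KeyDescriptor use={use}")
    if PERSISTENT not in [n.text for n in sp.findall("md:NameIDFormat", NS)]:
        problems.append("persistent NameID format not advertised")
    if POST not in {a.get("Binding") for a in sp.findall("md:AssertionConsumerService", NS)}:
        problems.append("no HTTP-POST AssertionConsumerService")   # HTTP-POST binding response: On
    if REDIRECT not in {s.get("Binding") for s in sp.findall("md:SingleLogoutService", NS)}:
        problems.append("no HTTP-Redirect SingleLogoutService")    # HTTP-POST binding logout: Off
    return problems
```

Run `check_sp_metadata(open("sp-metadata.xml").read(), "https://[KEYCLOAK_URL]/realms/samleikin")` against your real export; any non-empty result means a setting above was not applied.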