SSO AuthenticationSAML 2.0
Keycloak
Connect a separately-hosted Keycloak instance as an external SAML identity provider for Safeguard.
Keycloak
Use this to connect your own, separately-hosted Keycloak instance as an external IdP — distinct from the internal Keycloak Safeguard's auth service uses as its broker.
- In your organization's Keycloak admin console, select your realm, then go to Clients → Create client → SAML.
- Set Client ID to the SP Entity ID Safeguard shows after Save (this is the SP Entity ID), and set the Assertion Consumer Service POST Binding URL to the ACS URL Safeguard shows after Save.
- Under Realm Settings → General, copy the realm's SAML 2.0 endpoint and issuer, and export the realm's signing certificate.
- Set Name ID format to Email under the client's Advanced settings.
- Add a SAML Attribute mapper on the client with SAML attribute name
emailmapped to the user's email attribute — separate from the Name ID mapper above. - In Safeguard, click Add Provider → SAML 2.0 → Keycloak, and enter the endpoint, issuer (Entity ID), and certificate.
- Assign the client's role/group mappers to the users who should have access.
- Click Test in Safeguard to confirm.
Common errors: an "invalid_redirect_uri" error from Keycloak means the Callback URL wasn't added to the client's Valid Redirect URIs exactly as shown.