Keycloak
This guide walks you through using Keycloak as the SAML identity provider for Harness. This allows Keycloak users to log in to Harness with their existing credentials.
If you use Harness Self-Managed Enterprise Edition, your instance must be accessed via an HTTPS load balancer, otherwise SAML authentication will fail over HTTP.
What will you learn in this topic?
By the end of this topic, you will be able to:
- Set up a Keycloak SAML client.
- Configure Harness to use Keycloak SAML client as an SSO provider.
- Enable group-based authorization.
Before you begin
Before you configure Keycloak as the SAML identity provider for Harness, check that you have:
- A Harness account with Account Admin permissions.
- An existing Keycloak instance with admin access to create and configure SAML clients.
Just-in-Time (JIT) provisioning
Harness supports SAML configuration with or without JIT user provision. Review Just-In-Time (JIT) to understand how Harness creates users on first SAML login when JIT is enabled.
Without JIT, follow the steps below to add new users:
- In Harness, add the users you want to set up for SAML SSO by inviting them to Harness using the same email addresses that they use in your SAML provider.
- In Keycloak, add the users and make sure they are in scope for the client you create in the configuration steps below.
With JIT, you add users to Keycloak, and they are automatically added to Harness on first successful SAML login.
Set up a client in Keycloak
To register Harness as a SAML service provider in Keycloak, follow the steps below:
-
Sign in to the Keycloak admin console.
-
Switch to your target Realm, then select Clients.
The General Settings page appears.
-
Select Create client. Set Client type to SAML and Client ID to
app.harness.io, then select Next.
Replace <YOUR ACCOUNT ID> with your Harness account ID.
- Root URL:
https://app.harness.io/ - Home URL:
https://app.harness.io/ng/account/<YOUR ACCOUNT ID>/main-dashboard - Valid post logout redirect URIs:
https://app.harness.io/ng/account/<YOUR ACCOUNT ID>/main-dashboard - Master SAML processing URL:
https://app.harness.io/gateway/api/users/saml-login?accountId=<YOUR ACCOUNT ID>
- Click Save.
If your Harness account uses a vanity URL, replace https://app.harness.io with your base URL in every field above. Example ACS URL shape: https://<your-vanity-host>/gateway/api/users/saml-login?accountId=<YOUR ACCOUNT ID>.
Configure client settings
Apply the following settings on the client you just created.
-
Under Settings tab, navigate to Signature and Encryption section, and enter the following values:
- Name ID format:
email - Force POST binding: On
- Include AuthnStatement: On
- All other toggles in this block: Off
- Name ID format:
-
Under Settings, open Signature and encryption and set:
- Sign documents: On
- Sign assertions: On
- Signature algorithm:
RSA_SHA256 - SAML signature key name:
NONE - Canonicalization method:
EXCLUSIVE
-
Under the Keys tab, set 'Client signature required' to Off.
-
Open the Advanced tab, then Fine grain SAML endpoint configuration. Set 'Assertion consumer service POST binding URL' to
https://app.harness.io/gateway/api/users/saml-login?accountId=<YOUR ACCOUNT ID>(or the same path on your vanity host). -
Click Save.
Download IdP metadata for Harness
Harness imports Keycloak as an IdP from a metadata XML file.
-
In the left nav, under Configure, select Realm settings.
-
In the Endpoints section, select SAML 2.0 Identity Provider Metadata. A new tab opens with XML data.
-
Save that document as an
.xmlfile. Upload this file when you add the provider in Harness.
Optional: Add group membership in SAML
To automatically sync group memberships in Harness based on group memberships in Keycloak, perform the following steps:
-
Under Manage tab, select Clients.
-
Select your newly-created Client, and then select the Client Scopes tab.
-
In the first row, select the value in the Assigned client scope field.
-
Select Mappers tab, and then select Configure a new mapper.
-
Select Group list and configure the following settings:
- Name: grouplist
- Group attribute name: member
- SAML Attribute NameFormat: Basic
- Single Group Attribute: On
- Full group path: Off
-
Select Save.
Set up Keycloak SAML SSO in Harness
Once you have the client set up in Keycloak, configure and enable Keycloak as an SAML provider in Harness. This way, Keycloak users can use the same credentials to sign in to Harness.
-
In your Harness account, go to Account Settings, and then select Authentication.
-
In Identity Provider metadata XML downloaded from your app (Optional), select Upload, then select the XML file you added when you set your Keycloak configuration steps.
-
Select + SAML Provider, then enter the following values:
- Name: Keycloak
- Select an SAML Provider: Other
- Enable Authorization: Enable if you want to automatically sync group memberships in Harness based on group memberships in Keycloak
- Group Attribute Name: member (only available if Enable Authorization is selected)
- Add Entity Id: Enabled
- Entity Id: app.harness.io
- Enable JIT Provisioning: Enable if Just In Time user provisioning is desired
-
Select Add.
You should see the new provider under Login via SAML; you might need to expand this section using the arrow on the right-hand side of the screen..
Enable and test SSO
Enable your SSO configuration and verify users can authenticate successfully by following the steps below:
- Under Account Settings in Harness, select Authentication, and then open Login via SAML for the Keycloak provider.
- In the Enable SAML provider dialog, select Test so Harness validates the exchange.
- When the test passes, Harness shows SAML test successful banner at the top.
- Select Confirm to enable the provider for sign-in.
Related articles
- SAML SSO with Okta - Create an SAML integration in Okta for Harness.
- SAML SSO with Microsoft Entra ID - Configure Microsoft Entra ID as a SAML SSO provider in Harness.
- SAML SSO with OneLogin - Configure OneLogin as a SAML SSO provider in Harness.
- Advanced SAML configuration - Configure advanced SAML options in Harness.