Introduction

Joget is a low-code/no-code rapid application development platform. Its unique plugin architecture allows one to extend its functionality to any level. Integration with external directory services is one of the key features. SAML is a general API that most directory platforms use to enable SSO.

Single Sign-On means you can use the authentication from an external platform. It is a really great feature for any enterprise: when using multiple applications, end users are not required to remember multiple passwords for multiple platforms.

This plugin source code is available in a new open source repository at https://github.com/jogetoss/. JogetOSS is a community-led team for open source software related to the Joget no-code/low-code application platform. Projects under JogetOSS are community-driven and community-supported, and you are welcome to contribute to the projects.



Keycloak
Keycloak is one of the directory service providers that has the ability to connect to multiple directory services. It can also work as an Identity Provider.


Integration 

Joget allows integration with any platform using SAML with the help of the SAML plugin, which can be downloaded from the marketplace. Download the plugin and install it in the Manage Plugins section.

https://marketplace.joget.org/jw/web/userview/mp/mpp/_/vad?id=wflow-saml-v5

Once you install the plugin, you need to whitelist the external API call so the SAML API can be accessed from the end user's browser.




Plugin Configuration

Once you install the plugin you can enable the directory manager configuration to use SAML authentication. 

Open Settings -> Directory Manager Settings -> Select Plugin -> Choose SAML Directory Manager - 6.0.1



The SAML Directory Configuration settings screen will open. You will be required to copy the SAML API URL. This is required to create a client in Keycloak.


IDP certificates need to be copied from the Keycloak admin console. Open your Keycloak admin console -> Realm Settings -> Keys tab -> click on the Certificate RSA 256 Key.



Paste this value in the IDP Certificate field.

The User Provisioning Enabled checkbox allows Joget to authenticate users who are not in the Joget directory manager. It will also create an account in Joget.

Configure other settings as per your industry requirements. 


KeyCloak Configuration

Creating a client in Keycloak will enable SSO from the Keycloak application.

Open the Keycloak admin console -> Clients -> Create



Please use the following configuration:


Client ID: SAML JOGET API URL
Name: Optional
Description: Optional
Enabled: ON
Consent Required: OFF
Login Theme: Optional
Client Protocol: SAML
Include AuthnStatement: ON
Include OneTimeUse Condition: OFF
Sign Documents: OFF
Sign Assertions: ON
Signature Algorithm: RSA_SHA256
SAML Signature Key Name: CERT_SUBJECT
Canonicalization Method: EXCLUSIVE
Encrypt Assertions: OFF
Client Signature Required: OFF
Force POST Binding: OFF
Front Channel Logout: OFF
Force Name ID Format: ON
Name ID Format: username
Root URL: EMPTY
Valid Redirect URIs: https://joget-Server-URL/jw
Base URL: EMPTY
Master SAML Processing URL: SAML JOGET API URL
IDP Initiated SSO URL Name: SAML JOGET API URL





To test the configuration, copy the target IDP-initiated SSO URL, paste it into an incognito browser window and log in to Keycloak. If all is good, you will be redirected to the Joget home page, logged in.

The final configuration step is to configure the fields.

Open the Mapper tab on the client configuration. Add the built-in mappings.




You need to define the names for each option so Joget will be able to handle the values:


| Mapping Name | SAML Attribute Name |
|---|---|
| X500 surname | User.LastName |
| X500 givenName | User.FirstName |
| X500 email | email |
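
A structural check for a captured SAML response, added here as an example (it is not part of the Joget plugin or of the original page): it confirms that the assertion matches the client settings and mapper names listed above. The sample XML, the NameID value `jdoe` and the function name `check_response` are constructed for illustration, and the check does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
# Attribute names from the mapper table on this page.
EXPECTED_ATTRS = {"User.FirstName", "User.LastName", "email"}

# Constructed sample response (digest and signature values omitted; not real output).
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}"><saml:Assertion>
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>
    <ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.FirstName"/><saml:Attribute Name="User.LastName"/>
    <saml:Attribute Name="email"/>
  </saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""

def check_response(xml_text):
    """Structure check only (no cryptographic verification); returns mismatches."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion (Encrypt Assertions should be OFF)"]
    problems = []
    info = assertion.find("ds:Signature/ds:SignedInfo", NS)
    if info is None:
        problems.append("assertion not signed (Sign Assertions should be ON)")
    else:
        for tag, want in (("SignatureMethod", RSA_SHA256),
                          ("CanonicalizationMethod", EXC_C14N)):
            node = info.find(f"ds:{tag}", NS)
            if node is None or node.get("Algorithm") != want:
                problems.append(f"{tag} is not {want}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    seen = {a.get("Name") for a in
            assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    problems += [f"missing attribute {n}" for n in sorted(EXPECTED_ATTRS - seen)]
    return problems

if __name__ == "__main__":
    print(check_response(SAMPLE) or "response matches the documented settings")
```

Run it against a response captured in your own test realm; an empty result means the signing settings and attribute names line up with what the mapper table expects.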



Final Tweaks 

To make it easier for your users to access the Keycloak login page, you can add an option in your Joget login screen to open the Keycloak authentication page.

Open your AppCenter in Userview Builder -> Settings -> Login Page UI -> add the custom HTML under the login form.





