
Configuring Syteca integration with Keycloak SSO

Configuring Keycloak SSO

To set up Keycloak SSO (SAML 2.0) authentication for use with the Syteca Management Tool, do the following:

  1. Log in to the Keycloak administrative console.

  2. In the upper left corner, click Manage realms.

  3. Click Create realm.

  4. Enter a name for the Realm and click Create.

Configuring the LDAP Provider
To synchronize users from LDAP, you need to add an LDAP provider:

  1. Go to the User Federation section.

  2. Click Add Ldap providers.

  3. Fill in the required parameters.

Connection and authentication settings:

  Vendor: Active Directory
  Connection URL: LDAP://<ldap-hostname-or-ip>, for example LDAP://10.XXX.XXX.30
  Connection pooling: OFF
  Bind Type: simple
  Bind DN: DN of the service user, for example CN=Administrator,CN=Users,DC=ekran-5,DC=app
  Bind Credential: password of the service user
  Use Truststore SPI: Always

LDAP searching and updating:

  Edit mode: READ_ONLY
  Users DN: DN in which the users are located, for example CN=Users,DC=ekran-5,DC=app
  Username LDAP attribute: cn
  RDN LDAP attribute: cn
  UUID LDAP attribute: objectGUID
  User object classes: user
  Search scope: Subtree
  Pagination: OFF

Synchronization settings:

  Import Users: ON
  Sync Registrations: ON
  Periodic Full Sync: OFF
  Periodic Changed Users Sync: OFF

Save the LDAP provider settings.

Configuring the LDAP Mapper for Distinguished Name (DN) Synchronization
To transfer a user's full DN from LDAP to Keycloak, you need to create a mapper.
Navigate to:
User Federation → LDAP provider → Mappers → Add mapper

Create a mapper with the following parameters:

  Name: ldap-dn-mapper
  Mapper Type: user-attribute-ldap-mapper
  User Model Attribute: dn
  LDAP Attribute: distinguishedName
  Read Only: ON
  Always Read Value From LDAP: ON
  Is Mandatory In LDAP: OFF

Save the mapper.

Checking DN Synchronization
After configuration, we recommend checking that the distinguishedName attribute is synchronizing correctly:
    1. Go to the Users section.
    2. Open any user imported from LDAP.
    3. The Details tab should display the dn attribute with user and domain information (e.g. CN=User Name,OU=Users,DC=domain,DC=com).

Setting up an Identity Provider (SAML v2.0)
Adding a SAML Identity Provider:
    1. Go to the Identity Providers section.
    2. Select SAML v2.0.

To make the required fields available, you must disable the Use entity descriptor option.

Fill in the following fields:

  Service provider entity ID: https://<ip-or-hostname>/Syteca
  Identity provider entity ID: https://<ip-or-hostname>:<port>/realms/<realmName> (the URL of our Realm, for example https://10.XXX.XXX.159:8443/realms/RealmTest)
  Single Sign-On service URL: https://<ip-or-hostname>/Syteca/Account/ConsumeSSO/ (the URL of Syteca MT)
  Single logout service URL: https://<ip-or-hostname>/Syteca/Account/SsoLoggedOut/
  NameID policy format: Unspecified
  Principal type: Subject NameID

Click Add to add the Identity Provider.

Exporting the IdP Metadata XML
To complete the SAML configuration, you need to export the Realm metadata:
    1. Go to the Realm Settings section.
    2. Open the General tab.
    3. Click SAML 2.0 Identity Provider Metadata.
    4. Save the file, for example as IdP_metadata.xml.

This file is used on the Service Provider side in the Syteca Management Tool.
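Before uploading the exported file to the Management Tool, it is worth confirming it contains what the SAML client configured later expects. The following Python check is an added example, not part of the Syteca or Keycloak documentation; the hostname, realm name and certificate body in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def check_idp_metadata(xml_text, expected_entity_id):
    """Return (summary, problems) for an exported realm descriptor.
    Checks what the Syteca side depends on: entityID equals the realm URL used
    as 'Identity provider entity ID', an IDPSSODescriptor is present, it offers
    an HTTP-POST SingleSignOnService and it carries a signing certificate.
    """
    root = ET.fromstring(xml_text)
    # Keycloak may wrap the EntityDescriptor in an EntitiesDescriptor.
    entity = (root if root.tag == "{%s}EntityDescriptor" % NS["md"]
              else root.find("md:EntityDescriptor", NS))
    if entity is None:
        return {}, ["no EntityDescriptor in metadata"]
    problems = []
    entity_id = entity.get("entityID")
    if entity_id != expected_entity_id:
        problems.append("entityID %r differs from realm URL %r"
                        % (entity_id, expected_entity_id))
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"entity_id": entity_id}, problems + ["no IDPSSODescriptor"]
    sso_url = next((s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                    if s.get("Binding") == POST_BINDING), None)
    if sso_url is None:
        problems.append("no HTTP-POST SingleSignOnService (client uses Force POST binding)")
    signing = [k for k in idp.findall("md:KeyDescriptor", NS)
               if k.get("use", "signing") == "signing"
               and k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
    if not signing:
        problems.append("no signing certificate in IDPSSODescriptor")
    return {"entity_id": entity_id, "sso_url": sso_url,
            "signing_certs": len(signing)}, problems


# Constructed sample shaped like an exported realm descriptor; hostname and
# certificate body are placeholders, not real Keycloak output.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><md:EntityDescriptor
 entityID="https://idp.example.test:8443/realms/RealmTest"><md:IDPSSODescriptor>
 <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
 PLACEHOLDER_BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 Location="https://idp.example.test:8443/realms/RealmTest/protocol/saml"/>
 </md:IDPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>"""
```

Run it against the saved IdP_metadata.xml with the realm URL you entered as Identity provider entity ID; an empty problems list means the file matches that configuration.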

Creating a Client (Service Provider)

Go to the Clients section and create a new client:

  1. Click Create client.

  2. In the General Settings section, fill in:

  Client type: SAML
  Client ID: https://<ip-or-hostname>/Syteca (the URL of the Syteca Management Tool)

The remaining parameters can be left at their defaults.

Click Next.

  3. In the Login Settings section, fill in:

  Valid redirect URIs: https://<ip-or-hostname>/Syteca/*

Click Save.

Checking SAML Capabilities
After saving, open the created Client (Service Provider) settings and check the parameters in the SAML capabilities section:

  Force POST binding: ON
  Include AuthnStatement: ON

In the Signature and Encryption settings section, apply the settings shown in the screenshot:

[Screenshot: Signature and Encryption settings]

Configuring SAML Endpoints
Go to the Advanced tab of the client settings and fill in the endpoints:

  Assertion Consumer Service POST Binding URL: https://<ip-or-hostname>/Syteca/Account/ConsumeSSO
  Logout Service POST Binding URL: https://<ip-or-hostname>/Syteca/Account/SingleLogout

Save the changes.

Creating a SAML Attribute Mapper
To pass the user's DN (obtained from LDAP) to the SAML assertion, you need to create a mapper.
Navigate to:
Clients → our SAML Client → Client scopes

If no mappers have been created previously, click Configure a new mapper.

If mappers already exist, select Add mapper → By configuration.

Then click User Attribute.

Create a mapper with the following parameters:

  Mapper Type: User Attribute
  Name: dn-claim-mapper
  User Attribute: dn
  SAML Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dn
  SAML Attribute NameFormat: URI Reference

The User Attribute value must exactly match the name of the attribute created earlier in the LDAP Mapper (in our case, dn).

Save the mapper.
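To verify that the mapper actually emits the DN in the form Syteca expects, inspect a decoded SAML Response (the SAMLResponse form field posted to the ConsumeSSO endpoint, base64-decoded). This Python check is an added example, not code from Syteca or Keycloak; the sample response, its user name and hostname are constructed and unsigned.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dn"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"


def inspect_assertion(xml_text):
    """Return ({'name_id', 'dn'}, problems) for a decoded SAML Response.
    Checks a Subject NameID (Principal type = Subject NameID), an AuthnStatement
    (Include AuthnStatement = ON) and the dn attribute from dn-claim-mapper.
    """
    root = ET.fromstring(xml_text)
    assertion = (root if root.tag == "{%s}Assertion" % NS["saml"]
                 else root.find("saml:Assertion", NS))
    if assertion is None:
        return {}, ["no Assertion element in the document"]
    problems = []
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        problems.append("Subject has no NameID")
    if assertion.find("saml:AuthnStatement", NS) is None:
        problems.append("no AuthnStatement; enable 'Include AuthnStatement' on the client")
    dn = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != DN_CLAIM:
            continue
        if attr.get("NameFormat") != URI_FORMAT:
            problems.append("dn attribute NameFormat is %r, not URI Reference"
                            % attr.get("NameFormat"))
        dn = attr.findtext("saml:AttributeValue", namespaces=NS)
    if not dn:
        problems.append("dn attribute missing or empty; check ldap-dn-mapper and dn-claim-mapper")
    return {"name_id": name_id, "dn": dn}, problems


# Constructed sample Response (signature omitted) shaped like an assertion
# carrying the dn claim; user, DN and hostname are placeholders, not captured data.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.test:8443/realms/RealmTest</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2026-04-15T03:00:00Z"/>
  <saml:AttributeStatement><saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
   Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dn">
   <saml:AttributeValue>CN=John Doe,CN=Users,DC=example,DC=test</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```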

Setting up SSO Integration in the Syteca Management Tool

In the SSO Integration settings in the Syteca Management Tool, fill in the following fields:

  Issuer name: URL of the Syteca Management Tool (for example, https://<ip-or-hostname>/Syteca)
  Identity provider metadata (XML): the XML file saved from the Realm settings page (SAML 2.0 Identity Provider Metadata)
  Custom certificate: if we want to use a certificate generated by Keycloak

SSO authentication is not currently implemented for use in Multi-Tenant mode.

Click Save to apply the changes.

Restart the EkranServer service in Services.

Using a Self-signed Certificate in the Syteca Management Tool
If you plan to use a self-signed certificate from MT, you must complete additional steps.

Step 1. Export the MT certificate
In the SSO settings in MT:

  1. Fill in the required fields.

  2. Click Download signing certificate.

  3. Save the certificate (SsoCert.cer).

Step 2. Convert the certificate to PEM format
If the certificate was downloaded in DER format (.cer), convert it to PEM:

    BASH
    openssl x509 -inform DER -in SsoCert.cer -out SsoCert.pem

Step 3. Import the certificate into Keycloak

  1. Go to Clients → [our SAML client].

  2. Open the Keys tab.

  3. Click Import key.

  4. Upload the file SsoCert.pem.

Click Save to apply the changes.
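Step 2 relies on openssl; the following Python code is an added example (not from the Syteca documentation) that performs the same DER-to-PEM conversion with the standard library and also handles a .cer file that already holds PEM, so the certificate is never base64-encoded twice before the Keycloak import. The sample bytes are a constructed stand-in, not a real certificate.

```python
import base64
import binascii

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem_text):
    """Decode PEM text to DER bytes, rejecting malformed input."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    if PEM_HEADER not in lines or PEM_FOOTER not in lines:
        raise ValueError("missing PEM header or footer")
    body = "".join(lines[lines.index(PEM_HEADER) + 1:lines.index(PEM_FOOTER)])
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("PEM body is not valid base64") from exc
    if der[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE tag
        raise ValueError("PEM body does not decode to a DER SEQUENCE")
    return der


def to_pem(cert_bytes):
    """Return PEM text for a certificate file that may be DER or already PEM.

    A .cer file can hold either encoding: DER begins with the SEQUENCE tag
    0x30, PEM with the BEGIN line. PEM input is validated and re-wrapped to
    64-character lines instead of being base64-encoded a second time.
    """
    if cert_bytes.lstrip().startswith(PEM_HEADER.encode("ascii")):
        der = pem_to_der(cert_bytes.decode("ascii"))
    elif cert_bytes[:1] == b"\x30":
        der = cert_bytes
    else:
        raise ValueError("input is neither PEM nor DER")
    b64 = base64.b64encode(der).decode("ascii")
    wrapped = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *wrapped, PEM_FOOTER]) + "\n"


# Constructed stand-in: a tiny DER SEQUENCE, not a real certificate, so the
# example runs offline; in practice pass open("SsoCert.cer", "rb").read().
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x05, 0x04, 0x01, 0xAA])
```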
