{"id":15786,"date":"2024-05-30T15:03:41","date_gmt":"2024-05-30T22:03:41","guid":{"rendered":"https:\/\/www.couchbase.com\/blog\/?p=15786"},"modified":"2024-05-30T15:25:39","modified_gmt":"2024-05-30T22:25:39","slug":"sso-couchbase-with-keycloak-and-saml","status":"publish","type":"post","link":"https:\/\/www.couchbase.com\/blog\/sso-couchbase-with-keycloak-and-saml\/","title":{"rendered":"Unlock Single Sign-On Capabilities for Couchbase with Keycloak and SAML"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Welcome to this comprehensive guide on integrating <\/span><a href=\"https:\/\/www.couchbase.com\/\"><span style=\"font-weight: 400;\">Couchbase<\/span><\/a><span style=\"font-weight: 400;\"> with <\/span><a href=\"https:\/\/www.keycloak.org\/\"><span style=\"font-weight: 400;\">Keycloak<\/span><\/a><span style=\"font-weight: 400;\">. In today&#8217;s digital environment, securing applications and managing identities efficiently is paramount. SAML (Security Assertion Markup Language) and Keycloak, a versatile Identity and Access Management (IAM) tool, together form a robust solution for this purpose.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In this article, we will explore the intricacies of setting up Couchbase with a SAML Identity Provider (IdP). We will use Keycloak within a Docker environment. 
This integration will enhance your Couchbase&#8217;s security, streamline user management, and offer a seamless authentication experience.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Whether you are looking to expand your knowledge in identity management, or seeking to enhance your current setup, this guide is designed to provide you with a step-by-step approach to integrating Keycloak with your Couchbase database using SAML.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">By the end of this guide, you will have a strong understanding of how Couchbase and SAML work together, and how you can leverage these technologies to bolster the security and efficiency of your system. While this guide primarily employs Keycloak as a SAML Identity Provider, the steps and principles delineated here should enable you to configure your own SAML Identity Provider effectively.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Prerequisites<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Before diving into the setup process, it&#8217;s important to ensure that you have the following prerequisites ready. This will facilitate a smooth and efficient integration process:<\/span><\/p>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Existing Setup<\/b><span style=\"font-weight: 400;\">: Couchbase should be up and running. This guide assumes that you have already installed and configured Couchbase on your system.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Docker<\/b><span style=\"font-weight: 400;\">: Docker needs to be installed on your machine. Docker will be used to run Keycloak in a containerized environment, providing an isolated and consistent platform for Keycloak. 
You may skip the relevant section if you have Keycloak up and running in a different way.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Basic Knowledge<\/b><span style=\"font-weight: 400;\">:<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Docker<\/b><span style=\"font-weight: 400;\">: Familiarity with Docker commands and concepts is essential, as Keycloak will be deployed in a Docker container.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Keycloak and SAML<\/b><span style=\"font-weight: 400;\">: While detailed steps will be provided, having a basic understanding of Keycloak as an IAM tool and SAML as an authentication protocol will be beneficial.<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>System Requirements<\/b><span style=\"font-weight: 400;\">: Ensure your system meets the minimum requirements for running Docker and Keycloak smoothly. This includes sufficient memory, CPU power, and disk space.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Network Accessibility<\/b><span style=\"font-weight: 400;\">: Make sure that your network configuration allows communication between the Docker container where Keycloak will run and the system where your Couchbase is hosted.<\/span><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<h2><span style=\"font-weight: 400;\">Overview of Keycloak and SAML<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Understanding the roles of Keycloak and SAML in identity management is crucial for grasping their integration. This section provides an overview of both components and their significance in our setup.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">What is Keycloak<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Keycloak is an open-source Identity and Access Management solution aimed at modern applications and services. 
It provides extensive security capabilities including user authentication and authorization.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In our context, Keycloak serves as an Identity Provider (IdP). It centralizes the login mechanism and user management, offering a unified access point for various services and applications.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">SAML (Security Assertion Markup Language)<\/span><\/h3>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Basics of SAML:<\/b><span style=\"font-weight: 400;\"> SAML is an open standard for exchanging authentication and authorization data between parties, specifically between an IdP and a Service Provider (SP).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Importance in Authentication:<\/b><span style=\"font-weight: 400;\"> SAML is widely used for web-based authentication. It allows users to log in to multiple applications with one set of credentials managed by the IdP, enhancing both security and user experience.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3><span style=\"font-weight: 400;\">Integration Benefits<\/span><\/h3>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Enhanced Security<\/b><span style=\"font-weight: 400;\">: By integrating SAML with Keycloak, your Couchbase benefits from a secure and centralized authentication mechanism.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Single Sign-On (SSO)<\/b><span style=\"font-weight: 400;\">: Users can enjoy SSO capabilities across different applications, reducing the need for multiple logins and passwords.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">Step 1: Starting Keycloak in Docker<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">With Docker already running on your system, you can easily start Keycloak in a Docker container. 
This section provides the necessary steps and an example command to get Keycloak up and running smoothly.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Preparing for Keycloak Deployment<\/span><\/h3>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Ensure Docker is Running<\/b><span style=\"font-weight: 400;\">: Confirm that Docker is active on your system. You can do this by running `<\/span><i><span style=\"font-weight: 400;\">docker info<\/span><\/i><span style=\"font-weight: 400;\">` or `<\/span><i><span style=\"font-weight: 400;\">docker ps<\/span><\/i><span style=\"font-weight: 400;\">` in your terminal or command prompt, which should return information about your Docker installation and running containers, respectively.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Port Availability<\/b><span style=\"font-weight: 400;\">: Keycloak typically runs on port <\/span><b>8080<\/b><span style=\"font-weight: 400;\">. Ensure this port is free on your system, or plan to map it to a different port when running the Docker container.<\/span><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<h3><span style=\"font-weight: 400;\">Starting Keycloak Container<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">To start a Keycloak container with the default settings, use the following command:<\/span><\/p>\n<pre class=\"nums:false lang:default decode:true\">docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io\/keycloak\/keycloak:22.0.5 start-dev<\/pre>\n<p><span style=\"font-weight: 400;\">Replace <em>admin<\/em> and <em>admin<\/em>\u00a0with your desired admin username and password. This sets up an administrator account in Keycloak when the container starts.<\/span><\/p>\n<p><b>Detached Mode<\/b><span style=\"font-weight: 400;\">: Optionally, you can run the container in detached mode by adding the <em>-d<\/em>\u00a0flag. 
This runs the container in the background, allowing you to continue using the terminal.\u00a0<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Accessing Keycloak<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Once the Keycloak container is running, you can access the Keycloak admin console by navigating to <\/span><em><a href=\"https:\/\/localhost:8080\/auth\"><span style=\"font-weight: 400;\">https:\/\/localhost:8080\/auth<\/span><\/a><\/em><span style=\"font-weight: 400;\">\u00a0in your web browser. Log in with the admin credentials you set.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Please be aware that we are running this container in development mode for our demonstration purposes. For guidance on how to deploy Keycloak in a production environment, you are encouraged to consult the Keycloak documentation.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Step 2: Configuring Keycloak as a SAML Identity Provider Part 1<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Configuring Keycloak as a SAML Identity Provider involves setting up a new realm and a SAML client within that realm. 
Follow these detailed steps to ensure a proper setup.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Accessing the Keycloak Administration Console<\/span><\/h3>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Open a web browser and navigate to <\/span><a href=\"https:\/\/localhost:8080\/auth\"><span style=\"font-weight: 400;\"><em>https:\/\/localhost:8080\/auth<\/em><\/span><\/a>.<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Log in with your Keycloak admin credentials.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">You should now see the following:<\/span><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15808\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image22-1024x691.png\" alt=\"\" width=\"675\" height=\"455\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image22-1024x691.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image22-300x202.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image22-768x518.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image22-1536x1036.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image22-1320x890.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image22.png 1999w\" sizes=\"auto, (max-width: 675px) 100vw, 675px\" \/><\/p>\n<h3><span style=\"font-weight: 400;\">Creating a New Realm<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">In Keycloak, a realm is a fundamental concept that serves as a top-level container for configurations and entities like users, clients, and roles. 
Creating a realm is essential because it provides an isolated space where all these elements can be managed.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Each realm acts as an independent identity domain, allowing you to maintain separate sets of users, credentials, roles, and clients, which is particularly useful in scenarios where you have multiple departments, organizations, or environments. Thus, creating a realm is the first step in setting up an identity management solution in Keycloak.<\/span><\/p>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">In the top-left corner, click on the &#8220;Master&#8221; dropdown and select &#8220;<\/span><b>Create realm<\/b><span style=\"font-weight: 400;\">&#8220;.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Name your new realm (e.g., `MyIdentityRealm`) and click &#8220;<\/span><b>Create<\/b><span style=\"font-weight: 400;\">&#8220;.<\/span><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15815\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image29-1024x524.png\" alt=\"\" width=\"686\" height=\"351\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image29-1024x524.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image29-300x154.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image29-768x393.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image29-1536x786.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image29-1320x676.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image29.png 1999w\" sizes=\"auto, (max-width: 686px) 100vw, 686px\" \/><\/p>\n<h2><span 
style=\"font-weight: 400;\">Setting Up a SAML Client<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">In Keycloak, a client represents an application that will rely on Keycloak for authentication and authorization. Creating a client is essential as it forms the link between Couchbase UI and Keycloak, enabling the secure management of user access and identity information. By creating a SAML client in Keycloak, you enable your application to authenticate users through Keycloak using SAML.<\/span><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Inside your new realm, click on &#8220;<\/span><b>Clients<\/b><span style=\"font-weight: 400;\">&#8221; in the left-hand menu.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Click &#8220;<\/span><b>Create client<\/b><span style=\"font-weight: 400;\">&#8221; and select &#8220;<\/span><b>saml<\/b><span style=\"font-weight: 400;\">&#8221; as the Client Protocol.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">On the <\/span><b>General settings<\/b><span style=\"font-weight: 400;\"> tab, fill in the following fields:<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0<\/span><b>Client ID<\/b><span style=\"font-weight: 400;\">: Enter the Entity ID of your SAML Service Provider (e.g., `couchbase-ui`).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0<\/span><b>Name<\/b><span style=\"font-weight: 400;\">: Provide a name for the client. 
(e.g., `Couchbase`).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">\u00a0\u00a0\u00a0\u00a0<\/span><b>Description<\/b><span style=\"font-weight: 400;\">: Optionally, add a description.<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Click <\/span><b>Next<\/b><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15788\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image2-2-913x1024.png\" alt=\"\" width=\"600\" height=\"673\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image2-2-913x1024.png 913w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image2-2-267x300.png 267w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image2-2-768x861.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image2-2-1369x1536.png 1369w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image2-2-300x337.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image2-2-1320x1481.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image2-2.png 1380w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">On the <\/span><b>Login settings<\/b><span style=\"font-weight: 400;\"> tab, fill in the following fields:<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Home URL:<\/b><span style=\"font-weight: 400;\"> Enter the URL of your Couchbase server (e.g. <em>https:\/\/127.0.0.1:8091<\/em>)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Valid redirect URIs: <\/b><span style=\"font-weight: 400;\">Provide the URI which the IdP can redirect to (e.g. 
<\/span><em><span style=\"font-weight: 400;\">https:\/\/127.0.0.1:8091\/*<\/span><\/em><span style=\"font-weight: 400;\">)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Valid post logout redirect URIs<\/b><span style=\"font-weight: 400;\">: Enter the URIs that you allow the IdP to redirect after a logout event. (e.g. <em>https:\/\/127.0.0.1:8091\/*<\/em>)<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-weight: 400;\">Click <\/span><b>Save <\/b><span style=\"font-weight: 400;\">to create a new SAML client<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15803\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image17-1024x472.png\" alt=\"\" width=\"601\" height=\"277\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image17-1024x472.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image17-300x138.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image17-768x354.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image17-1536x708.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image17-1320x608.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image17.png 1999w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Currently, the Keycloak client configuration is incomplete and will be addressed later. To complete the setup process, it is essential to first configure Couchbase.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Step 3: Configuring SAML with Couchbase Server<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Once Keycloak is configured as a SAML Identity Provider, the next step is to integrate it with your Couchbase. 
This integration allows your Couchbase to authenticate users through Keycloak using SAML.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Understanding the Integration<\/span><\/h3>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Role of Keycloak<\/b><span style=\"font-weight: 400;\">: Keycloak acts as the SAML Identity Provider (IdP), managing user identities and credentials.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Role of Your Couchbase<\/b><span style=\"font-weight: 400;\">: Your Couchbase functions as a SAML Service Provider (SP), relying on Keycloak for authentication.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3><span style=\"font-weight: 400;\">Preparing for SAML Integration<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">To configure Couchbase as a SAML Service Provider (SP), the initial step requires downloading the metadata from Keycloak.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The metadata endpoint can be accessed by navigating to the realm settings page within the Keycloak administration area.<\/span><\/p>\n<ul>\n<li><b>Open the settings page<\/b><span style=\"font-weight: 400;\">: To collect the necessary information from Keycloak, such as the SAML IdP metadata URL, open the <\/span><b>Realm settings<\/b><span style=\"font-weight: 400;\"> page:<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15800\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image14-1024x744.png\" alt=\"\" width=\"600\" height=\"436\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image14-1024x744.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image14-300x218.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image14-768x558.png 768w, 
https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image14-1536x1116.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image14-1320x959.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image14.png 1999w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Locate the Endpoints<\/b><span style=\"font-weight: 400;\">: scroll down to the Endpoints section and open the SAML 2.0 Identity Provider Metadata in a new window. The URL should look like\u00a0 <code>https:\/\/localhost:8080\/auth\/realms\/{realm-name}\/protocol\/saml\/descriptor<\/code>. In our case it is `<\/span><span style=\"font-weight: 400;\"><code>https:\/\/localhost:8080\/realms\/MyIdentityRealm\/protocol\/saml\/descriptor<\/code><\/span><span style=\"font-weight: 400;\">`. Yours might be different depending on what the name of the realm is. 
Open this in a new tab and locate the key information in the metadata file.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The certificate information can be found in the <\/span><em><span style=\"font-weight: 400;\">X509Certificate <\/span><\/em><span style=\"font-weight: 400;\">tag<\/span><span style=\"font-weight: 400;\">.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre class=\"nums:false lang:default decode:true\">&lt;ds:X509Data&gt;\r\n&lt;ds:X509Certificate&gt;MIICrTCCAZUCBgGM.....&lt;\/ds:X509Certificate&gt;\r\n&lt;\/ds:X509Data&gt;<\/pre>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The login and logout binding can be located in the corresponding <\/span><span style=\"font-weight: 400;\">SingleSignOnService<\/span> <span style=\"font-weight: 400;\">and <\/span><span style=\"font-weight: 400;\">SingleLogoutService<\/span> <span style=\"font-weight: 400;\">tags. 
They should look like the following code snippets:<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre class=\"nums:false wrap:true lang:default decode:true\">&lt;md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https:\/\/localhost:8080\/realms\/MyIdentityRealm\/protocol\/saml\"\/&gt;<\/pre>\n<pre class=\"nums:false wrap:true lang:default decode:true \">&lt;md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https:\/\/localhost:8080\/realms\/MyIdentityRealm\/protocol\/saml\"\/&gt;\r\n\r\n<\/pre>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The entityID can be located in the <\/span><span style=\"font-weight: 400;\">EntityDescriptor <\/span><span style=\"font-weight: 400;\">and should look like this:<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre class=\"nums:false lang:default decode:true \">entityID=\"https:\/\/localhost:8080\/realms\/MyIdentityRealm\"<\/pre>\n<p><span style=\"font-weight: 400;\">Store this metadata file on your computer, as it is required for configuring SAML in Couchbase. The certificate, entityID, login and logout bindings will all be needed when you create the SAML configuration in Couchbase.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Configuring Couchbase as a Service Provider<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Having established Keycloak as an Identity Provider (IdP), the next step is to configure the Couchbase server to function as a SAML Service Provider (SP). This section provides detailed instructions for the initial setup and configuration process.<\/span><\/p>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Log in to your Couchbase server UI:<\/b><span style=\"font-weight: 400;\"> Log in to the administrative UI of Couchbase server. 
This is where you&#8217;ll configure the SAML settings.<\/span><\/li>\n<li aria-level=\"1\"><b>Click on Security: <\/b>Select Security in the left-hand navigation.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15812\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image26.png\" alt=\"\" width=\"156\" height=\"353\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image26.png 230w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image26-133x300.png 133w\" sizes=\"auto, (max-width: 156px) 100vw, 156px\" \/><\/li>\n<li aria-level=\"1\"><b>Click on the SAML tab: <\/b><span style=\"font-weight: 400;\">Locate the SAML tab at the top and click on it. This will open the SAML configuration page.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15807\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image21-1024x89.png\" alt=\"\" width=\"600\" height=\"52\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image21-1024x89.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image21-300x26.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image21-768x67.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image21-1320x115.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image21.png 1334w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><br \/>\n<\/span><\/li>\n<li aria-level=\"1\"><b>Enable SAML Authentication:<\/b><span style=\"font-weight: 400;\"> There is a checkbox below the text. 
Toggle this setting on.<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15796\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image10-1024x204.png\" alt=\"\" width=\"598\" height=\"119\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image10-1024x204.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image10-300x60.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image10-768x153.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image10-1536x306.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image10-1320x263.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image10.png 1796w\" sizes=\"auto, (max-width: 598px) 100vw, 598px\" \/><br \/>\n<\/span><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<h3><span style=\"font-weight: 400;\">Metadata Configuration<\/span><\/h3>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>SP Entity ID<\/b><span style=\"font-weight: 400;\">: Set the Entity ID for Couchbase server. This is the unique identifier that you configured in Keycloak as the Client ID, and it will be used to recognize your service. Use the same Entity ID you used on the Keycloak screen: \u201c<em>couchbase-ui<\/em>\u201d<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Organization detail: <\/b><span style=\"font-weight: 400;\">Fill in the Org Name and Contact fields with your information.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>SP Base URL Type<\/b><span style=\"font-weight: 400;\">: Select <\/span><b>Custom URL<\/b><span style=\"font-weight: 400;\"> and use the URL at which your service is accessible from the internet. 
I will specify <\/span><a href=\"https:\/\/127.0.0.1:8091\/\"><span style=\"font-weight: 400;\">https:\/\/127.0.0.1:8091<\/span><\/a><span style=\"font-weight: 400;\"> as I am running the Couchbase server locally.<\/span><\/li>\n<li aria-level=\"1\"><b>Sign Metadata<\/b>: Make sure that the \u2018Sign metadata using certificates specified below\u2019 toggle is enabled.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15792\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image6-1-1024x861.png\" alt=\"\" width=\"602\" height=\"506\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image6-1-1024x861.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image6-1-300x252.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image6-1-768x646.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image6-1-1536x1292.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image6-1-1320x1110.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image6-1.png 1822w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<h3><span style=\"font-weight: 400;\">Certificate Management<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">The Service Provider will also require a Private Key and an X.509 certificate, which is different from the Node or Cluster certificate. 
This specific certificate will be utilized for actions related to SAML.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In this example I will use a self-signed certificate.<\/span><\/p>\n<pre class=\"nums:false wrap:true lang:default decode:true\">openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 730 -nodes -subj \"\/C=CO\/ST=State\/L=City\/O=Company\/OU=Unit\/CN=127.0.0.1\"\r\n\r\n<\/pre>\n<p><span style=\"font-weight: 400;\">This command should have created two files (<em>cert.pem<\/em> and <em>key.pem<\/em>).<\/span><\/p>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Upload Private Key<\/b><span style=\"font-weight: 400;\">: Open the Key and Certificate section, and upload your private key.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Upload Certificate<\/b><span style=\"font-weight: 400;\">: Also upload your certificate.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Certificate chain<\/b>: Optionally, if you need a certificate chain, upload that as well. 
In my example I do not need a chain as my certificate is self signed.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15830\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image44-1024x655.png\" alt=\"\" width=\"602\" height=\"385\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image44-1024x655.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image44-300x192.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image44-768x491.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image44-1536x983.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image44-1320x845.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image44.png 1694w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<h3><span style=\"font-weight: 400;\">Identity Provider Configuration<\/span><\/h3>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li><b>Open Metadata<\/b><span style=\"font-weight: 400;\">: Open the metadata section of this configuration<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15794\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image8-1.png\" alt=\"\" width=\"583\" height=\"149\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image8-1.png 948w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image8-1-300x77.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image8-1-768x196.png 768w\" sizes=\"auto, (max-width: 583px) 100vw, 583px\" \/><\/span><\/li>\n<li><b>Configure Metadata<\/b><span style=\"font-weight: 400;\">: Change the Load IDP metadata from setting from <\/span><b>URL<\/b><span style=\"font-weight: 400;\"> to 
File<\/span><\/li>\n<li><b>Open file<\/b><span style=\"font-weight: 400;\">: Find the file that you have downloaded from Keycloak in an earlier step.<\/span><\/li>\n<li><b>Copy the content<\/b><span style=\"font-weight: 400;\">: Select the whole file and copy the content to the clipboard<\/span><\/li>\n<li><b>Paste the XML<\/b>: Go back to Couchbase server and paste the xml into the textarea<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15826\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image40-1024x414.png\" alt=\"\" width=\"601\" height=\"243\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image40-1024x414.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image40-300x121.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image40-768x311.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image40-1536x621.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image40-1320x534.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image40.png 1676w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/li>\n<li><b>Enable Verify remote peer: <\/b><span style=\"font-weight: 400;\">Toggle the Verify remote peer to make sure it is on<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15813\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image27.png\" alt=\"\" width=\"277\" height=\"39\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image27.png 482w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image27-300x42.png 300w\" sizes=\"auto, (max-width: 277px) 100vw, 277px\" \/><br \/>\n<\/span><\/li>\n<li><b>Open Single Sign-On<\/b><span style=\"font-weight: 400;\">: In Settings section open 
Single Sign-on\u00a0<\/span><\/li>\n<li><b>Post binding<\/b><span style=\"font-weight: 400;\">: Make sure that both of the Bindings are configured to use Post<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15825\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image39.png\" alt=\"\" width=\"273\" height=\"193\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image39.png 586w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image39-300x212.png 300w\" sizes=\"auto, (max-width: 273px) 100vw, 273px\" \/><br \/>\n<\/span><\/li>\n<li><b>Click Save<\/b><span style=\"font-weight: 400;\">: Click save to persist your configuration.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15806\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image20-1024x322.png\" alt=\"\" width=\"601\" height=\"189\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image20-1024x322.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image20-300x94.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image20-768x242.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image20-1536x483.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image20-1320x415.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image20.png 1850w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><br \/>\n<\/span><\/li>\n<li><b>Write down endpoint information<\/b><span style=\"font-weight: 400;\">: Remember to note down the SP consume URL and the SP logout URL, as they will be necessary for STEP 5.<\/span><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<h2><span style=\"font-weight: 400;\">Step 5: Configuring Keycloak as a SAML Identity Provider Part 
2<\/span><\/h2>\n<h3><span style=\"font-weight: 400;\">SAML Capabilities<\/span><\/h3>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Open Keycloak<\/b><span style=\"font-weight: 400;\">: Go back to the Keycloak admin console and log-in<\/span><\/li>\n<li><b>Find the client:<\/b><span style=\"font-weight: 400;\"> Click Clients and find the SAML client you created earlier and open it.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15799\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image13-1024x322.png\" alt=\"\" width=\"601\" height=\"189\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image13-1024x322.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image13-300x94.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image13-768x241.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image13-1536x483.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image13-1320x415.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image13.png 1999w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><br \/>\n<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Scroll down to <\/span><b>SAML capabilities<\/b><span style=\"font-weight: 400;\">: On this screen, scroll down to locate the SAML capabilities section. 
Ensure that your configuration aligns with the settings shown in the image below.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15809\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image23-1024x579.png\" alt=\"\" width=\"599\" height=\"339\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image23-1024x579.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image23-300x170.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image23-768x435.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image23-1536x869.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image23-1320x747.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image23.png 1999w\" sizes=\"auto, (max-width: 599px) 100vw, 599px\" \/><br \/>\n<\/span><\/li>\n<li><b>Signature and Encryption<\/b><span style=\"font-weight: 400;\">: Proceed to the section following SAML Capabilities and verify that your configuration matches the one depicted in the picture below. 
Especially the <\/span><b>Sign Assertions<\/b><span style=\"font-weight: 400;\"> checkbox.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15797\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image11-1024x594.png\" alt=\"\" width=\"478\" height=\"277\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image11-1024x594.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image11-300x174.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image11-768x445.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image11-1320x765.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image11.png 1328w\" sizes=\"auto, (max-width: 478px) 100vw, 478px\" \/><br \/>\n<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Click <\/span><b>Save <\/b><span style=\"font-weight: 400;\">to create a new SAML client<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3><span style=\"font-weight: 400;\">Client Certificate Setup<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Open the <\/span><b>Keys<\/b><span style=\"font-weight: 400;\"> section of the SAML Client configuration and follow the instructions.<\/span><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><span style=\"font-weight: 400;\">Scroll down to <\/span><b>Certificate<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15824\" style=\"font-weight: 400;\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image38-1024x282.png\" alt=\"\" width=\"599\" height=\"165\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image38-1024x282.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image38-300x83.png 300w, 
https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image38-768x212.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image38-1536x423.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image38-1320x364.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image38.png 1930w\" sizes=\"auto, (max-width: 599px) 100vw, 599px\" \/><br \/>\n<\/b><\/li>\n<li><span style=\"font-weight: 400;\">Click <\/span><b>\u201cImport key<\/b><span style=\"font-weight: 400;\">\u201d: Select the &#8216;Import key&#8217; option to open the dialog window, where you can choose the Certificate you uploaded to the Couchbase server. The IdP (Keycloak) will utilize this certificate to validate the signature of requests sent by Couchbase.<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Upload \u201c<\/span><b>Certificate<\/b><span style=\"font-weight: 400;\">\u201d: First, choose the &#8220;Certificate PEM&#8221; option for the archive format, then click the Browse button to select your certificate in PEM format.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15816\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image30-1024x594.png\" alt=\"\" width=\"412\" height=\"239\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image30-1024x594.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image30-300x174.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image30-768x446.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image30.png 1096w\" sizes=\"auto, (max-width: 412px) 100vw, 412px\" \/><br \/>\n<\/span><\/li>\n<li><b>Import<\/b><span style=\"font-weight: 400;\">: Click Import to load the Certificate into Keycloak<\/span><\/li>\n<li><b>Reload<\/b><span 
style=\"font-weight: 400;\">: At this point make sure you reload the whole web page<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3><span style=\"font-weight: 400;\">Fine Grain SAML Endpoint Configuration<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Open the <\/span><b>Advanced<\/b><span style=\"font-weight: 400;\"> section of the SAML Client configuration and follow the instructions.<\/span><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><span style=\"font-weight: 400;\">Scroll down to \u201c<\/span><b>Fine Grain SAML Endpoint Configuration<\/b><span style=\"font-weight: 400;\">\u201d<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15804\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image18-1024x837.png\" alt=\"\" width=\"520\" height=\"425\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image18-1024x837.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image18-300x245.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image18-768x628.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image18-1320x1079.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image18.png 1488w\" sizes=\"auto, (max-width: 520px) 100vw, 520px\" \/><br \/>\n<\/span><\/li>\n<li><b>Fill in Assertion Consumer Service POST Binding URL<\/b><span style=\"font-weight: 400;\">: Take the <\/span><b>Current SP consume URL<\/b><span style=\"font-weight: 400;\"> value from Couchbase SAML settings page and paste it into Assertion Consumer Service POST Binding URL field in Keycloak.<\/span><\/li>\n<li><b>Fill in <\/b><b>Logout Service POST Binding URL<\/b><b>: <\/b><span style=\"font-weight: 400;\">In this step use the <\/span><b>Current SP logout URL<\/b><span style=\"font-weight: 400;\"> field from Couchbase and paste it into the <\/span><b>Logout 
Service POST Binding URL<\/b><span style=\"font-weight: 400;\"> field.<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15820\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image34-1024x279.png\" alt=\"\" width=\"599\" height=\"163\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image34-1024x279.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image34-300x82.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image34-768x209.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image34-1536x419.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image34-1320x360.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image34.png 1999w\" sizes=\"auto, (max-width: 599px) 100vw, 599px\" \/><br \/>\n<\/span><\/li>\n<li>Click <strong>Save<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">Testing the Integration<\/span><\/h2>\n<h3><span style=\"font-weight: 400;\">Create a Keycloak user<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">After configuring both the Service Provider (Couchbase) and the Identity Provider (Keycloak), we now need to create a test user before proceeding to test the integration.<\/span><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Open Keycloak<\/b><span style=\"font-weight: 400;\">: Go back to the Keycloak admin console and log-in<\/span><\/li>\n<li><b>Select<\/b><span style=\"font-weight: 400;\"> Users: Click on the Users menu item on the left<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15821\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image35-1024x336.png\" alt=\"\" width=\"598\" height=\"196\" 
srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image35-1024x336.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image35-300x98.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image35-768x252.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image35-1536x503.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image35-1320x433.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image35.png 1999w\" sizes=\"auto, (max-width: 598px) 100vw, 598px\" \/><br \/>\n<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Click \u201c<\/span><b>Add user<\/b><span style=\"font-weight: 400;\">\u201d: Click on the &#8216;Add User&#8217; button to add a new Keycloak test user<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15810\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image24-1024x506.png\" alt=\"\" width=\"599\" height=\"296\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image24-1024x506.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image24-300x148.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image24-768x379.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image24-1536x758.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image24-1320x652.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image24.png 1999w\" sizes=\"auto, (max-width: 599px) 100vw, 599px\" \/><br \/>\n<\/span><\/li>\n<li><b>Create<\/b><span style=\"font-weight: 400;\">: will create a user in Keycloak.\u00a0<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Select <\/span><b>Credential<\/b><span 
style=\"font-weight: 400;\"> tab: Once the user is created, you will be directed to the user edit screen. On this screen, navigate to the Credentials tab and ensure you set a password for this user by clicking on <\/span><b>Set Password:<\/b><span style=\"font-weight: 400;\"><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15787\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image1-3-1024x540.png\" alt=\"\" width=\"381\" height=\"201\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image1-3-1024x540.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image1-3-300x158.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image1-3-768x405.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image1-3-818x434.png 818w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image1-3.png 1092w\" sizes=\"auto, (max-width: 381px) 100vw, 381px\" \/><br \/>\n<\/span><\/li>\n<li><span style=\"font-weight: 400;\">Click <\/span><b>Save: Save <\/b><span style=\"font-weight: 400;\">then <\/span><b>Save Password<\/b><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3><span style=\"font-weight: 400;\">Add SAML email mapper<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Now, it&#8217;s important to determine which user attributes will be used to map Keycloak users to Couchbase users. 
In this example, we&#8217;ll use the email field, but it&#8217;s also feasible to use the username or any other user attribute.<\/span><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Open Keycloak<\/b><span style=\"font-weight: 400;\">: Go back to the Keycloak admin console and log-in<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Find the client:<\/b> Click Clients and find the SAML client you created earlier and open it<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15799\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image13-1024x322.png\" alt=\"\" width=\"598\" height=\"188\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image13-1024x322.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image13-300x94.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image13-768x241.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image13-1536x483.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image13-1320x415.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image13.png 1999w\" sizes=\"auto, (max-width: 598px) 100vw, 598px\" \/><\/li>\n<li aria-level=\"1\"><b>Open Client scopes<\/b><span style=\"font-weight: 400;\">: Open Client scopes<\/span><\/li>\n<li aria-level=\"1\"><b>Click on the scope link<\/b><span style=\"font-weight: 400;\">: Each client has a default scope named after the client, which in this case is <em>couchbase-ui-dedicated<\/em>. 
Click on this link to modify the scope settings:<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15801\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image15-1024x379.png\" alt=\"\" width=\"603\" height=\"223\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image15-1024x379.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image15-300x111.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image15-768x284.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image15-1536x568.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image15-1320x488.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image15.png 1999w\" sizes=\"auto, (max-width: 603px) 100vw, 603px\" \/><br \/>\n<\/span><\/li>\n<li aria-level=\"1\"><b>Add mapper<\/b><span style=\"font-weight: 400;\">: In the new screen that appears after clicking on the scope link, click on the &#8220;<\/span><b>Configure a new mapper<\/b><span style=\"font-weight: 400;\">&#8221; button.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15818\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image32-1024x435.png\" alt=\"\" width=\"445\" height=\"189\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image32-1024x435.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image32-300x127.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image32-768x326.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image32-1320x561.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image32.png 1398w\" sizes=\"auto, (max-width: 445px) 100vw, 445px\" \/><br 
\/>\n<\/span><\/li>\n<li aria-level=\"1\"><b>Select <\/b><b>User Attribute: <\/b><span style=\"font-weight: 400;\">From the list that is displayed select the \u201c<\/span><b>User Attribute<\/b><span style=\"font-weight: 400;\">\u201d mapper<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15789\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image3-1-1024x66.png\" alt=\"\" width=\"605\" height=\"39\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image3-1-1024x66.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image3-1-300x19.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image3-1-768x50.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image3-1-1536x99.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image3-1-1320x85.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image3-1.png 1644w\" sizes=\"auto, (max-width: 605px) 100vw, 605px\" \/><br \/>\n<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><b>Complete the form<\/b><span style=\"font-weight: 400;\">: Complete the form with the values as shown in the image below, paying particular attention to ensuring that the <em>SAML Attribute NameFormat<\/em> is set to <em>unspecified<\/em>.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15829\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image43-1024x624.png\" alt=\"\" width=\"599\" height=\"365\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image43-1024x624.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image43-300x183.png 300w, 
https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image43-768x468.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image43-1536x937.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image43-1320x805.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image43.png 1999w\" sizes=\"auto, (max-width: 599px) 100vw, 599px\" \/><br \/>\n<\/span><\/li>\n<li><b>Save<\/b><span style=\"font-weight: 400;\">: Click <\/span><b>Save<\/b><span style=\"font-weight: 400;\"> to add the mapper to the scope<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3><span style=\"font-weight: 400;\">Configure Couchbase to use the mapper<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">The IdP is now transmitting the email attribute in the SAML Response, but Couchbase has not yet been configured to utilize this attribute for user identification:<\/span><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Login to your Couchbase server UI<\/b><span style=\"font-weight: 400;\">: Log in to the administrative UI of Couchbase server. 
This is where you&#8217;ll configure the SAML settings.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Click on Security<\/b><span style=\"font-weight: 400;\">: Select security in the left hand side navigation.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Select SAML tab: <\/b><span style=\"font-weight: 400;\">Click on the SAML tab to open the SAML settings<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Scroll down to Settings<\/b><span style=\"font-weight: 400;\">: Scroll down to the Settings section and open <\/span><b>Single Sign-On<\/b><span style=\"font-weight: 400;\"> section to configure the username mapping<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Configure attribute:<\/b> Modify the &#8216;Username attribute&#8217; field to match the SAML Attribute Name you specified in Keycloak. In this example, &#8217;email&#8217; was used.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15802\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image16-1024x778.png\" alt=\"\" width=\"470\" height=\"357\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image16-1024x778.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image16-300x228.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image16-768x584.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image16.png 1274w\" sizes=\"auto, (max-width: 470px) 100vw, 470px\" \/><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3><span style=\"font-weight: 400;\">User to user mapping<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">The most simple way to map users is to create external users in Couchbase server that match the users in Keycloak. 
In this example I did just that.\u00a0<\/span><\/p>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Find email in Keycloak<\/b><span style=\"font-weight: 400;\">: Go back to Keycloak\u00a0 and find the email address of your user.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Open Couchbase server UI<\/b><span style=\"font-weight: 400;\">: Open Couchbase server UI<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Click on Security<\/b><span style=\"font-weight: 400;\">: On the left you can find the security link<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Open the Users tab<\/b>: On the top you will find the Users\/Groups tab click on that to list the users in Couchbase server<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15823\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image37-1024x54.png\" alt=\"\" width=\"613\" height=\"32\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image37-1024x54.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image37-300x16.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image37-768x41.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image37-1320x70.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image37.png 1428w\" sizes=\"auto, (max-width: 613px) 100vw, 613px\" \/><b><\/b><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Add user<\/b><span style=\"font-weight: 400;\">: Click on the Add user button on the top right corner<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>External user<\/b>: You need to make sure you set up your user as\u00a0 \u201cExternal\u201d\u00a0 <a 
href=\"https:\/\/docs.couchbase.com\/server\/current\/manage\/manage-security\/manage-users-and-roles.html#adding-an-externally-authenticated-user\">see our documentation<\/a>.<\/li>\n<li aria-level=\"1\"><b>Fill in username:<\/b><span style=\"font-weight: 400;\"> You copy the Keycloak email into this field<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15819\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image33-1024x389.png\" alt=\"\" width=\"600\" height=\"228\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image33-1024x389.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image33-300x114.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image33-768x292.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image33-1536x584.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image33-1320x501.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image33.png 1574w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><br \/>\n<\/span><b><\/b><\/li>\n<li aria-level=\"1\"><b>Set up roles:<\/b><span style=\"font-weight: 400;\"> On the right hand side you need to select the exact roles your user should have<\/span><\/li>\n<li aria-level=\"1\"><b>Set up Groups:<\/b><span style=\"font-weight: 400;\"> (Optional) You can also add your external user to any Couchbase\u00a0 server groups you specified earlier<\/span><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p>At this point you are ready to test the login with this test user. 
So head over to your Couchbase login page and click on <b>Sign in Using SSO:<br \/>\n<\/b><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15795\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image9.png\" alt=\"\" width=\"378\" height=\"313\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image9.png 904w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image9-300x248.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image9-768x635.png 768w\" sizes=\"auto, (max-width: 378px) 100vw, 378px\" \/><\/p>\n<h3><span style=\"font-weight: 400;\">User mapping using groups<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">While user to user mapping is a great start, a better approach for aligning SSO users with Couchbase users involves mapping SSO groups to Couchbase groups. Then, utilize these Couchbase groups to assign appropriate roles, allowing for granular control without the need for individual user-to-user mapping.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Create a new group in Keycloak and assign users to it<\/span><\/h3>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Log into Keycloak: <\/b><span style=\"font-weight: 400;\">Log into the Keycloak admin console and select your realm.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Click on Groups<\/b><span style=\"font-weight: 400;\">: Click on the Groups menu item in the left hand navigation<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Create Groups in Keycloak<\/b><span style=\"font-weight: 400;\">. I am going to create a group called <em>ro_admin<\/em>\u00a0in Keycloak. 
Click on the Create group button.<br \/>\n<\/span><span style=\"font-weight: 400;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15793\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image7-1-1024x381.png\" alt=\"\" width=\"414\" height=\"154\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image7-1-1024x381.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image7-1-300x112.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image7-1-768x286.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image7-1.png 1316w\" sizes=\"auto, (max-width: 414px) 100vw, 414px\" \/><\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Name your group<\/b><span style=\"font-weight: 400;\">: Name your group \u201cro_admin\u201d<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15805\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image19-1024x324.png\" alt=\"\" width=\"364\" height=\"115\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image19-1024x324.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image19-300x95.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image19-768x243.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image19.png 1080w\" sizes=\"auto, (max-width: 364px) 100vw, 364px\" \/><\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Create group<\/b><span style=\"font-weight: 400;\">: Create the group by clicking on the Create button.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Open your test user<\/b><span style=\"font-weight: 400;\">: Click on 
Users in the left hand navigation and find your test user and open the user.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Select the Groups tab<\/b><span style=\"font-weight: 400;\">: Click on the groups tab to view the currently assigned groups.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15822\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image36-1024x467.png\" alt=\"\" width=\"430\" height=\"196\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image36-1024x467.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image36-300x137.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image36-768x350.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image36.png 1122w\" sizes=\"auto, (max-width: 430px) 100vw, 430px\" \/><br \/>\n<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Click on Join Group:<\/b><span style=\"font-weight: 400;\"> Click on the Join Group button to assign the new group you have just created to this test user.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Tick the group name<\/b>: Tick the <em>ro_admin<\/em>\u00a0group name from the list and click <b>Join<\/b>.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15827\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image41-1024x732.png\" alt=\"\" width=\"344\" height=\"246\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image41-1024x732.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image41-300x214.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image41-768x549.png 768w, 
https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image41.png 1066w\" sizes=\"auto, (max-width: 344px) 100vw, 344px\" \/><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<h3><span style=\"font-weight: 400;\">Set up SAML group mappers in Keycloak<\/span><\/h3>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Go to Clients:<\/b><span style=\"font-weight: 400;\"> Open the Clients area in Keycloak and select the client you created earlier for the Couchbase integration.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Select Client Scopes<\/b><span style=\"font-weight: 400;\">: Select the Client Scopes tab to edit the built-in scope for this client.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Open scope<\/b>: Click on the scope name, which should be your client name followed by -dedicated. In our case this is called: <b>couchbase-ui-dedicated<\/b><b><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15817\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image31-1024x502.png\" alt=\"\" width=\"600\" height=\"294\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image31-1024x502.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image31-300x147.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image31-768x377.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image31-1536x753.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image31-1320x647.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image31.png 1868w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><br \/>\n<\/b><\/li>\n<li aria-level=\"1\"><b>Add mapper: <\/b><span style=\"font-weight: 400;\">Click on Add Mapper -&gt; By Configuration and from the list select 
the <\/span><b>Group List<\/b><span style=\"font-weight: 400;\"> mapper.<br \/>\n<\/span><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15811\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image25-1024x491.png\" alt=\"\" width=\"600\" height=\"288\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image25-1024x491.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image25-300x144.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image25-768x368.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image25-1536x736.png 1536w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image25-1320x633.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image25.png 1648w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/li>\n<li aria-level=\"1\"><b>Set up the new mapper<\/b><span style=\"font-weight: 400;\">: Complete the form fields as illustrated in the image below. 
This will establish a group mapper that transfers the user groups to Couchbase in the SAML Attribute named <em>groups<\/em>.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15791\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image5-1-1024x963.png\" alt=\"\" width=\"501\" height=\"471\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image5-1-1024x963.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image5-1-300x282.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image5-1-768x722.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image5-1-1320x1242.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image5-1.png 1482w\" sizes=\"auto, (max-width: 501px) 100vw, 501px\" \/><\/span><\/li>\n<li aria-level=\"1\"><span style=\"font-weight: 400;\">Click <\/span><b>Save<\/b><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<h3><span style=\"font-weight: 400;\">Set up SAML group configuration in Couchbase<\/span><\/h3>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li><span style=\"font-weight: 400;\"><b style=\"color: #333333; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 19px;\">Log into Couchbase: <\/b><span style=\"font-weight: 400;\">Log into the Couchbase admin console and go to <\/span><b style=\"color: #333333; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 19px;\">Security<\/b><span style=\"font-weight: 400;\"> and open the <\/span><b style=\"color: #333333; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 19px;\">SAML<\/b><span style=\"font-weight: 400;\"> settings page.<\/span><br \/>\n<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Scroll down to Settings<\/b><span style=\"font-weight: 400;\">: Scroll down to 
the Settings section and open <\/span><b>Single Sign on<\/b><\/li>\n<li><b>Find the group mapping section<\/b><span style=\"font-weight: 400;\">: Navigate to the <\/span><b>Group<\/b><span style=\"font-weight: 400;\"> settings section and configure it as depicted in the image below. Make sure you tick the <\/span><b>Groups attribute<\/b><span style=\"font-weight: 400;\"> checkbox and enter the name of the attribute we set up in Keycloak just before. In my case this is called <\/span><b>groups<\/b><span style=\"font-weight: 400;\">.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15790\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image4-1-1024x116.png\" alt=\"\" width=\"539\" height=\"61\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image4-1-1024x116.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image4-1-300x34.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image4-1-768x87.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image4-1-1320x150.png 1320w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image4-1.png 1412w\" sizes=\"auto, (max-width: 539px) 100vw, 539px\" \/><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15814\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image28.png\" alt=\"\" width=\"432\" height=\"377\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image28.png 904w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image28-300x262.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image28-768x671.png 768w\" sizes=\"auto, (max-width: 432px) 100vw, 432px\" \/><br \/>\n<\/span><\/li>\n<li><b>Create a group<\/b><span style=\"font-weight: 400;\">: Go to Security and 
click on the <\/span><b>ADD GROUP<\/b><span style=\"font-weight: 400;\"> button on the top right corner.\u00a0<\/span><b><\/b><\/li>\n<li><b>Enter group details<\/b><span style=\"font-weight: 400;\">: Fill in the Group name and assign some roles as well. I am going to create a Read-Only administrator group in this example.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-15828\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2024\/05\/image42-1024x965.png\" alt=\"\" width=\"478\" height=\"450\" srcset=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image42-1024x965.png 1024w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image42-300x283.png 300w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image42-768x724.png 768w, https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2024\/05\/image42.png 1248w\" sizes=\"auto, (max-width: 478px) 100vw, 478px\" \/><br \/>\n<\/span><\/li>\n<li>Click\u00a0<strong>Save<\/strong><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">You are now prepared to conduct your initial group mapping test. If you previously created an external user in the User to User mapping section, it must be deleted to proceed with this test. It&#8217;s noteworthy that Couchbase will perform Just-In-Time (JIT) user provisioning in this scenario. There&#8217;s no necessity for a pre-existing external user; Couchbase will automatically create one and, based on the group mapping, assign the appropriate role to this user.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Troubleshooting<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">If you face any problems, review the SAML response and request logs in both Keycloak and Couchbase for potential errors or misconfigurations. 
Additionally, refer to our previous article on SAML, which offers numerous helpful tips for troubleshooting SAML-related issues.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Security Best Practices<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Implementing strong security practices is crucial when integrating SAML with Keycloak and Couchbase. This section highlights key security considerations and best practices to ensure a secure and robust setup.<\/span><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Use HTTPS<\/b><span style=\"font-weight: 400;\">: Always use HTTPS instead of HTTP for all communications involving Keycloak and Couchbase, including the Assertion Consumer Service (ACS) URL.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Certificates and Keys<\/b><span style=\"font-weight: 400;\">: Use strong, up-to-date encryption certificates and keys for SAML assertions. Configure Keycloak and Couchbase to trust these certificates.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Logs<\/b><span style=\"font-weight: 400;\">: Regularly review logs in both Keycloak and Couchbase for any unusual activity or security breaches.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Audit Trails<\/b><span style=\"font-weight: 400;\">: Maintain audit trails for critical actions and changes within Keycloak and Couchbase.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Review Default Settings<\/b><span style=\"font-weight: 400;\">: Carefully review and modify default configurations in Keycloak and Couchbase to enhance security.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">Conclusion<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">In this guide, we&#8217;ve explored the steps involved in integrating Couchbase with a SAML IdP, specifically focusing on configurations within 
Keycloak. This integration facilitates secure and efficient user management, leveraging the robust capabilities of Keycloak as an Identity Provider. Remember, security and efficiency in user management are not just goals but ongoing processes. Regularly update your systems, stay informed about the latest security trends, and be proactive in making improvements. Your feedback on this guide is invaluable. Feel free to share your experiences, challenges, and successes.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to this comprehensive guide on integrating Couchbase with Keycloak. In today&#8217;s digital environment, securing applications and managing identities efficiently is paramount. SAML (Security Assertion Markup Language) and Keycloak, a versatile Identity and Access Management (IAM) tool, together form a [&hellip;]<\/p>\n","protected":false},"author":84313,"featured_media":15798,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[1815,1816,1813],"tags":[9916,9953],"ppma_author":[9812],"class_list":["post-15786","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-best-practices-and-tutorials","category-couchbase-server","category-security","tag-keycloak","tag-saml"],"acf":[],"authors":[{"term_id":9812,"user_id":84313,"is_guest":0,"slug":"istvanorban","display_name":"Istvan Orban","avatar_url":{"url":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2023\/04\/image_2023-04-25_205027722.png","url2x":"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/sites\/1\/2023\/04\/image_2023-04-25_205027722.png"},"author_category":"","last_name":"Orban","first_name":"Istvan","job_title":"","user_url":"","description":"Istvan Orban is the Principal Product Manager for Couchbase and lives in the United Kingdom. Istvan has a wide range of experience as a Full stack Software Engineer, Team leader and Devops Engineer. His main focus is security and Single Sign On. Istvan has led several large scale projects of his 20 year professional career."}],"_links":{"self":[{"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/posts\/15786","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/users\/84313"}],"replies":[{"embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/comments?post=15786"}],"version-history":[{"count":0,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/posts\/15786\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/media\/15798"}],"wp:attachment":[{"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/media?parent=15786"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/categories?post=15786"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.couchbase.com\/
blog\/wp-json\/wp\/v2\/tags?post=15786"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=15786"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}