Keycloak

Harmony SASE can authenticate users through Keycloak, ensuring a secure and efficient login process by utilizing the Security Assertion Markup Language (SAML) protocol.

Prerequisites

  • Administrator access to the Harmony SASE Administrator Portal.

  • Administrator account for the Identity Provider Management Portal (the Keycloak Administrator Console).

Integration Procedure

To configure Keycloak as an Identity Provider:

  1. Log in to your Keycloak Administrator Console:

    1. Select the realm you want to configure.

    2. Go to Clients and click Create client.

      The Create client page appears.

    3. From the Client type list, select SAML.

    4. In the Client ID field, enter the audience URI (SP Entity ID) of your Harmony SASE workspace:

      • For US based platform - urn:auth0:perimeter81:{{WORKSPACE}}-oc

      • For EU based platform - urn:auth0:eu-sase-checkpoint:{{WORKSPACE}}-oc

        For example - acme.perimeter81.com workspace should translate to urn:auth0:perimeter81:acme-oc

    5. Click Next.

    6. In the Valid redirect URIs field, enter your workspace URL:

      • For US based platform - https://{{your-workspace}}.perimeter81.com/*

      • For EU based platform - https://{{your-workspace}}.eu.sase.checkpoint.com/*

    7. In the Master SAML Processing URL field, enter your Single sign-on URL:

      • For US based platform - https://auth.perimeter81.com/login/callback?connection={{WORKSPACE}}-oc

      • For EU based platform - https://auth.eu.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc

    8. Click Save.

    9. Go to Access settings and configure these settings in the SAML capabilities section:

    10. From the Name ID format list, select email, so that the Name ID in the assertion is the user's email address.

    11. Turn off the Force POST binding toggle button.

    12. Turn off the Include AuthnStatement toggle button.

    13. Go to the Signature and Encryption section.

    14. Turn off the Sign documents toggle button.

    15. Turn off the Sign assertion toggle button.

    16. From the Signature algorithm list, select RSA_SHA256.

    17. From the SAML signature key name list, select KEY_ID.

    18. Click the Keys tab.

    19. Turn off the Client signature required toggle button.

    20. Turn off the Encrypt assertions toggle button.

    21. Click the Client scopes tab.

    22. Select the assigned client scope named after your audience URI (SP Entity ID); for example, its name starts with urn:auth0.

    23. Click the Mappers tab.

    24. Click Add predefined mapper.

    25. Select these checkboxes:

      1. X500 email

      2. X500 givenName

      3. X500 surname

      This configuration passes the user's email address, given name and surname in the SAML response.

  2. To map the user profile, log in to the Harmony SASE Administrator Portal, click your profile icon at the top right corner and enter these:

    • First Name

    • Last Name

    Note - The groups in Keycloak must match the groups in Harmony SASE to be able to add the users into the corresponding groups in Harmony SASE.

  3. Log in to your Keycloak Administration Console:

    1. (Optional) Select Add mapper, then By configuration and select Group list to pass Group membership to Harmony SASE.

    2. In the Name field, enter Group Mapper.

    3. In the Group attribute name field, enter groups.

    4. From the SAML Attribute NameFormat list, select Basic.

    5. Turn on the Single Group Attribute toggle button.

    6. Turn off the Full group path toggle button.

    7. Click Save.

    8. Go to Clients and then click Create client.

    9. Click the Advanced tab.

    10. Click Fine Grain SAML Endpoint Configuration.

    11. In the Assertion Consumer Service POST Binding URL field, enter your Single sign-on URL:

      • For US based platform - https://auth.perimeter81.com/login/callback?connection={{WORKSPACE}}-oc

      • For EU based platform - https://auth.eu.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc

    12. In the Assertion Consumer Service Redirect Binding URL field, enter your Single sign-on URL:

      • For US based platform - https://auth.perimeter81.com/login/callback?connection={{WORKSPACE}}-oc

      • For EU based platform - https://auth.eu.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc

    13. Click Save.

    14. To collect the Sign-in URL and X509 Signing Certificate of your realm, which are required for the Identity Provider configuration in Harmony SASE:

    15. Go to Realm settings.

    16. Click the General tab and click SAML 2.0 Identity Provider Metadata under Endpoints.

    17. Copy the Sign-in URL and the X509 Signing Certificate.

  4. To configure Harmony SASE, log in to the Harmony SASE Administrator Portal:

    1. Go to Settings > Identity Providers.

    2. Click Add Provider.

    3. Select SAML 2.0 Identity Providers.

    4. Click Continue.

      The SAML 2.0 Identity Providers window appears.

    5. In the Sign in URL field, enter the sign-in URL copied in step 3.i.i.

    6. In the Domain Aliases field, enter your organization domain.

    7. In the X509 Signing Certificate field, enter the certificate copied in step 3.i.i.

    8. Click Done.
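As an added cross-check (not part of the Harmony SASE or Keycloak documentation), the Python below derives the SP-side values used in steps 1.4 to 1.7 from a workspace name and platform, and extracts the Sign-in URL and X509 Signing Certificate needed in step 3.17 from the realm's SAML 2.0 Identity Provider Metadata. The hostname kc.example.test, the realm name demo and the certificate text in the sample metadata are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Templates taken from the procedure above, keyed by platform region.
PLATFORMS = {
    "us": ("urn:auth0:perimeter81:{ws}-oc", "https://{ws}.perimeter81.com/*",
           "https://auth.perimeter81.com/login/callback?connection={ws}-oc"),
    "eu": ("urn:auth0:eu-sase-checkpoint:{ws}-oc", "https://{ws}.eu.sase.checkpoint.com/*",
           "https://auth.eu.sase.checkpoint.com/login/callback?connection={ws}-oc"),
}


def sp_values(workspace: str, platform: str) -> dict:
    """Client ID (SP Entity ID), Valid redirect URI and SSO/ACS URL for a workspace."""
    if not re.fullmatch(r"[a-z0-9-]+", workspace):
        raise ValueError("use the short workspace name, e.g. 'acme', not a hostname")
    entity, redirect, sso = PLATFORMS[platform]
    return {"client_id": entity.format(ws=workspace),
            "redirect_uri": redirect.format(ws=workspace),
            "sso_url": sso.format(ws=workspace)}


def idp_values(metadata_xml: str) -> dict:
    """Sign-in URL and X509 signing certificate from Keycloak realm IdP metadata."""
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("document is not SAML IdP metadata")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    # Only a use="signing" key verifies responses; an encryption key would not.
    certs = [c.text for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") == "signing"
             for c in kd.findall(".//ds:X509Certificate", NS)]
    if REDIRECT not in sso or not certs:
        raise ValueError("metadata lacks a Redirect SSO endpoint or a signing certificate")
    return {"sign_in_url": sso[REDIRECT], "x509_cert": "".join(certs[0].split())}


# Constructed sample of what the realm's SAML 2.0 Identity Provider Metadata endpoint returns.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://kc.example.test/realms/demo">
 <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>MIIC CONSTRUCTED PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://kc.example.test/realms/demo/protocol/saml"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://kc.example.test/realms/demo/protocol/saml"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Compare the dictionary returned by sp_values against the Client ID, Valid redirect URIs and Master SAML Processing URL fields in Keycloak, and the output of idp_values against the Sign in URL and X509 Signing Certificate fields in Harmony SASE.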