Authentication with Keycloak

Here are some basic instructions for integrating a Structurizr on-premises installation with Keycloak via SAML 2.0. In this example, the Structurizr on-premises installation was running at http://localhost:7080.

1. Download IdP metadata

Find the realm that you would like to authenticate against, and download the SAML metadata by clicking the "SAML 2.0 Identity Provider Metadata" link, saving this as saml-idp-metadata.xml in your Structurizr data directory. This file carries the realm's entityID, its single sign-on endpoints and the certificate Structurizr will use to verify signed SAML responses, so fetch it over a trusted connection and treat it as configuration, not as a throwaway download.

SAML metadata

2. Register the Structurizr on-premises installation

Create a Keycloak "client" to represent the Structurizr on-premises installation. The "client ID" you use here is the service provider entityID that Structurizr puts in its SAML messages, so the same value must be set as the structurizr.saml.entityId property in your structurizr.properties file; a mismatch means Keycloak cannot match the request to the client.

Creating a client

After creation, you will need to change the following settings:

  • Client Signature Required: Off (otherwise Keycloak rejects the unsigned authentication request from Structurizr and you'll see an "Invalid requester" message). This only affects the AuthnRequest sent by Structurizr; keep Keycloak signing the SAML responses it sends back, since that signature is what Structurizr verifies.
  • Valid Redirect URIs: http://localhost:7080/saml/* (otherwise you'll see an "Invalid redirect URI" message). Keep the pattern as narrow as the deployment allows: scheme, host, port and the /saml/ path, with the https URL of the installation in production. A looser pattern such as * would let an attacker-supplied assertion consumer URL be accepted.

3. Add user property mappers

At this point, the integration should be functional, although Structurizr won't yet see the username and groups/roles associated with the user. To pass those across, you need to add a couple of mappers to the client, one for the e-mail address and one for groups, as shown below.

E-mail mapping

Group mapping