Cloudflare Docs

Keycloak is an open source identity and access management solution built by JBoss. If you need a Keycloak lab environment for testing, refer to this example.

Set up Keycloak (SAML)

To set up Keycloak (SAML) as your identity provider:

  1. In Keycloak, select Clients in the navigation bar and create a new client with the SAML client type.

  2. Under Client ID, enter the following URL:

    https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback

    For a SAML client, the Client ID is the service provider entity ID that Cloudflare Access sends as the Issuer of its authentication requests, so it must match this URL exactly. You can find your team name in Cloudflare One under Settings > Team name and domain > Team name.

    (Screenshot: SAML client interface with the team domain and callback URL in Client ID)

  3. Change the Name ID Format to email.

  4. Next, set Valid redirect URIs to the Cloudflare Access callback URL, the same value you entered as the Client ID. For example, https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback. Keycloak only returns SAML responses to a URL on this list, so a typo here makes the login fail on the Keycloak side before Access sees a response.

  5. Set the Master SAML Processing URL to your realm's SAML endpoint on the Keycloak domain: https://<keycloak_domain>/auth/realms/master/protocol/saml. The /auth prefix belongs to older WildFly-based Keycloak deployments; Keycloak 17 and later (Quarkus-based) serve the same endpoint at https://<keycloak_domain>/realms/master/protocol/saml unless a custom relative path was configured. Substitute your realm name for master if the client lives in a different realm, and use the same URL as the Single Sign-On URL in Cloudflare One later.

  6. If you wish to enable client signatures, enable Client Signature Required and select Save. With this enabled, Keycloak rejects authentication requests that are not signed with the certificate you import in the next sub-step.

    1. You will need to follow the steps here to get the certificate and enable it in the Cloudflare dashboard.

    2. Import the Access certificate you downloaded into the SAML Keys tab. Use Certificate PEM as the format.

  7. Set the built-in protocol mapper for the email property, so that the assertion carries the user's email address as an attribute in addition to the NameID.

    (Screenshot: Protocol Mapper with the email property set)

    Next, you will need to integrate with Cloudflare Access.

  8. In Cloudflare One, go to Integrations > Identity providers.

  9. Under Your identity providers, select Add new identity provider.

  10. Choose SAML on the next page.

    You will need to input the Keycloak details manually. The examples below should be replaced with the specific domains in use with Keycloak and Cloudflare Access.

    Field                          Example
    Single Sign-On URL             https://<keycloak_domain>/auth/realms/master/protocol/saml
    IdP Entity ID or Issuer URL    https://<unique_id>.cloudflareaccess.com/cdn-cgi/access/callback
    Signing certificate            The realm's X509 signing certificate, shown under Realm Settings > Keys in Keycloak
  11. SelectSave.
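The Single Sign-On URL and signing certificate in the table above can be read straight from the realm's SAML IdP descriptor instead of copied by hand from the admin console. The script below is an added example, not Cloudflare or Keycloak code; it assumes the descriptor is served at https://<keycloak_domain>/realms/<realm>/protocol/saml/descriptor (with an /auth prefix on older deployments), uses a constructed, trimmed copy of that document for the hypothetical host keycloak.example.com, and embeds dummy base64 in place of a real certificate. It also checks that the realm offers the email Name ID Format chosen in step 3 and flags the legacy /auth path so you know which URL form to enter.

```python
"""Read the Cloudflare One SAML form values from a Keycloak IdP descriptor.

Added example, not Cloudflare or Keycloak code. Feed it the XML from
https://<keycloak_domain>/realms/<realm>/protocol/saml/descriptor.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-in for the descriptor of realm "master" on a hypothetical
# host. The certificate is dummy base64, not a real X.509 certificate.
DUMMY_CERT_B64 = base64.b64encode(b"not a real certificate, sample only " * 6).decode()
SAMPLE_DESCRIPTOR = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.example.com/realms/master">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {DUMMY_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.com/realms/master/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.com/realms/master/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def to_pem(cert_b64: str) -> str:
    """Wrap the bare base64 from the descriptor as a PEM block, rejecting
    anything that is not valid base64 before it gets pasted anywhere."""
    base64.b64decode(cert_b64, validate=True)
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def cloudflare_fields(descriptor_xml: str) -> dict:
    """Pull the values for the Cloudflare One SAML form out of a Keycloak
    IdP descriptor, plus two sanity checks on the realm configuration."""
    root = ET.fromstring(descriptor_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not an IdP descriptor: no IDPSSODescriptor element")

    # Keycloak publishes the same Location for both bindings; take HTTP-POST.
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_POST:
            sso_url = svc.get("Location")
    if sso_url is None:
        raise ValueError("descriptor has no HTTP-POST SingleSignOnService")

    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            cert_b64 = "".join(node.text.split())  # drop the line breaks
            break
    if cert_b64 is None:
        raise ValueError("descriptor has no signing certificate")

    formats = [n.text for n in idp.findall("md:NameIDFormat", NS)]
    return {
        "sso_url": sso_url,
        "entity_id": root.get("entityID"),
        "signing_cert_pem": to_pem(cert_b64),
        # The email Name ID Format chosen in step 3 must be one the realm offers.
        "supports_email_nameid": EMAIL_FORMAT in formats,
        # True on WildFly-era deployments, where endpoints sit under /auth.
        "legacy_auth_prefix": "/auth/realms/" in sso_url,
    }


if __name__ == "__main__":
    for key, value in cloudflare_fields(SAMPLE_DESCRIPTOR).items():
        print(f"{key}: {value}")
```

The entity_id value is informational: it is the Issuer Keycloak writes into its responses, which is useful when a test login fails with an issuer mismatch. The table above shows the value this page uses for the Cloudflare field.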

To test that your connection is working, go to Integrations > Identity providers and select Test next to the login method you want to test.
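When the test fails, the quickest diagnosis is to capture the SAMLResponse form field that Keycloak posts to the callback URL (from the browser's network tools) and check it against the client settings from the steps above. The script below is an added example, not Cloudflare or Keycloak code: it assumes a hypothetical team name example-team and realm master, embeds a constructed, unsigned response, and assumes the built-in email mapper emits the X500 email attribute (Name urn:oid:1.2.840.113549.1.9.1, FriendlyName email). It reports configuration problems only and does not verify the XML signature, so it is a debugging aid, not a trust decision.

```python
"""Check a captured SAMLResponse against the Keycloak client settings.

Added example, not Cloudflare or Keycloak code. Signature verification is
deliberately out of scope here.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_OID = "urn:oid:1.2.840.113549.1.9.1"  # X500 email mapper attribute name
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical team name and realm; substitute your own.
CALLBACK = "https://example-team.cloudflareaccess.com/cdn-cgi/access/callback"
ISSUER = "https://keycloak.example.com/realms/master"

# Constructed, unsigned response shaped like Keycloak's; IDs and timestamps
# are placeholders.
GOOD_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="ID_1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{CALLBACK}">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="ID_2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_OID}" FriendlyName="email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
GOOD = base64.b64encode(GOOD_XML.encode()).decode()

# The same response with steps 3 and 7 skipped: persistent NameID, no email attribute.
BAD = base64.b64encode(
    GOOD_XML.replace(EMAIL_FORMAT, "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
    .replace("alice@example.com</saml:NameID>", "G-0a1b2c</saml:NameID>")
    .replace(f'Name="{EMAIL_OID}" FriendlyName="email"', 'Name="uid"')
    .encode()
).decode()


def check_response(saml_response_b64: str, callback: str, issuer: str) -> list:
    """Return the configuration problems visible in a SAMLResponse
    (empty list if it looks right). Does NOT verify the XML signature."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []

    if root.get("Destination") != callback:
        problems.append(f"Destination is {root.get('Destination')!r}, expected the Access callback (step 4)")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        problems.append("Issuer does not match the expected realm")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted assertions are not handled here)")
        return problems

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress (step 3)")
    emails = [
        attr.findtext("saml:AttributeValue", namespaces=NS)
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
        if "email" in (attr.get("Name"), attr.get("FriendlyName")) or attr.get("Name") == EMAIL_OID
    ]
    if not emails:
        problems.append("no email attribute in the assertion (step 7)")
    elif name_id is not None and name_id.text not in emails:
        problems.append("email attribute does not match the NameID")
    return problems


if __name__ == "__main__":
    print("good:", check_response(GOOD, CALLBACK, ISSUER))
    print("bad: ", check_response(BAD, CALLBACK, ISSUER))
```

A real Keycloak response is signed and, if you enabled assertion encryption on the client, carries an EncryptedAssertion instead of a plaintext one; the check reports that case rather than guessing.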

