
Keycloak

LAST UPDATED: FEBRUARY 13, 2026

Overview

This guide provides step-by-step instructions for configuring SAML authentication between Keycloak and D3 vSOC. It describes how to create and configure a SAML client in Keycloak, and how to enable login to D3 vSOC using Keycloak as the identity provider.

Configuring SAML in Keycloak

  1. Log in to the admin console of Keycloak.

  2. Navigate to the Manage realms page.

  3. Click on the Create realm button.

  4. Name and finish creating the realm.

  5. Click into this newly created realm.

  6. Verify that the name of the new realm appears at the top-left corner.

  7. Click on the Realm settings menu item within the left sidebar.

  8. Click on the SAML 2.0 Identity Provider Metadata hyperlink near the bottom of the page.

  9. Store the value between the <ds:X509Certificate> and </ds:X509Certificate> tags securely for later reference.

  10. Navigate to the Clients page.

  11. Click on the Create client button.

  12. Configure the general settings.

    1. Select the SAML option from the client type dropdown.

    2. Enter your D3 vSOC URL (ending with /VSOC/D3SOC) in the Client ID field.

    3. Click on the Next button.

  13. Configure the Login settings.

    1. Enter your D3 vSOC URL (ending with /VSOC/D3SOC/D3SAML) in the Master SAML Processing URL field.

    2. Enter the path between the base URL and the /vSOC/D3SOC/D3SAML endpoint in the IDP-Initiated SSO URL name field, without the leading and trailing slashes.

    3. Click on the Save button.

  14. Scroll to the SAML capabilities section, then select the email option from the name ID format dropdown.

  15. Click on the Save button.

  16. Navigate to the Users page.

  17. Click on the Add user (or Create new user) button.

  18. Create the user.

    1. Enter a unique username.

    2. Enter an email address.

    3. Enter the first name of the user.

    4. Enter the last name of the user.

    5. Click on the Create button.

  19. Navigate to the Credentials tab, then click on the Set password button.

  20. Enter and confirm a strong password, then click on the Save button.


READER NOTE

Before proceeding, ensure that you have:

  • Created D3 user accounts (Organization Management > Users > + Add Users).

  • Reviewed the procedure for adding a new login method. The new Keycloak SAML login method must be assigned to the appropriate D3 user accounts (Application Settings > Login Authentication > Users).

  • Reviewed the SAMLEmailIDType article. Depending on the SAMLEmailIDType configuration, the D3 login username is either the full email address or its local part.

  21. Create a SAML20 D3 login authentication method.

    1. Name the authentication method.

    2. Construct and input the target URL in the following format:

      http://<keycloak-host>:<port>/realms/<realm-name>/protocol/saml/clients/<client-id>

      <keycloak-host> - The hostname or IP address of the Keycloak server.
      <port> - The port on which Keycloak is running.
      <realm-name> - The name of the realm.
      <client-id> - The same value entered in step 13b.

    3. Enter the certificate value stored in step 9.

    4. Click on the Save button.

  22. Click on the Save button next to the Login Authentication header.

  23. Assign the login method to D3 users.
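Copying the certificate out of the metadata XML by hand (step 9) is easy to get wrong: line wraps, a truncated paste, or picking a non-signing key. The Python below is an added example, not code from D3 or Keycloak. It extracts the signing certificate from a constructed metadata sample, computes a SHA-256 fingerprint for comparing the stored value with the IdP's, and builds the target URL in the format given above. The function names, sample host, realm and client values, and the scheme parameter (for Keycloak served over TLS) are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import quote

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample data (not a real certificate); helper names are this example's own.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://keycloak.example.test:8080/realms/d3-realm">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_B64[:20]}
        {_B64[20:]}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def signing_certificates(metadata_xml):
    """Base64 value of each IdP signing certificate, whitespace removed."""
    certs = []
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # skip encryption-only keys
            continue
        for node in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            value = "".join((node.text or "").split())
            base64.b64decode(value, validate=True)  # raises on a mangled paste
            certs.append(value)
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return certs

def sha256_fingerprint(cert_b64):
    """Colon-separated SHA-256 of the decoded bytes, to compare against the IdP."""
    digest = hashlib.sha256(base64.b64decode(cert_b64)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))

def target_url(host, port, realm, sso_url_name, scheme="http"):
    """Target URL in the format this guide gives for the D3 login method."""
    return (f"{scheme}://{host}:{port}/realms/{quote(realm, safe='')}"
            f"/protocol/saml/clients/{quote(sso_url_name, safe='')}")

if __name__ == "__main__":
    print(sha256_fingerprint(signing_certificates(SAMPLE_METADATA)[0]))
    print(target_url("keycloak.example.test", 8080, "d3-realm", "tenant1"))
```

To run it against a real realm, save the metadata page opened in step 8 to a file and pass its contents to signing_certificates in place of SAMPLE_METADATA.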

Logging in to D3 vSOC via Keycloak

  1. Enter the D3 username in the D3 vSOC login page for the user assigned the Keycloak authentication method in step 23b.

  2. Enter the user credentials configured in steps 18a or 18b, and 20, on the Keycloak login page, then click on the Sign In button.


READER NOTE *

This redirect link differs from the admin console link. The correct page displays the realm name as the title (rather than "Keycloak").
