This repository contains a keycloak extension which adds support for the SAML v2.0 dialect of the eIDAS nodes. It provides an identity provider extension which allows keycloak to be setup as an "identity broker".
Keycloak is an open source Identity and Access Management system for modern applications.
eIDAS-Nodes are operated from EU member states according to the eIDAS Regulation in order to ensure that people and businesses can use their own national eIDs (electronic identification schemes) to access public services available online in other countries.
The eIDAS Nodes use an extended version of SAML v2.0 which defines a number of SAML elements and attribute definitions which are not supported by default in standard SAML implementations. This extension provides support for these extensions, by offering a custom IdP which can use this extended dialect.
See eIDAS+eID+Profile and the following documents for the v1.2 technical specifications:
- eIDAS - Interoperability Architecture v1.2
- eIDAS - Cryptographic requirements for the Interoperability Framework v1.2
- eIDAS SAML Message Format v1.2
- eIDAS SAML Attribute Profile v1.2
Download the latest release jar from the releases page. Then deploy it in keycloak by copying it at folder
KEYCLOAK_HOME/standalone/deployments/. See the keycloak documentation for the directory structure of the keycloak server.
| Extension version | Keycloak version |
|---|---|
| 0.5 | 15.0.2 - 18.0.2 |
| 0.6 | 18.0.2, 19.0.2 (partial admin UI) |
| 0.7 | 20.0.2 (partial admin UI) |
| 0.8 | 21.0.1 (partial admin UI) |
| 0.9 | 22.0.3 (partial admin UI) |
| 0.10 | 23.0.2 (partial admin UI) |
| 0.11 | 24.0.4 |
| 0.12 | 25.0.6 |
Depending on the version of keycloak (between 18 and 23) the admin UI might not show the extra attributes and you might need to configure the extension by editing the configuration inside the DB. Another possibility is to import your realm from json and thus be able to configure the extension. See this example for an example.
The extension provides the following components which are needed in order to connect to an eIDAS node using the extended definitions of the eIDAS technical specifications:
- Identity provider "eIDAS SAML v2.0" which is an extended version of the default "SAML v2.0" IdP.
- Mapper "Username Template Importer" which can be used to setup the ID or username for federated user lookup.
- Mapper "Attribute Importer" which can be used to import additional attributes.
- Authenticator "Citizen Country Selection" which can collect the citizen country before authentication.
- Setup the keycloak realm key provider for signing requests according to the eIDAS specifications. Depending on the setup of the eIDAS node that you are trying to connect, it might be important that the certificate contains the correct country code.
- Add the "eIDAS SAML v2.0" identity provider.
- Setup the "eIDAS SAML v2.0" identity provider by setting the classic "SAML v2.0" options and the additional eIDAS specific options.
- Add a "Username Template Importer" with template something like
${ALIAS}.${ATTRIBUTE.PersonIdentifier}and targetBROKER_ID. You can also adjust the username in a similar fashion. - Add "Attribute Importer" for the attributes you want to consume, e.g. "DateOfBirth".
- Go to "Authentication" and copy the "Browser" flow.
- After the "Cookie" execution add an "eIDAS" flow which contains the following two executions:
- Citizen Country Selection. Use the "Actions" menu to configure this by adjusting the available country codes. These codes are two letter names.
- Identity Provider Redirector. Use the "Actions" menu to adjust the "Default Identity Provider" to "eidas-saml", in order for the redirection to happen automatically.
- Set the new flow as default in the "Browser Flow" bindings.
- Adjust depending on your use case the "First Broker Login" and additional properties.
You can find a very simple howto guide at howto/README.md.
Build the project using maven
mvn install
You can find the jar under target/keycloak-eidas-idp-x.x.x.jar.
Apache License, Version 2.0
