
Establish connection

Antavo’s single sign-on (SSO) solution is implemented through the communication of three different servers.

First, the connection between the identity provider (IdP) and the Keycloak server needs to be established. The client’s IdP stores the login data of their users. The SAML 2.0 or OIDC protocol is used to connect this information with the Keycloak server.

...

The following is an example of metadata for a SAML 2.0 system entity acting as a service provider. This XML is exportable from the IdP side and needs to be sent to Antavo’s administrator, who will import it into the Keycloak server.

...

Chapter 2 of the SAML 2.0 metadata specification offers details on the nature of these metadata.

Configure SSO

...

Next, a connection needs to be established between the Antavo platform and the Keycloak server.
The platform and the Keycloak server are connected through the configuration of SSO in the Backoffice. This can be accessed from the Backoffice’s Modules page by typing Single Sign-On or SSO into the search field.

...

The following use case illustrates setting up the SSO provider on a demonstration account. This is configured by the Antavo administrators.

  • URL

  • Realm

  • Client ID: platform

  • Client secret: This is generated during the Keycloak configuration.

  • Federation field: uid (default)

  • Scopes: openid profile email

...

...

Set up SSO login for Backoffice users

The SSO Source and SSO ID of Backoffice users have to be added on the user editor interface to enable SSO login. Please note that SSO login is enforced for all users by default, meaning users can log in to the Backoffice through SSO unless you turn off this restriction.
Please find instructions on the configuration of these settings here and here.