Integrate PingIdentity with Keycloak
This topic explains how to configure PingIdentity as a SAML identity provider for Portworx Backup authentication through Keycloak.
Prerequisites
Before you begin, ensure you have:
PingIdentity Requirements
- PingIdentity account with Workforce Solution environment
- Administrative access to PingIdentity console
- Users and groups configured in PingIdentity
- At least one test user for verification
- Groups configured for role mapping (if using RBAC)
- Basic knowledge of PingIdentity configuration
Portworx Backup Requirements
- Portworx Backup installed and running
- Keycloak admin access with URL: http://<NODE_IP>:<NODE_PORT>/auth/admin/
- Network connectivity between Keycloak and PingIdentity services
Infrastructure Requirements
- Publicly accessible Kubernetes cluster with administrative access
- DNS resolution for PingIdentity endpoints
- HTTPS connectivity for SAML metadata exchange
Integrate PingIdentity with PXB Keycloak
1. Login to the PXB Keycloak web console with administrator credentials. From the left navigation pane, go to Identity Providers → SAML/SAML v2.0.
2. In the Add SAML provider page, enter an Alias name such as ping-saml. Note down the values in the Redirect URI and Service provider entity ID fields. You will need these values while creating the SAML app in PingIdentity.
   Important: Keep this browser tab open to complete the configuration after setting up PingIdentity.
3. Login to the PingIdentity web console and create a SAML App using the Configure and Manually Enter options.
4. Provide the values for ACS URL and Entity ID that you noted down in Step 2.
5. To enable the SAML application, click the toggle at the top right of the details panel (it turns blue when enabled).
6. In the Overview tab:
   - Make a note of the IDP Metadata URL.
   - Click Download Metadata to download the SAML metadata.
7. Navigate to the Attribute Mappings tab, click Edit and add the following mandatory mappers:
   - email: Map user email attribute
   - firstname: Map user first name attribute
   - lastname: Map user last name attribute
   - username: Map user username attribute
   For more information, refer to the Edit applications section in the PingIdentity documentation.
8. Navigate back to the PXB Keycloak web console's Add SAML provider page.
9. Under SAML settings, enable the Use entity descriptor field.
10. In the SAML entity descriptor field, paste the contents of the IDP Metadata URL that you noted down in Step 6. This fetches and auto-populates all the required fields.
11. Click Add.
12. In the SAML provider page, navigate to the Mappers tab, click Add mappers and provide the following values:
   For Email Mapper:
   - Name: provide any name. For example, email.
   - Mapper type: Attribute Importer
   - Attribute Name: Name provided in the PingIdentity Attribute Mappings section for email.
   - Name Format: ATTRIBUTE_FORMAT_BASIC
   - User Attribute Name: email
   For Group Mapper:
   - Name: provide any name. For example, group-mapper.
   - Mapper type: Advanced Attribute to Group
   - Attribute Name: Name provided in the PingIdentity Attribute Mappings section for group.
   - Key: group attribute name
   - Value: Group name
   - Group: Select a group from the existing groups in Keycloak.
   If the group attribute value sent by PingIdentity matches the configured Value, Keycloak adds the user to the selected Keycloak group.
13. Click Save after providing all the required values.
14. Similarly, add mappers for first name and last name. Make sure the Attribute Name values are the same as the ones you provided in the PingIdentity Attribute Mappings section.
15. Now go to the Portworx Backup login page. It should show the SAML app.
16. Click saml under Sign In with your OIDC Provider. You will be redirected to the PingIdentity login page.
17. Enter your PingIdentity credentials. You should be able to successfully log in to the Portworx Backup web console.
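As an added example (not code from the Portworx Backup or PingIdentity documentation), the following Python script shows what Keycloak reads from the entity descriptor you paste into the SAML entity descriptor field: the IdP entityID, the SingleSignOnService endpoints and the signing certificate. It also flags a descriptor that carries no signing certificate or that points at non-HTTPS endpoints, which is worth checking before saving the provider. The sample metadata is constructed; its entityID, URLs and certificate text are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of an IdP entity descriptor. The entityID, endpoint URLs and
# certificate are placeholders, not values from a real PingIdentity tenant.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://auth.pingone.example/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://auth.pingone.example/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.pingone.example/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def inspect_idp_metadata(xml_text):
    """Return the fields Keycloak auto-populates from the descriptor, plus warnings."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: this is not IdP metadata")
    # SSO endpoints keyed by binding; Keycloak uses these for the login redirect.
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    cert_tag = "{%s}X509Certificate" % NS["ds"]
    certs = [c.text.strip() for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing") for c in k.iter(cert_tag) if c.text]
    warnings = []
    if not certs:
        warnings.append("no signing certificate: assertion signatures cannot be validated")
    if REDIRECT not in sso and POST not in sso:
        warnings.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for binding, url in sso.items():
        if not (url or "").lower().startswith("https://"):
            warnings.append("SSO endpoint for %s is not HTTPS: %s" % (binding, url))
    return {"entity_id": root.get("entityID"),
            "sso_redirect_url": sso.get(REDIRECT),
            "sso_post_url": sso.get(POST),
            "signing_certs": len(certs),
            "warnings": warnings}
```

To check a real descriptor, read the file downloaded with Download Metadata and pass its text to inspect_idp_metadata; an empty warnings list means the fields Keycloak needs are present.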
Next Steps
After successfully integrating PingIdentity with Keycloak:
Configure Role-Based Access Control
- Test access controls with different user accounts
Set Up Group Synchronization
- Configure automatic group membership updates
- Set up periodic synchronization schedules
- Monitor group membership changes