Version: 3.0
Applicable to both Classic and Federated modes

Integrate PingIdentity with Keycloak

This topic explains how to configure PingIdentity as a SAML identity provider for Portworx Backup authentication through Keycloak.

Prerequisites

Before you begin, ensure you have:

PingIdentity requirements

  • PingIdentity account with Workforce Solution environment
  • Administrative access to PingIdentity console
  • Users and groups configured in PingIdentity
    • At least one test user for verification
    • Groups configured for role mapping (if using RBAC)
  • Basic knowledge of PingIdentity configuration

Portworx Backup requirements

  • Portworx Backup installed and running
  • Keycloak admin access: Access the Keycloak admin console at https://<px-backup-web-console-url>/admin/. For Portworx Backup 2.8.x and earlier, use https://<px-backup-web-console-url>/auth/admin/. For information on finding the Portworx Backup web console URL, see Configure access to web console.
  • Network connectivity between Keycloak and PingIdentity services

Infrastructure requirements

  • Publicly accessible Kubernetes cluster with administrative access
  • DNS resolution for PingIdentity endpoints
  • HTTPS connectivity for SAML metadata exchange

Integrate PingIdentity with Portworx Backup Keycloak

  1. Log in to the Portworx Backup Keycloak admin console with administrator credentials. For Portworx Backup 2.9.0 and later, access Keycloak at http://<NODE_IP>:<NODE_PORT>/admin/. For Portworx Backup 2.8.x and earlier, use http://<NODE_IP>:<NODE_PORT>/auth/admin/. For instructions on finding the Keycloak endpoint, see Configure access to web console.

    From the left navigation pane, go to Identity Providers → SAML/SAML v2.0.

  2. In the Add SAML provider page, enter an Alias name such as ping-saml. Note the values in the Redirect URI and Service provider entity ID fields. You will need these values when creating a SAML app in PingIdentity.

    important

    Keep this browser tab open to complete the configuration after setting up PingIdentity.

  3. Log in to the PingIdentity web console and create a SAML application, choosing the Configure and Manually Enter options.

  4. Provide the ACS URL and Entity ID values you noted in Step 2 (Keycloak's Redirect URI and Service provider entity ID, respectively).

  5. To enable the SAML application, click the toggle at the top right of the details panel so that it turns blue.

  6. In the Overview tab:

    1. Make a note of IDP Metadata URL.
    2. Click Download Metadata to download SAML metadata.
  7. Navigate to the Attribute Mappings tab, click Edit and add the following mandatory mappers:

    • email: Map user email attribute
    • firstname: Map user first name attribute
    • lastname: Map user last name attribute
    • username: Map user username attribute

    For more information, see Edit applications in the PingIdentity documentation.

  8. Navigate back to the Add SAML provider page in the Portworx Backup Keycloak web console.

    1. Under SAML settings, enable the Use entity descriptor field.

    2. In the SAML entity descriptor field, paste the metadata from the IDP Metadata URL you noted in Step 6.1. Keycloak fetches the descriptor and auto-populates all the required fields.

    3. Click Add.

  9. In the SAML page, navigate to the Mappers tab, click Add mappers and provide the following values:

    For Email Mapper:

      • Name: provide any name. For example, email.
      • Mapper type: Attribute Importer
      • Attribute Name: the name provided for email in the PingIdentity Attribute Mappings section.
      • Name Format: ATTRIBUTE_FORMAT_BASIC
      • User Attribute Name: email

    For Group Mapper:

      • Name: provide any name. For example, group-mapper.
      • Mapper type: Advanced Attribute to Group
      • Attribute Name: the name provided for group in the PingIdentity Attribute Mappings section.
      • Key: group attribute name
      • Value: Group name
      • Group: Select a group from the existing groups in Keycloak.

    note

    If the value matches a PingIdentity group, the user is mapped to the group specified in Keycloak.

  10. Click Save after providing all the required values.

  11. Similarly, add mappers for first name and last name. Ensure the Attribute Name values match those you provided in the PingIdentity Attribute Mappings section.

  12. Go to the Portworx Backup login page. It should show the SAML app.

  13. Click saml under Sign In with your OIDC Provider. You are redirected to the PingIdentity login page.

  14. Enter your PingIdentity credentials. You can now log in to the Portworx Backup web console.

Next steps

After successfully integrating PingIdentity with Keycloak:

Configure role-based access control

  • Test access controls with different user accounts

Set up group synchronization

  • Configure automatic group membership updates
  • Set up periodic synchronization schedules
  • Monitor group membership changes