This is not an official guide. This is just a tutorial from my lab.
It describes how Keycloak works as an Identity Provider for SmartConsole login using SAML. By the way, Mobile Access login and VPN login work the same way.
Starting with R81.20 Jumbo Take 89, the metadata file must also be modified before it is imported; see step 6.
1. Version
Keycloak: 21.1.1
Check Point SmartCenter: R81.20
2. Select Realm in Keycloak
![keycloak_1.png keycloak_1.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21363i78678A62167AD5F7/image-size/large?v=v2&px=999)
3. Create User
Create a user and assign a password (under Credentials), or use LDAP user federation as the source of users.
![keycloak_2.png keycloak_2.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21364i590FA3C2E03864EC/image-size/large?v=v2&px=999)
3.1 Set password
![keycloak_2.0.png keycloak_2.0.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21365i373E4C957ED3B797/image-size/large?v=v2&px=999)
4. Client Scopes
The SmartConsole application integration in your Identity Provider must have attribute mappings for “username” and “groups”. In Keycloak this is done via “Client scopes”.
Select “Client Scopes” and click “Create client scope”.
![keycloak_3.0.png keycloak_3.0.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21367iDB77A59E0139876C/image-size/large?v=v2&px=999)
4.1 Create client scope “SmartConsole”
Name: SmartConsole
Protocol: SAML
![keycloak_3.png keycloak_3.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21368iFEB30F2138F99277/image-size/large?v=v2&px=999)
5. Select the client scope “SmartConsole”
![keycloak_3.1.png keycloak_3.1.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21369i3CA0F445838DA079/image-size/large?v=v2&px=999)
5.1 Click “Add mapper - by configuration” for username
![keycloak_4.png keycloak_4.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21370i511F1900B1AD9E01/image-size/large?v=v2&px=999)
5.2 Select “User Attribute”
![keycloak_5.png keycloak_5.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21371i0BF9F22CF7CFDA53/image-size/medium?v=v2&px=400)
5.3 Enter “username” in the highlighted fields
![keycloak_5.1.png keycloak_5.1.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21372iC1DDBEC52749458B/image-size/large?v=v2&px=999)
5.4 Click “Add mapper - by configuration” for groups
![keycloak_4.png keycloak_4.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21373iD41F5C8B73711669/image-size/large?v=v2&px=999)
5.5 Select “Group list”
![keycloak_5.2.png keycloak_5.2.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21374i20AB63FF48A333BE/image-size/medium?v=v2&px=400)
5.6 Enter “groups” in the highlighted fields
![keycloak_5.4.png keycloak_5.4.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21375i03513473D581E406/image-size/large?v=v2&px=999)
5.7 Client scope - Overview
![keycloak_5.5.png keycloak_5.5.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21376i60745353984F38FF/image-size/large?v=v2&px=999)
6. Realm settings
Go to Realm settings and click on “SAML 2.0 Identity Provider Metadata” and save the XML File. This file is used in step 7.
![keycloak_6.png keycloak_6.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21377i2770E6942C65A643/image-size/large?v=v2&px=999)
Starting from R81.20 Jumbo Take 89:
Open the metadata file (descriptor.xml) and change the value of "WantAuthnRequestsSigned" from "true" to "false". This attribute tells the SmartCenter that the Identity Provider requires signed AuthnRequests; setting it to "false" in the imported copy means the SmartCenter does not sign its login requests, which matches the Keycloak client setting in step 8.3. It does not affect the signature Keycloak puts on the SAML response and assertion; the signing certificate in the same metadata file is what the SmartCenter uses to verify that signature, so leave the KeyDescriptor untouched.
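The edit from step 6, done by script instead of by hand, as an added example that is not part of the original tutorial: it parses the IdP metadata, sets only WantAuthnRequestsSigned to "false", and refuses to write a file that no longer carries a signing certificate or an SSO endpoint. The embedded descriptor is a constructed, minimal Keycloak-style sample (placeholder hostname, realm and certificate), not the lab's real descriptor.xml.

```python
"""Patch a Keycloak SAML IdP metadata file for import into SmartConsole.

Sets WantAuthnRequestsSigned="false" (required from R81.20 Jumbo Take 89)
and reports what the file still guarantees: entity ID, signing certificate(s)
and SSO endpoint(s). Run without arguments to process the constructed sample,
or pass paths:  python patch_descriptor.py descriptor.xml patched.xml
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)  # keep the md:/ds: prefixes on output
ET.register_namespace("ds", DS_NS)

# Constructed, minimal Keycloak-style descriptor; not the file from the lab.
# Hostname, realm name and certificate value are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://keycloak.example.lab/realms/smartcenter">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.lab/realms/smartcenter/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def patch_metadata(xml_text: str) -> Tuple[str, Dict]:
    """Return (patched XML, report). Raise ValueError if the file is not usable IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: this is not IdP metadata")

    before = idp.get("WantAuthnRequestsSigned")
    # Only the request-signing requirement is relaxed; nothing else is touched.
    idp.set("WantAuthnRequestsSigned", "false")

    # A KeyDescriptor without "use" may serve both signing and encryption.
    signing_keys = [k for k in idp.findall(f"{{{MD_NS}}}KeyDescriptor")
                    if k.get("use") in (None, "signing")]
    sso = [s.get("Location") for s in idp.findall(f"{{{MD_NS}}}SingleSignOnService")]
    if not signing_keys:
        raise ValueError("no signing certificate: the SmartCenter could not verify responses")
    if not sso:
        raise ValueError("no SingleSignOnService endpoint in metadata")

    report = {
        "entity_id": root.get("entityID"),
        "want_authn_requests_signed_before": before,
        "signing_keys": len(signing_keys),
        "sso_locations": sso,
    }
    return ET.tostring(root, encoding="unicode"), report


def main(argv) -> int:
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8") as fh:
            src = fh.read()
    else:
        src = SAMPLE_METADATA
    patched, report = patch_metadata(src)
    if len(argv) == 3:
        with open(argv[2], "w", encoding="utf-8") as fh:
            fh.write(patched)
    for key, value in report.items():
        print(f"{key}: {value}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The same descriptor can be downloaded directly from Keycloak at `https://<keycloak-host>/realms/<realm>/protocol/saml/descriptor`, which is the link behind “SAML 2.0 Identity Provider Metadata” in the realm settings. Check the printed `sso_locations` against the hostname you expect before importing the patched file.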
7. Create Identity Provider Object
Create an Identity Provider object in SmartConsole. Click “Import From File”, select the XML file from step 6 and publish the changes.
Copy the Identifier (Entity ID) and the Reply URL to a text file; both are needed in step 8.
![cp_keycloak_1.png cp_keycloak_1.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21378i248472538BB5C3B5/image-size/large?v=v2&px=999)
8. Clients
Click on Clients and select “Create Client”
![keycloak_7.png keycloak_7.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21379iBA0D20A6F1753A49/image-size/large?v=v2&px=999)
8.1 SAML Client
Under “Client ID” enter the “Identifier (Entity ID)” of the SmartConsole Identity Provider object from step 7.
![keycloak_8.png keycloak_8.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21380i39095583F255C440/image-size/large?v=v2&px=999)
8.2 Login settings
Root URL and Home URL: the IP address of the SmartCenter.
Under “Valid redirect URIs” enter the exact “Reply URL” from the Identity Provider object (see step 7). Do not use a wildcard such as “*” here: this list limits where Keycloak will send the SAML response.
![keycloak_8.1.png keycloak_8.1.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21381i0A50B846D6031757/image-size/large?v=v2&px=999)
8.3 Disable Client Signature (Keys tab, “Client signature required”)
I don't know if this can be configured at all with Check Point, so it must be disabled for it to work. Does anyone know if this can be enabled?
![keycloak_8.2.png keycloak_8.2.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21382i5B1A1055D4125833/image-size/large?v=v2&px=999)
8.4 Client scopes
Check that the client scope “SmartConsole” is assigned to the client.
![keycloak_8.3.png keycloak_8.3.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21383iB55E5A706F705D74/image-size/large?v=v2&px=999)
9. Select Identity Provider in SmartConsole
![keycloak_9.png keycloak_9.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21384iA6F4E74295D57FA1/image-size/large?v=v2&px=999)
9.1 Create SmartConsole Admin
Create an administrator with the same username as in Keycloak (it is matched against the “username” attribute from step 5). Publish all changes.
![keycloak_9.1.png keycloak_9.1.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21385i820DFE5C5F06AA31/image-size/large?v=v2&px=999)
9.2 Login SmartConsole
![keycloak_9.2.png keycloak_9.2.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21386i614892FFE00F966C/image-size/medium?v=v2&px=400)
9.3 Redirect to Browser
Log in using the username “test”.
![keycloak_9.3.png keycloak_9.3.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21387iB0AC2C558C9ADBAA/image-size/large?v=v2&px=999)
9.4 Login successful
After successful login, SmartConsole opens.
![keycloak_9.4.png keycloak_9.4.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21388i482400B80C51AC99/image-size/large?v=v2&px=999)
9.5 Logfile
![keycloak_9.5.png keycloak_9.5.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21389iD9AB7A3A80502C84/image-size/large?v=v2&px=999)
Login is also possible using the Identity Provider for an Administrator Group. The group name must be identical on Check Point and on Keycloak. In this example, testuser3 is a member of the group “SmartCenter-GUI” only.
10. Create "New Identity Provider Administrator Group"
Group ID / Name: SmartCenter-GUI
![keycloak_10.0.png keycloak_10.0.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21391i93EFC2324C335775/image-size/large?v=v2&px=999)
10.1 Overview
The object “SSO_Group” is created; all members of this group are able to log in to the SmartCenter.
![keycloak_10.1.png keycloak_10.1.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21392i3695B634B3F4D997/image-size/large?v=v2&px=999)
10.2 Keycloak User Group
Create the user group “SmartCenter-GUI” in Keycloak and add a user to it (in this example, “testuser3”).
![keycloak_10.png keycloak_10.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21393iC9BD33080B8E4354/image-size/large?v=v2&px=999)
10.3 Login using testuser3
![keycloak_10.2.png keycloak_10.2.png](https://community.checkpoint.com/t5/image/serverpage/image-id/21394iD2B33862AFED6C24/image-size/large?v=v2&px=999)
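What the two login paths (step 9.1, username match; step 10, group match) consume from the assertion that the “SmartConsole” client scope of step 5 produces, as an added example that is not part of the original tutorial and not Check Point's or Keycloak's code: it pulls the “username” and “groups” attributes out of a SAML assertion and applies the tutorial's two rules. The assertion is constructed inline with a placeholder realm URL; signature validation of the SAML response is assumed to have happened before this point, and the comparison of names is assumed to be exact and case-sensitive. One caveat the example makes visible: Keycloak's “Group list” mapper has a “Full group path” option which, when left on, sends “/SmartCenter-GUI” instead of “SmartCenter-GUI”, and that value does not match the Check Point group name.

```python
"""Evaluate what the SmartCenter sees in a Keycloak SAML assertion.

Extracts the "username" and "groups" attributes emitted by the SmartConsole
client scope and applies the two admission rules from the tutorial:
an Identity Provider administrator with the same username, or membership
in an Identity Provider Administrator Group with the same group name.
Signature validation of the SAML Response is assumed to have happened
already; never run this logic on an unverified assertion.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Set, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EXPECTED_ISSUER = "https://keycloak.example.lab/realms/smartcenter"  # placeholder realm URL


def sample_assertion(username: str, groups: List[str]) -> str:
    """Constructed assertion fragment (placeholder ID, no Signature element)."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="ID_placeholder" Version="2.0">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <saml:Subject><saml:NameID>{username}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>{username}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_identity(assertion_xml: str) -> Tuple[str, Set[str]]:
    """Return (username, groups) from the assertion, checking the issuer first."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext(f"{{{SAML_NS}}}Issuer")
    if issuer != EXPECTED_ISSUER:
        # The assertion must come from the Identity Provider object we imported.
        raise ValueError(f"unexpected issuer {issuer!r}")
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
    usernames = attrs.get("username", [])
    if len(usernames) != 1:
        raise ValueError("assertion must carry exactly one 'username' value")
    return usernames[0], set(attrs.get("groups", []))


def admission_decision(username: str, groups: Set[str],
                       idp_admins: Set[str], idp_admin_groups: Set[str]) -> Optional[str]:
    """Which tutorial rule admits this login, or None if neither does.

    idp_admins: usernames of SmartConsole administrators authenticated by the IdP (step 9.1).
    idp_admin_groups: names of Identity Provider Administrator Groups (step 10).
    Matching is exact and case-sensitive (assumption for this example).
    """
    if username in idp_admins:
        return f"user:{username}"
    matched = sorted(groups & idp_admin_groups)
    if matched:
        return f"group:{matched[0]}"
    return None


def demo() -> List[Optional[str]]:
    """Run the three cases from the tutorial plus the 'Full group path' pitfall."""
    admins, admin_groups = {"test"}, {"SmartCenter-GUI"}
    results = []
    for user, groups in [("test", []),
                         ("testuser3", ["SmartCenter-GUI"]),
                         ("testuser3", ["/SmartCenter-GUI"]),   # full path left on: no match
                         ("someone", ["Other"])]:
        name, member_of = extract_identity(sample_assertion(user, groups))
        results.append(admission_decision(name, member_of, admins, admin_groups))
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision or "denied")
```

Turn off “Full group path” in the Group list mapper if the group-based login from step 10 fails while the username-based login works; the bare group name is what has to match the name of the Identity Provider Administrator Group on the Check Point side.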