Go back to general SAML configuration for Kimai.
SAML authentication with Keycloak accounts has proven to work with the following configurations.
If you want to sync user roles as well, note that Google offers two ways to do that: you can either use Google Groups or an additional user attribute. We strongly recommend using Google Groups, but you can create an additional multi-value user attribute instead. Both are described below in the step-by-step guide.
Please copy & paste the entire SAML configuration. Adjust the following keys with your Google / App specific settings:
```yaml
kimai:
    saml:
        provider: google
        activate: true
        title: Login with Google
        mapping:
            - { saml: $Email, kimai: email }
            - { saml: $FirstName $LastName, kimai: alias }
            - { saml: $Title, kimai: title }
            - { saml: $AccountNumber, kimai: accountNumber }
        roles:
            resetOnLogin: true
            attribute: Groups
            mapping:
                - { saml: KIMAI ADMIN, kimai: ROLE_ADMIN }
                - { saml: KIMAI TEAMLEAD, kimai: ROLE_TEAMLEAD }
        connection:
            idp:
                entityId: 'https://accounts.google.com/o/saml2?idpid=your-google-id'
                singleSignOnService:
                    url: 'https://accounts.google.com/o/saml2/idp?idpid=your-google-id'
                x509cert: 'ADD YOUR CERTIFICATE HERE'
            # Your Kimai: replace https://www.example.com with your base URL
            sp:
                entityId: 'https://www.example.com/auth/saml/metadata'
                assertionConsumerService:
                    url: 'https://www.example.com/auth/saml/acs'
```
You have to adjust more keys, please read the main SAML configuration!

- SSO-URL into Single Sign-On URL
- Entity-ID into Entity ID
- Certificate into X.509 Certificate

Add your Kimai (`kimai.saml.connection.sp`) values to Google (page 3):

- `connection.sp.assertionConsumerService.url` into ACS-URL
- `connection.sp.entityId` into Entity-ID
- Name-ID Format: "X509_SUBJECT"
- Name-ID: "Basic Information > Primary Email"

Attributes: you have to define the user attribute mapping like this (correct case is important):

| Google directory attribute | App attribute |
|---|---|
| Basic Information > Primary email | Email |
| Basic Information > First name | FirstName |
| Basic Information > Last name | LastName |
| Employee Details > Employee ID | AccountNumber |
| Employee Details > Title | Title |

User role mapping, which can be defined in two ways:

- Groups: use Google Groups
- Custom attribute: create the user attribute category "SAML Group" with the attribute "KimaiRole" as text type with multi-value, then map "SAML Group > KimaiRole" to the App attribute "Groups"

The role names used in this guide are:

- Kimai-System maps to the Kimai role System-Admin
- Kimai-Admin maps to the Kimai role Administrator
- Kimai-Teamlead maps to the Kimai role Teamlead

You can use other names for your groups; the mapping happens in the next step in your Cloud configuration.
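To show how the `mapping` and `roles` entries above are resolved at login, here is an added Python illustration (not Kimai's own code) of the `$Name` placeholder substitution, the attribute case-sensitivity the guide warns about, and the multi-value `Groups` to role mapping with `resetOnLogin`, run over a constructed sample assertion. It assumes that each `$Name` placeholder is replaced with the first value of the SAML attribute of that name, as the mapping syntax suggests.

```python
import re

# The attribute and role mapping from the Kimai config above, transcribed as
# Python literals so this example runs without a YAML parser.
ATTRIBUTE_MAPPING = [
    {"saml": "$Email", "kimai": "email"},
    {"saml": "$FirstName $LastName", "kimai": "alias"},
    {"saml": "$Title", "kimai": "title"},
    {"saml": "$AccountNumber", "kimai": "accountNumber"},
]
ROLES = {
    "resetOnLogin": True,
    "attribute": "Groups",
    "mapping": [
        {"saml": "KIMAI ADMIN", "kimai": "ROLE_ADMIN"},
        {"saml": "KIMAI TEAMLEAD", "kimai": "ROLE_TEAMLEAD"},
    ],
}

# Constructed sample assertion: attribute names exactly as the App-attribute
# column in the guide defines them (SAML attributes are multi-valued).
SAMPLE_ASSERTION = {
    "Email": ["jane@example.com"],
    "FirstName": ["Jane"],
    "LastName": ["Doe"],
    "Title": ["Engineer"],
    "AccountNumber": ["4711"],
    "Groups": ["KIMAI TEAMLEAD", "Marketing"],
}

def render(template, attrs):
    """Replace each $Name placeholder with the first value of that attribute
    (assumed behaviour); a missing or differently cased attribute renders empty."""
    def repl(match):
        values = attrs.get(match.group(1), [])
        return values[0] if values else ""
    return re.sub(r"\$(\w+)", repl, template).strip()

def map_user(attrs, mapping=ATTRIBUTE_MAPPING):
    """Build the Kimai user fields from the SAML attributes."""
    return {entry["kimai"]: render(entry["saml"], attrs) for entry in mapping}

def map_roles(attrs, current_roles, roles=ROLES):
    """Roles after login: group names without a mapping entry are ignored;
    with resetOnLogin the previously stored roles are dropped, not merged."""
    groups = set(attrs.get(roles["attribute"], []))
    mapped = {e["kimai"] for e in roles["mapping"] if e["saml"] in groups}
    if roles["resetOnLogin"]:
        return sorted(mapped)
    return sorted(set(current_roles) | mapped)
```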
This screenshot is a showcase of the attribute mapping including groups:
Google does not support single logout, so it needs to be commented out in the configuration.
The “single logout” feature has not been tested yet; if you want to help, please let me know!