CDNetworks Documentation IAM User Guide Example of Using Keycloak for SAML SSO

Example of Using Keycloak for SAML SSO

Last update:2026-03-25 15:25:41

Operation Guide

Keycloak Deployment and Installation

For more information, please refer to Installation and Deployment Process.

Log in to Keycloak and Configure the Application

  1. Log in to the Keycloak platform using your administrator account.

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

  1. Create a new Realm.

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

  1. After the creation is complete, go to Realm settings, download the initial metadata, and click [SAML 2.0 Identity Provider Metadata].

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

  1. Log in to the CDNetworks console and configure the Item provider.
    Select SSO Type as Role SSO and upload the IdP metadata file downloaded in Step 3.

Note: After completing all configurations, you must update the metadata document again.
关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

  1. Obtain the SP metadata.
    In the CDNetworks console, click “View” to enter the Provider page and download the SP metadata document.
    关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

  2. Create a push client. You can quickly create and upload SP metadata using the “Import push client” feature.

Note: The push client import function is only supported in Chrome browser. Otherwise, you will receive the error “Object.hasOwn is not a function”.

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

After a successful import, the Client ID will be detected automatically. Please click Save and proceed to the push client configuration page.

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

You can also find the corresponding Client ID in the push client list and enter the configuration page.

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

  1. Configure access settings.
    After importing the XML file, the system will automatically generate a Client ID and a valid redirect URI. The information that needs to be configured on this page includes:
  • Root URL
  • Home URL
  • IDP-initiated SSO URL Name. Directly enter the Realm Name; the complete IDP-initiated SSO URL will be displayed below.
  • Enter the main Domain in Root URL and input the URI part in Home URL as shown below:

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

  1. Configure the SAML Function.
    Select username as the Name ID Format, keep the other parameters as default, and click Save to complete the configuration.

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

  1. Go to the Client scopes tab to modify the relevant configuration.
    Change the Assigned type of role_list from default to Optional.

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

Go to the current client-specific configuration file and set Full scope allowed to Off, as shown below:

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明
关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

  1. Create a user for logging in to Keycloak.
    Create a user in the Users section and set a password. The Username field here must be consistent with the account name in the CDNetworks console.
    Reference: Create User

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

You can set the password in the Credentials tab.

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

  1. Go to the Clients configuration page, locate the Client scopes tab, and enter the dedicated configuration file.

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

In Mappers, add two custom configurations. Click Configure new mapper, and in the pop-up window, select Hardcoded Attribute.

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明
关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

First configuration:

  • Name: https://login.cdnetworks.com/SAML/Attributes/RoleSessionName
  • The attribute value can be set to any value; we recommend using the Realm name (for example, KeycloakMock).
    Click Save.

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

Return to the Mappers page, click Add Mapper, and select By Configuration. In the pop-up window, choose Hardcoded Attribute.

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

Second configuration:

  • Name: https://login.cdnetworks.com/SAML/Attributes/LoginName
  • Property value:
    • wsc:iam::web host account:login-name/current login account
    • wsc:iam::web host account:saml-provider/identity provider name

Example:
The main account is keycloak, the sub-account is keycloakMock, and the identity provider name is Mock.
If all users are sub-accounts keycloakMock, configure as
wsc:iam::keycloak:login-name/keycloakMock, wsc:iam::keycloak:saml-provider/Mock
If all users are main accounts keycloak, configure as
wsc:iam::keycloak:login-name/keycloak, wsc:iam::keycloak:saml-provider/Mock

  1. After completing all configurations, download the new metadata file and upload it to the CDNetworks console. The steps are the same as in Step 3.

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

Access Test

In the Clients list, locate the newly added Client ID and find the corresponding Home URL. Click Access to be redirected to the Keycloak login page.

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

Enter the created username and password, and check if you can successfully redirect to the CDNetworks console.

关于 HTTP/2 Bomb 漏洞(CVE-2026-49975)的风险说明

Is the content of this document helpful to you?
Yes
I have suggestion
Submitted successfully! Thank you very much for your feedback, we will continue to strive to do better!