Configure SSO for Workplace with Keycloak using SAML

I will describe how to set up SSO for Workplace (by Facebook) with Keycloak as the identity provider.

I deployed Keycloak version 4.3.0.Final in a Docker container using the “official” Keycloak Docker image: jboss/keycloak. All URLs below carry the /auth prefix of that generation of Keycloak; newer (Quarkus-based) releases drop it by default, so adjust the paths if you run a recent version.

Get information from Workplace

In Workplace, as an admin, open the “Admin panel” and navigate to the “Authentication” page.

I found it directly in the left menu of the “Admin panel”:

[Screenshot: keycloak-1]

or hidden in a tab of the “Security” page of the “Admin panel”:

[Screenshot: keycloak-2]

Then collect some information from the SAML Configuration section at the bottom of the page:

[Screenshot: keycloak-3]

and click on Single-Sign On (SSO):

[Screenshot: keycloak-4]

Then go to the Keycloak admin console to configure the client application.

Keycloak Configuration

I assume that you have a realm configured.

NOTE: you need a user in Keycloak whose email address matches the one you use to sign in to the Workplace admin panel, because Workplace validates the SSO configuration by logging you in through it.

Create a client:

  1. Go to Clients
  2. Click on the Create button to add a new client

[Screenshot: keycloak-5]

  3. Save
  4. In the client definition, fill everything in like this

[Screenshot: keycloak-6]

(please note the URL Keycloak generates from the “IDP Initiated SSO URL Name” field: “Target IDP initiated SSO URL: https://KEYCLOAK_URL/auth/realms/REALM_NAME/protocol/saml/clients/AUDIENCE_ID”; this is the URL Workplace will send users to)

  5. Then go to the Installation tab
  6. Select SAML Metadata IDPSSODescriptor
  7. Copy the certificate string (the base64 text inside <dsig:X509Certificate></dsig:X509Certificate>)

This certificate is the realm's SAML signing certificate: Workplace uses it to verify the signature on the assertions Keycloak sends, so whenever you rotate the realm's signing key (Realm Settings > Keys) you must paste the new certificate into Workplace, or logins will start failing.

Finish Configuring Workplace

Go back to Workplace, to the “Authentication” admin page.

Then fill in the form:

  • SAML URL: https://KEYCLOAK_URL/auth/realms/REALM_NAME/protocol/saml/clients/AUDIENCE_ID (generated during the Keycloak client configuration)
  • SAML Issuer URI: https://KEYCLOAK_URL/auth/realms/REALM_NAME/ (this is the realm's entityID; Keycloak's metadata writes it without the trailing slash, so if the SSO test reports an issuer mismatch, use the value exactly as it appears in the entityID attribute of the metadata)
  • SAML Logout Redirect: unchecked (in my case)
  • SAML Certificate: the certificate string copied in the last step of the Keycloak configuration.

Then click on Test SSO.

A popup should open, display the Keycloak login form (if you are not already logged in), then display the message: SSO Authenticated.

Close the popup. Then save the configuration.
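To avoid copying these values by hand from the Installation tab, here is an added example (mine, not code from the post, Keycloak or Workplace) that parses the IDPSSODescriptor metadata, pulls out the entityID, the signing certificate and the SSO endpoints, and maps them onto the fields of the Workplace form. The metadata document in the block is constructed, its certificate is a placeholder rather than a real X.509 certificate, and the names parse_idp_metadata, cert_fingerprint and workplace_settings are mine. With a real export you would feed in the text of the Installation tab (or of https://KEYCLOAK_URL/auth/realms/REALM_NAME/protocol/saml/descriptor) and compare the printed SHA-256 fingerprint with one computed from the certificate shown under Realm Settings > Keys before pasting anything into Workplace.

```python
"""Pull the Workplace SAML form values out of Keycloak's IdP metadata.

Added example for this post (not code from the post or from Keycloak).
SAMPLE_METADATA is a constructed document in the shape of Keycloak's
"SAML Metadata IDPSSODescriptor" export; its certificate is a placeholder,
not a real X.509 certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder DER bytes standing in for the realm's signing certificate.
PLACEHOLDER_DER = b"constructed placeholder, not a real DER certificate"
PLACEHOLDER_SHA256 = hashlib.sha256(PLACEHOLDER_DER).hexdigest()

# Constructed sample. Keycloak prefixes the xmldsig namespace "dsig"; the
# parser below matches on the namespace URI, so the prefix does not matter.
SAMPLE_METADATA = """<md:EntityDescriptor
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://KEYCLOAK_URL/auth/realms/REALM_NAME">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <dsig:KeyInfo>
        <dsig:X509Data>
          <dsig:X509Certificate>
            %s
          </dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://KEYCLOAK_URL/auth/realms/REALM_NAME/protocol/saml"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://KEYCLOAK_URL/auth/realms/REALM_NAME/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""" % base64.b64encode(PLACEHOLDER_DER).decode()


def parse_idp_metadata(xml_text):
    """Return entityID, signing certificates and SSO endpoints of an IdP."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            # Strip the line breaks the export wraps the base64 with.
            certs.append("".join(cert.text.split()))
    sso = {
        svc.get("Binding"): svc.get("Location")
        for svc in idp.findall("md:SingleSignOnService", NS)
    }
    return {"entity_id": root.attrib["entityID"], "signing_certs": certs, "sso": sso}


def cert_fingerprint(b64_cert):
    """SHA-256 over the DER bytes; compare it out of band before trusting a cert."""
    der = base64.b64decode(b64_cert, validate=True)
    return hashlib.sha256(der).hexdigest()


def workplace_settings(metadata, idp_initiated_sso_url_name):
    """Map parsed metadata onto the fields of Workplace's SAML form."""
    certs = metadata["signing_certs"]
    if len(certs) != 1:
        # Several certificates mean several active realm keys; choose deliberately.
        raise ValueError("expected exactly one signing certificate, got %d" % len(certs))
    entity_id = metadata["entity_id"]
    return {
        # Keycloak builds the IdP-initiated URL from the client's
        # "IDP Initiated SSO URL Name" (AUDIENCE_ID in the post).
        "SAML URL": "%s/protocol/saml/clients/%s" % (entity_id, idp_initiated_sso_url_name),
        # Workplace checks the Issuer of each assertion against this value.
        "SAML Issuer URI": entity_id,
        "SAML Certificate": certs[0],
    }


if __name__ == "__main__":
    md = parse_idp_metadata(SAMPLE_METADATA)
    for field, value in workplace_settings(md, "AUDIENCE_ID").items():
        print("%s: %s" % (field, value))
    print("cert sha256:", cert_fingerprint(md["signing_certs"][0]))
```

Fetching the metadata over HTTPS is a download, not a trust decision: the certificate you paste into Workplace is what lets Workplace accept assertions as genuine, so check its fingerprint against the admin console rather than trusting whatever the URL returned, and repeat the whole step after every realm key rotation.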

Notes

  • If a user does not yet exist in Workplace, Workplace sends them an email to verify their email address when they first try to sign in.
  • If I create a user in Workplace, Workplace sends them an invitation email; when they click the link they are redirected to the SSO login page, then, once logged in, back to Workplace, which asks them to choose a username.