This article provides instructions for configuring SAML Single Sign-On (SSO) for Aircall using Keycloak as your Identity Provider (IdP).

Important: These instructions apply only to companies that have had SAML Single Sign-On activated by Aircall. To request activation, contact the Customer Success team. This functionality is currently available to a limited number of customers.
Note: IdP-initiated SAML sign-in is not supported. Once SAML is configured, users must log in through the Aircall Dashboard or app login page using the Sign in with SSO option.

1. Create a new client

Steps:

  1. Open the Keycloak Administration Console.
  2. From the left-hand navigation menu, under Manage, select Clients.
  3. Click Create Client.
  4. In the Create a new app integration modal, select SAML as the client type.
  5. Enter the following values:
    • Client ID: urn:amazon:cognito:sp:us-west-2_hZkGBmIsz
    • Name: AircallSSO
  6. Click Next.
  7. Under Valid redirect URIs, enter:
    https://sso.aircall.io/saml2/idpresponse
  8. Click Save.

2. Configure your new SAML client

Steps:

  1. Go to Clients > Client details, then select urn:amazon:cognito:sp:us-west-2_hZkGBmIsz.
  2. From the top tabs, select Keys.
  3. Disable Client signature required.
  4. Select the Client scopes tab.
  5. In the table, click on urn:amazon:cognito:sp:us-west-2_hZkGBmIsz-dedicated.
  6. Click Add predefined mapper.
  7. Choose X500 email, then click Add.
  8. After it appears in the table, click the X500 email mapper.
  9. Change the SAML Attribute Name to:
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  10. Click Save.

3. Export the metadata

Steps:

  1. From the left-hand navigation menu, under Configure, select Realm settings.
  2. Locate the Endpoints section.
  3. Click SAML 2.0 Identity Provider Metadata to open the XML file.
  4. Save the file as aircall-idp.xml.

For more information on SAML setup, contact our Customer Success team.