APIs & Integrations

JErasmus4
Member

KeyCloak integration

Hello everyone, has anyone used KeyCloak for SSO with HubSpot, we have KeyCloak up and running but can't seem to integrate it with HubSpot as of yet. Any help would really be appreciated.

0 Upvotes
5 Replies
Jaycee_Lewis
Community Manager

KeyCloak integration

Hey, @JErasmus4 👋 This is a tough one. I tried doing a bit of searching for us and only found one other possibly related post for KeyCloak — https://community.hubspot.com/t5/Reporting-Analytics/Problems-with-Non-HubSpot-Formulas-and-Keycloak...
 
The same for our official SSO documentation https://knowledge.hubspot.com/account/can-i-use-single-sign-on-sso-with-hubspot#instructions-for-spe...

 

We'll leave this here to see if any other community members have experience with KeyCloak.

 

Best,

Jaycee

Jaycee Lewis

Developer Community Manager

Community | HubSpot

0 Upvotes
JErasmus4
Member

KeyCloak integration

Hey, documentation around KeyCloak is not the best, but luckily, we sorted out the problem we had with the integration, and we are now able to use Keycloak to SSO into HubSpot.

 

0 Upvotes
LBokor
Member

KeyCloak integration

Hi @JErasmus4,

 

Hi, could you please share some information about how you managed to integrate the two?

 

BR Levente

0 Upvotes
SSSing
Member

KeyCloak integration

@JErasmus4 how did you end up doing it? Any documentation you can pass along by any chance? 

0 Upvotes
NigelS
Member

KeyCloak integration

I've recently grappled with the same. I got it going with the following:

 

1. HS: Start the SSO process and select SAML

2. KC: Create a new SAML client within the appropriate realm

    a. Set the Client ID to be the Audience URI from HS

    b. Set the Valid redirect URLs to be the Signon URL from HS

    c. Change the Name ID format to email

    d. Save (?)

    e. Under Keys disable Client signature required (the cert you give to HS is unrelated to client signing)

3. KC: Go to the Realm Settings and click on SAML 2.0 Identity Provider Metadata. This is an XML file that has all the bits you need for HS. Why you can't just provide this to HS I don't know.

4. HS: enter

    a. Enter the EntityDescriptor entityID URL from the XML into the Issuer URL spot (this should basically be pointing to your realm in KC)

    b. Enter the md:SingleSignOnService Location from the XML into the Identity Provider single sign-on URL in HS (this will be the EntityID plus /protocol/saml)

    c. In the X.509 box get the ds:X509Certificate from the XML, and put 

        -----BEGIN CERTIFICATE-----

        MII...

        -----END CERTIFICATE-----

       

HS needs that guard text around the certificate text, otherwise it'll complain about it not being a valid X.509 (technically correct, but tedious).

 

Then, you should be able to hit Verify, which will have you perform a login, and it'll tell you if there is anything unexpected.

 

We're on KC 22.0.4
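
Added example, not part of the post above: a short Python script that pulls the three values from step 4 out of the realm's SAML 2.0 Identity Provider Metadata XML and wraps the certificate in the guard lines. The function name `hubspot_fields`, the host `kc.example.test`, the realm `demo` and the certificate body are constructed placeholders; it assumes the metadata comes from your own realm.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: host, realm and certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://kc.example.test/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>""" + "QUJD" * 40 + """</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://kc.example.test/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://kc.example.test/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def hubspot_fields(metadata_xml):
    """Return the three values step 4 asks for, taken from IdP metadata."""
    root = ET.fromstring(metadata_xml)  # assumption: trusted XML from your own realm
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML 2.0 IdP metadata")
    # Refuse to guess if the bindings advertise different endpoints.
    locations = {s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if len(locations) != 1:
        raise ValueError("expected one SSO location, got %r" % sorted(locations))
    # Only the signing key matters here; an untyped KeyDescriptor covers signing too.
    certs = [c.text for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")
             for c in k.iterfind(".//ds:X509Certificate", NS)]
    if len(certs) != 1:
        raise ValueError("expected one signing certificate, got %d" % len(certs))
    b64 = "".join(certs[0].split())  # drop line breaks and indentation
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = "\n".join(["-----BEGIN CERTIFICATE-----", *body,
                     "-----END CERTIFICATE-----"])
    return {"issuer_url": root.get("entityID"),
            "sso_url": locations.pop(),
            "x509_pem": pem}


if __name__ == "__main__":
    for name, value in hubspot_fields(SAMPLE_METADATA).items():
        print(name, value, sep=":\n", end="\n\n")
```
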