Demo Flow Walkthrough

This walkthrough takes you through the end-to-end ClickID experience on a local dev stack. It covers: logging into the SP Portal, registering a demo service provider, authenticating through the SAML flow, inspecting the assertion, and promoting to live.

Prerequisites

Complete the Local Development Setup guide first. All services must be running before proceeding.

---

Demo credentials

Account	Username	Password	Notes
SP Portal admin	printed by setup-sp-portal-admin.sh	printed by setup script	OIDC login to portal
Demo resident	resident@example.nl	Welkom12345!	Pre-seeded in both realms; no TOTP

---

Step 1: Log into the SP Portal

1. Open http://localhost:3000 in your browser.
2. Click Sign in.
3. You are redirected to Keycloak. Enter the SP Portal admin credentials printed during setup.
4. After login, you land on the SP Portal dashboard.

The dashboard shows two tabs: Sandbox SPs and Live SPs. Both are empty on a fresh setup.

---

Step 2: Register a demo service provider

1. Click Register SP (top right of the dashboard).

2. Give your SP a display name, e.g. My Demo App.

3. In the Metadata section, switch to the XML tab.

4. The demo SP at http://localhost:8082 exposes its metadata at http://localhost:8082/saml/metadata. Paste that XML into the text area.

   Alternatively, if you are testing your own SP, paste your SP's SAML metadata XML here.

5. Click Register.

The portal calls the Keycloak Admin API, creates a SAML client in the clickid-sandbox realm, and applies the Sector-ID Mapper. You should see your new SP listed under Sandbox SPs with status Active.

Metadata URL tab

If your SP is publicly reachable (not localhost), you can use the URL tab instead and provide the metadata URL directly. Keycloak will fetch and parse the metadata automatically.

---

Step 3: Test SSO with the demo SP

1. Open http://localhost:8082 in your browser.
2. Click Login with ClickID.
3. Your browser is redirected to the ClickID sandbox IdP: http://localhost:8080/realms/clickid-sandbox/...
4. You will see the EU Theme login page (dark blue header, ClickID logo).
5. Enter the demo credentials:
   • Email: resident@example.nl
   • Password: Welkom12345!
6. Click Sign in. Because the demo user has no TOTP enrolled, you go directly through.
7. Keycloak generates a signed SAML Response and POSTs it to the demo SP's ACS URL.
8. The demo SP validates the response and displays the authenticated user information.

---

Step 4: Inspect the SAML assertion

The demo SP at http://localhost:8082 includes a SAML Debug view that displays:

• The raw (base64-decoded) SAML Response XML
• The parsed NameID (your sector-ID — a 24-character URL-safe string)
• Any attribute statements in the assertion
• The assertion signature status (valid/invalid)

Note the NameID value. If you log out and log back in, the same value is returned — the sector-ID is stable across sessions.

If you register a second SP and log in there, you will receive a different sector-ID for the same demo user. This is the privacy-preserving property of the Sector-ID Mapper.

---

Step 5: Promote to live

Once you are satisfied with the sandbox integration:

1. Return to the SP Portal dashboard.
2. Find your SP under Sandbox SPs and click Go live.
3. A confirmation dialog warns you that:
   • The sector-IDs in the live realm will be different from sandbox (different pepper derivation)
   • You must update your SP configuration to point at the live IdP metadata URL
4. Confirm. The portal promotes the SP to the clickid realm.
5. Your SP now appears under Live SPs.

Update your SP configuration

After promotion, update your SP's IdP metadata URL to:

https://auth.clickid.eu/realms/clickid/protocol/saml/descriptor

Or in a local dev environment:

http://localhost:8080/realms/clickid/protocol/saml/descriptor

Re-import the IdP metadata in your SP framework. The signing keys are different between realms.

Test once more with live

Repeat the login flow against your SP now pointed at the live realm. Use the same demo credentials — the demo user is seeded in both realms by seed-demo-user.sh.

You should receive a valid SAML assertion with a different sector-ID than you saw in the sandbox. This is expected and correct.

---

What to do next

• Read SAML Reference for the full list of SAML endpoints, signing details, and sample XML.
• Review Sector-ID concept if you need to understand the pseudonym derivation algorithm.
• Set up a production deployment when you are ready to go beyond local dev.