SSO With Keycloak

This guide provides step-by-step instructions on how to configure single sign-on (SSO) with Keycloak. You already use Keycloak to conveniently manage permissions to applications. After SSO configuration is complete, you’ll also be able to use Keycloak to manage permissions to your Datasources.

Steps #

1. In your Keycloak admin console, go to the Clients section and click Create to add a client.
2. On the Add Client page, enter basic information and then save:
   1. Client ID: Enter a name like StrongDM.
   2. Client Protocol: Select openid-connect.
   3. Root URL: Enter the appropriate URL depending on your tenant’s location:
      https://app.strongdm.com

      https://app.uk.strongdm.com

      https://app.eu.strongdm.com

      

3. On the Settings tab, do the following:
   1. Ensure that Client Protocol is openid-connect.
   2. Set Access Type to confidential.
   3. Under Valid Redirect URIs, add the following URLS depending on the tenant location:
      https://app.strongdm.com/auth/return

      https://app.uk.strongdm.com/auth/return

      https://app.eu.strongdm.com/auth/return
   4. Other fields are optional and can be set as you prefer. When done, click Save.

      

4. On the Credentials tab, copy the Secret value. You will need this in the next step.

   

5. Next, enter the account details in the StrongDM Admin UI. Go to Settings > User Management. In the Single Sign-on section, set the following:
   1. Provider: Select Keycloak.
   2. Single sign-on URL: Add your URL (add /auth/realms/<REALM_NAME> to your Keycloak base URL).
   3. Client ID: Enter your client ID.
   4. Client Secret: Paste the secret that you copied previously.
6. Select your desired general SSO settings and click activate.

   

7. Verify that all users in StrongDM exist in Keycloak.