Setup Guide for Keycloak App


Follow the following steps to configure Keycloak as IdP to achieve Keycloak SSO

Select Keycloak version:

 Keycloak Single Sign-On | miniorange img Pre-requisites : Download And Installation


  • First of all, Download Keycloak and install it.
  • Start the keycloak server based on your keycloak version. (See table below)

For the Keycloak Version 16 and below

Go to the Root Directory of keycloak bin standalone.sh

For the Keycloak Version 17 and above

Go to the Root Directory of keycloak bin kc.bat and run the below commands.
1. kc.bat build
2. kc.bat start-dev

 Keycloak Single Sign-On | miniorange img Configure Keycloak as IdP

    • Add Realm : Now login to keycloak administration console and navigate to your desired realm. You can add new realm by selecting Add Realm option.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - add realm
    • Create realm: Enter Realm Name and keep the realm name handy as it will required later to configure the Realm under the plugin. Click on CREATE to add realm.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - add realm
    • Create OpenID client: Click on the Clients and choose create to create a new client. Enter client id and select client protocol openeid-connect and select Save.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - client id
    • Change Access type: After client is created change its access type to confidential.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - change access type
    • Enter Valid Redirect URIs: Copy callback URL from plugin and then click on SAVE. Ex -- https:///oauth/callback

    • Keycloak SSO - Keycloak OAuth Single Sign-On - change access type
    • Get Client Secret: Now we need to get client secret. So select Clients and select credentials and copy your secret from here.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - client id client secret
    • Plugin Configuration: Enter copied Client Secret under Client secret field in the OAuth Client plugin, and enter the Client Name under the Client ID field.
    • Add User: We need to add users to realm who will be able to access the resources of realm. Click on the Users and choose to Add a new User.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - add user
    • User Configuration: After user is created following action needs to be performed on it.
      • 1) Setting a password for it so click on Credentials and set a new Password for the user.


      Keycloak SSO - Keycloak OAuth Single Sign-On - set password

      NOTE : Disabling Temporary will make user password permanent.

    • Map User: We need to map user to a role. Click on Role Mappings and assign the user desired role from available roles and clicking on add selected.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - map user
    • Create ROLE: The Role will be used by your applications to define which users will be authorized to access the application. Click on the Roles and choose Add Role.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - add role

      Step 1.1: Steps to fetch Keycloak Groups [Premium]

      • Create groups: Click on the Groups and choose New to create a new group.

      • Keycloak SSO - Keycloak OAuth Single Sign-On - create group
      • Assign user to group: Select the user whom you want to add in group. Choose Groups option from tab and then select the group-name and click on join.

      • Keycloak SSO - Keycloak OAuth Single Sign-On - assign group
      • Keycloak Group Mapper: Now to get group details we need to perform its client mapping with group membership else group details will not be fetched. So in Client section, select your client and then click on mapper->create.

      • Keycloak SSO - Keycloak OAuth Single Sign-On - group mapper
        Keycloak SSO - Keycloak OAuth Single Sign-On - group mapper
      • Now, select mapper type as Group Membership and enter the name and token claim name i.e the attribute name corresponding to which groups will be fetched. Turn Off the full group path, Add to ID token and Add to access token options, and click on Save.

      • Keycloak SSO - Keycloak OAuth Single Sign-On - group mapper

        Note: -- If full path is on group path will be fetched else group name will be fetched.

      Step 1.2: Steps to fetch Keycloak Roles [Premium]

      • Keycloak Role Mapper: Now to get role details we need to perform its client mapping with role membership else role details will not be fetched. So in Client section, select your client and then click on mapper->create.

      • Keycloak SSO - Keycloak OAuth Single Sign-On - group mapper
        Keycloak SSO - Keycloak OAuth Single Sign-On - group mapper
      • Now, select mapper type as user realm Role Membership and enter the name. and token claim name i.e the attribute name corresponding to which groups will be fetched. Add to ID token and Add to access token options, and click on Save.

      • Keycloak SSO - Keycloak OAuth Single Sign-On - group mapper
    • Add Realm : Now login to keycloak administration console and navigate to your desired realm. You can add new realm by selecting Create Realm option.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - Add realm
    • Create realm: Enter Realm Name and keep the realm name handy as it will required later to configure the Realm under the OAuth Client plugin. Click on CREATE to add realm.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - Create realm
    • Create OpenID client: Click on the Clients and choose Create Client to create a new client. Enter Client id and select client protocol openeid-connect and Click Next.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - Create client
      Keycloak SSO - Keycloak OAuth Single Sign-On - Add client id
    • Enable the Client Authentication and Authorization toggle.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - Enable toggle
    • Scroll down to the Access settings and enter your Callback/Redirect URL which you will get from your plugin present on your Client side under the CallBack URLs text-field.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - callback url
    • Go to the Credentials tab, copy the Client Secret and keep it handy as we will require it later while configuring plugin.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - Copy client secret
    • Plugin Configuration: Enter copied Client Secret under Client secret field in the OAuth Client plugin, and enter the Client ID under the Client ID field.
    • Add User: We need to add users to realm who will be able to access the resources of realm. Click on the Users and Click on Create new user to Add a new User.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - Add user
    • User Configuration: After user is created following action needs to be performed on it.
      • 1) Setting a password for it so click on Credentials and set a new Password for the user.


      Keycloak SSO - Keycloak OAuth Single Sign-On - set password

      NOTE : Disabling Temporary will make user password permanent.

    • Map User: We need to map user to a role. Click on Role Mappings and assign the user desired role from available roles.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - map user
    • Create ROLE: The Role will be used by your applications to define which users will be authorized to access the application. Click on the Roles and choose Create Role.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - add role
    • Add Realm : Now login to keycloak administration console and navigate to your desired realm. You can add new realm by selecting Create Realm option.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - Add realm
    • Create realm: Enter Realm Name and keep the realm name handy as it will required later to configure the Realm under the OAuth Client plugin. Click on CREATE to add realm.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - Create realm
    • Create OpenID client: Click on the Clients and choose Create Client to create a new client. Enter Client id and select client protocol openeid-connect and Click Next.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - Create client
      Keycloak SSO - Keycloak OAuth Single Sign-On - Add client id
    • Enable the Client Authentication and Authorization toggle.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - Enable toggle
    • Scroll down to the Access settings and enter your Callback/Redirect URL which you will get from your plugin present on your Client side under the CallBack URLs text-field.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - callback url
    • Go to the plugin and copy the Client Secret and keep it handy as we will require it later while configuring plugin.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - Copy client secret
    • Plugin Configuration: Enter copied Client Secret under Client secret field in the plugin, and enter the Client ID under the Client ID field.
    • Add User: We need to add users to r+ealm who will be able to access the resources of realm. Click on the Users and Click on Create new user to Add a new User.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - Add user
    • User Configuration: After user is created following action needs to be performed on it.
      • 1) Setting a password for it so click on Credentials and set a new Password for the user.


      Keycloak SSO - Keycloak OAuth Single Sign-On - set password

      NOTE : Disabling Temporary will make user password permanent.

    • Map User: We need to map user to a role. Click on Role Mappings and assign the user desired role from available roles.

    • Keycloak SSO - Keycloak OAuth Single Sign-On - map user