SSO With Keycloak

Last modified on July 2, 2024

This guide provides step-by-step instructions on how to configure single sign-on (SSO) with Keycloak. You already use Keycloak to conveniently manage permissions to applications. After SSO configuration is complete, you’ll also be able to use Keycloak to manage permissions to your Datasources.


  1. In your Keycloak admin console, go to the Clients section and click Create to add a client.
  2. On the Add Client page, enter basic information and then save:
    1. Client ID: Enter a name like StrongDM.
    2. Client Protocol: Select openid-connect.
    3. Root URL: Enter
      Configure credentials
      Configure credentials
  3. On the Settings tab, do the following:
    1. Ensure that Client Protocol is openid-connect.
    2. Set Access Type to confidential.
    3. Under Valid Redirect URIs, add the following URLS: and
    4. Other fields are optional and can be set as you prefer. When done, click Save.
      Enter details
      Enter details
  4. On the Credentials tab, copy the Secret value. You will need this in the next step.
    Record client secret
    Record client secret
  5. Next, enter the account details in the StrongDM Admin UI. Go to Settings > User Management. In the Single Sign-on section, set the following:
    1. Provider: Select Keycloak.
    2. Single sign-on URL: Add your URL (add /auth/realms/<REALM_NAME> to your Keycloak base URL).
    3. Client ID: Enter your client ID.
    4. Client Secret: Paste the secret that you copied previously.
  6. Select your desired general SSO settings and click activate.
    Configure Keycloak in StrongDM
    Configure Keycloak in StrongDM
  7. Verify that all users in StrongDM exist in Keycloak.