KeyCloak SSO

Available on: Enterprise Edition

Setup KeyCloak SSO

Start a KeyCloak service

If you don't have a KeyCloak server already running, you can use a managed service like Cloud IAM.

You can follow the steps described here to deploy a managed KeyCloak cluster for free.

Configure KeyCloak client

Once in KeyCloak, you would need to create a client:

alt text

Set https://{{ yourKestraInstanceURL }}/oauth/callback/keycloak as Valid redirect URIs and https://{{ yourKestraInstanceURL }}/logout as Valid post logout redirect URIs.

alt text

Kestra Configuration

yaml

micronaut:
  security:
    oauth2:
      enabled: true
      clients:
        keycloak:
          client-id: "{{ clientId }}"
          client-secret: "{{ clientSecret}}"
          openid:
            issuer: "https://{{ keyCloakServer }}/auth/realms/{{yourRealm}}"
    endpoints:
      logout:
        get-allowed: true

You can retrieve clientId and clientSecret via KeyCloak user interface

alt text

Don't forget to set a default role in your Kestra configuration to streamline the process of adding new users.

kestra:
  security:
    default-role:
      name: Editor
      description: Default Editor role
      permissions:
        FLOW: ["CREATE", "READ", "UPDATE", "DELETE"]
        EXECUTION:
          - CREATE
          - READ
          - UPDATE
          - DELETE

Note: depending of the KeyCloak configuration you might want to tune the issuer url.

For more configuration details, refer to the Keycloak OIDC configuration guide.

Was this page helpful?

How To GuidesJulia

How To GuidesSecrets from a Helm Chart

​Key​Cloak ​S​S​O

Start a KeyCloak service

Configure KeyCloak client

Kestra Configuration

KeyCloak SSO