KeyCloak SSO

Available on: Enterprise Edition

Setup KeyCloak SSO

Start a KeyCloak service

If you don't have a KeyCloak server already running, you can use a managed service like Cloud IAM.

You can follow the steps described here to deploy a managed KeyCloak cluster for free.

Configure KeyCloak client

Once logged in to KeyCloak, create a client for Kestra:


Set https://{{ yourKestraInstanceURL }}/oauth/callback/keycloak as Valid redirect URIs and https://{{ yourKestraInstanceURL }}/logout as Valid post logout redirect URIs.


Kestra Configuration

micronaut:
  security:
    oauth2:
      enabled: true
      clients:
        keycloak:
          client-id: "{{ clientId }}"
          client-secret: "{{ clientSecret }}"
          openid:
            issuer: "https://{{ keyCloakServer }}/auth/realms/{{ yourRealm }}"
    endpoints:
      logout:
        get-allowed: true

You can retrieve the clientId and clientSecret from the client's settings in the KeyCloak user interface.


Don't forget to set a default role in your Kestra configuration to streamline the process of adding new users.

kestra:
  security:
    default-role:
      name: Editor
      description: Default Editor role
      permissions:
        FLOW: ["CREATE", "READ", "UPDATE", "DELETE"]
        EXECUTION:
          - CREATE
          - READ
          - UPDATE
          - DELETE

Note: depending on your KeyCloak configuration, you might need to tune the issuer URL (for example, the /auth path prefix is not present on every KeyCloak deployment).
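The two values that most often go wrong in this setup are the issuer URL in the Kestra configuration and the redirect URIs on the KeyCloak client. The following is an added example, not code from the Kestra docs or from Kestra itself: it checks a candidate issuer against the realm's OIDC discovery document (the issuer advertised there must match the configured one exactly) and checks that the client's redirect URIs are the exact HTTPS callback and logout URLs rather than wildcards. The hostnames, the SAMPLE_METADATA document and the function names are constructed for the example; the only network call, fetch_discovery, is optional and assumes outbound HTTPS to the realm.

```python
"""Pre-flight checks for a Kestra <-> KeyCloak OIDC setup.

Added example; not part of the Kestra documentation or code base.
"""
import json
import urllib.request
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

# Constructed sample of what a KeyCloak realm publishes at the discovery URL
# (only the fields this example looks at; a real document has many more).
SAMPLE_METADATA = {
    "issuer": "https://keycloak.example.internal/auth/realms/kestra",
    "authorization_endpoint": "https://keycloak.example.internal/auth/realms/kestra/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.internal/auth/realms/kestra/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.example.internal/auth/realms/kestra/protocol/openid-connect/certs",
    "end_session_endpoint": "https://keycloak.example.internal/auth/realms/kestra/protocol/openid-connect/logout",
    "response_types_supported": ["code", "id_token", "token id_token"],
}


def discovery_url(issuer: str) -> str:
    # OIDC Discovery places the metadata at <issuer>/.well-known/openid-configuration;
    # strip a trailing slash so a "…/realm/" issuer does not produce a double slash.
    return issuer.rstrip("/") + DISCOVERY_SUFFIX


def fetch_discovery(issuer: str, timeout: float = 5.0) -> dict:
    # Live fetch of the discovery document. Not exercised offline.
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def check_issuer(configured_issuer: str, metadata: dict) -> list[str]:
    """Return the problems found with the issuer value; an empty list means it is usable."""
    problems = []
    if urlparse(configured_issuer).scheme != "https":
        problems.append("issuer must use https so tokens and signing keys are fetched over TLS")
    # The discovery spec requires the advertised issuer to equal the URL the client
    # configured; a mismatch almost always means the /auth prefix or realm path is wrong,
    # and the library will reject every ID token's "iss" claim.
    advertised = metadata.get("issuer")
    if advertised != configured_issuer.rstrip("/"):
        problems.append(
            f"issuer mismatch: configured {configured_issuer!r}, provider advertises {advertised!r}"
        )
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri", "end_session_endpoint"):
        if key not in metadata:
            problems.append(f"discovery document lacks {key}")
    if "code" not in metadata.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    return problems


def check_client_redirects(kestra_url: str, valid_redirect_uris: list[str],
                           post_logout_uris: list[str]) -> list[str]:
    """Validate the KeyCloak client's redirect settings for a given Kestra base URL."""
    base = kestra_url.rstrip("/")
    expected_callback = base + "/oauth/callback/keycloak"
    expected_logout = base + "/logout"
    problems = []
    if expected_callback not in valid_redirect_uris:
        problems.append(f"Valid redirect URIs must include {expected_callback}")
    if expected_logout not in post_logout_uris:
        problems.append(f"Valid post logout redirect URIs must include {expected_logout}")
    for uri in valid_redirect_uris + post_logout_uris:
        if "*" in uri:
            # A wildcard lets any URL matching the pattern receive the authorization
            # code or the post-logout redirect; register the exact URL instead.
            problems.append(f"wildcard redirect {uri!r}; register the exact URL")
        elif urlparse(uri).scheme != "https":
            problems.append(f"{uri!r} is not https")
    return problems


if __name__ == "__main__":
    issuer = "https://keycloak.example.internal/auth/realms/kestra"
    for problem in check_issuer(issuer, SAMPLE_METADATA):
        print("issuer:", problem)
    for problem in check_client_redirects(
        "https://kestra.example.internal",
        ["https://kestra.example.internal/oauth/callback/keycloak"],
        ["https://kestra.example.internal/logout"],
    ):
        print("client:", problem)
```

To run it against a real realm, replace SAMPLE_METADATA with fetch_discovery(issuer) and pass the URIs you entered in the KeyCloak client; an empty problem list for both checks means the issuer line in the micronaut configuration and the client's redirect settings agree with each other and with the provider.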

For more configuration details, refer to the Keycloak OIDC configuration guide.
