Skip to main content

SSO Setup in Keycloak

ℹ️ Requires an Organization plan

In this guide explains how to setup another identity provider for Single Sign On via Keycloak.

  1. Login with the keycloak admin account under SERVER_URL/auth/admin. You can find the password for the keycloak admin account in your .env file under KEYCLOAK_PASSWORD in your installation folder.

  2. Change the realm to the anchorpoint realm on the top right where Keycloak is selected by default.

    sso rleam selection

  3. Setup your Identify Provider

    1. Click on Identity providers on the right sidebar menu.
    2. Setup your identity provider:
      • OpenID Connect provider setup guide here,
      • SAML provider setup guide here
      • Azure AD provider setup guide here
      • You can also find other guides by searching for "keycloak idp <name of the idp>" on your search engine
    3. Disable showing your identity provider as additional option on the login page
      • Click on the identity provider
      • Open Advanced Settings and scroll down to Hide on login page and enable it

  4. Create a new Authentication flow for user account linking

    1. Click on Authentication on the left sidebar
    2. Click on Create flow
    3. Set the name to auto-link-browser and the description to link existing user accounts. Set the Flow type to Basic flow and click on Create
    4. Click on Add execution and choose Create User If Unique and click Add
    5. Set the Requirement of the Create User If Unique to Alternative
    6. Click Add Step and choose Automatically set existing user and click Add
    7. Set the Requirement of the Automatically set existing user to Alternative
    8. Open the created Identify Provider from step 3 and scroll down to set First login flow override to auto-link-browser and press save

    sso auto link browser flow

  5. Create another new Authentication flow for the Anchorpoint client

    1. Click on Authentication on the left sidebar
    2. Click on Create flow
    3. Set the name to ap-client-browser and the description to auth flow for Anchorpoint client browser login. Set the Flow type to Basic flow and click on Create
    4. Click on Add execution and choose Cookie and click Add
    5. Set the Requirement of the Cookie to Alternative
    6. Click Add Step and choose Identity Provider Redirector and click Add
    7. Set the Requirement of the Identity Provider Redirector to Alternative
    8. Click on the Settings icon of the Identity Provider Redirector and set Alias and Default Identity Provider to the name of the identity provider you created in step 3 and click Save

    sso ap client browser flow

  6. Overwrite the Authentication flow of the anchorpoint-desktop-client

    1. Click on Clients in the right sidebar
    2. Click on the anchorpoint-desktop-client-... client to edit it
    3. Click on the Advanced tab
    4. Scroll all the way down to Authentication flow overrides and choose ap-client-browser for Browser Flow and click on Save

  7. (Optional) enable two factor auth for the dashboard admin user in the Anchorpoint realm

    1. Setup one time password with this guide here in the Anchorpoint realm
    2. Add Configure OTP in the Required user actions for the admin user in the Anchorpoint realm

  8. (Optional) enable two factor auth for the admin user in the Keycloak master realm

    1. Create a backup admin user in the Keycloak master realm (in case something is setup wrong so you do not loose access to the Keycloak master realm)
    2. Setup one time password with this guide here in the Keyckloak master realm
    3. Add Configure OTP in the Required user actions for the admin user in the Keycloak master realm