Configure KeyCloak SSO in Kestra

Available on: Enterprise Edition

Setup KeyCloak SSO to manage authentication for users.

Start a KeyCloak service

If you don't have a KeyCloak server already running, you can use a managed service like Cloud IAM.

You can follow the steps described here to deploy a managed KeyCloak cluster for free.

Configure KeyCloak client

Once in KeyCloak, you would need to create a client:

alt text

Set https://{{ yourKestraInstanceURL }}/oauth/callback/keycloak as Valid redirect URIs and https://{{ yourKestraInstanceURL }}/logout as Valid post logout redirect URIs.

alt text

Kestra Configuration

yaml

micronaut:
  security:
    oauth2:
      enabled: true
      clients:
        keycloak:
          client-id: "{{clientId}}"
          client-secret: "{{clientSecret}}"
          openid:
            issuer: "https://{{keyCloakServer}}/auth/realms/{{yourRealm}}"
    endpoints:
      logout:
        get-allowed: true

You can retrieve clientId and clientSecret via KeyCloak user interface

alt text

Don't forget to set a default role in your Kestra configuration to streamline the process of adding new users.

text

kestra:
  security:
    defaultRole:
      name: Editor
      description: Default Editor role
      permissions:
        FLOW: ["CREATE", "READ", "UPDATE", "DELETE"]
        EXECUTION:
          - CREATE
          - READ
          - UPDATE
          - DELETE

Note: depending of the KeyCloak configuration you might want to tune the issuer url.

For more configuration details, refer to the Keycloak OIDC configuration guide.

Was this page helpful?

How To GuidesRun Julia inside of your Flows

How To GuidesSet Up Secrets from a Helm Chart

​Configure ​Key​Cloak ​S​S​O in ​Kestra

Start a KeyCloak service

Configure KeyCloak client

Kestra Configuration

Configure KeyCloak SSO in Kestra