Configure SSO with Keycloak
CRAFT uses Keycloak as its identity provider, supporting Single Sign-On (SSO) via both OIDC and SAML 2.0 protocols. This guide covers configuring SSO for enterprise identity providers including Microsoft Entra ID (Azure AD), Okta, Google Workspace, and PingFederate.
Prerequisites
Before you begin, ensure you have:
- Administrative access to the Keycloak admin console
- Administrative access to your enterprise identity provider (IdP)
- The Keycloak realm ID for your organization (realm ID = organization ID)
- Network connectivity between Keycloak and the IdP (HTTPS required)
How SSO Works in CRAFT
Each organization in the platform maps to a Keycloak realm. When SSO is configured:
- Users navigate to the platform login page
- Keycloak redirects to the enterprise IdP for authentication
- The IdP authenticates the user and returns claims to Keycloak
- Keycloak issues a JWT containing org_id (from the realm) and group memberships
- The platform uses the JWT for authorization via OpenFGA
Per-tenant SSO configuration means each organization can connect to a different identity provider. One organization might use Okta while another uses Entra ID.
Configure OIDC SSO
OIDC is the recommended protocol for most identity providers. The steps below show the Microsoft Entra ID configuration; Okta and Google Workspace are configured the same way with their own endpoints and client credentials.
Register an application in Entra ID
- Navigate to Azure Portal > Microsoft Entra ID > App registrations > New registration
- Set the Redirect URI to:
https://<keycloak-host>/realms/<org-id>/broker/entra-id/endpoint
- Note the Application (client) ID and Directory (tenant) ID
- Under Certificates & secrets, create a new client secret and note the value
Configure group claims
- In the app registration, go to Token configuration > Add groups claim
- Select Security groups and set the token type to ID
- Ensure the groups claim format is set to Group ID
Add the IdP in Keycloak
- Log in to Keycloak Admin Console
- Select the realm matching your organization ID
- Navigate to Identity Providers > Add provider > OpenID Connect v1.0
- Configure the following:
| Field | Value |
|---|---|
| Alias | entra-id |
| Authorization URL | https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize |
| Token URL | https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token |
| Client ID | Your Entra ID application client ID |
| Client Secret | Your Entra ID client secret |
| Default Scopes | openid email profile |
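The same configuration, as an added example that is not part of the original page or of the CRAFT or Keycloak projects, driven through the Keycloak Admin REST API instead of the console. It builds the identity provider representation from the table above and one "advanced claim to group" mapper per Entra group; because the Entra groups claim was configured with the Group ID format, the mapper matches on the group's object ID, not its display name. Host, realm (org) ID, tenant ID, client credentials and group object IDs are placeholders, and the signature-validation settings (validateSignature, useJwksUrl, jwksUrl, issuer) are an addition not taken from the page.

```python
"""Register the Entra ID OIDC broker in a CRAFT organization realm via the
Keycloak Admin REST API. Added example, not project code. All <...> values
are placeholders; the JWKS/issuer settings are an assumption not on the page."""
import json
import os
import urllib.parse
import urllib.request

KEYCLOAK_BASE = "https://<keycloak-host>"  # placeholder
ORG_ID = "<org-id>"                        # realm ID = organization ID
TENANT_ID = "<tenant-id>"                  # Entra Directory (tenant) ID, placeholder
IDP_ALIAS = "entra-id"                     # must match .../broker/entra-id/endpoint


def entra_idp_representation(tenant_id, client_id, client_secret):
    """IdentityProviderRepresentation mirroring the admin-console form fields."""
    authority = f"https://login.microsoftonline.com/{tenant_id}"
    return {
        "alias": IDP_ALIAS,
        "displayName": "Microsoft Entra ID",
        "providerId": "oidc",               # "OpenID Connect v1.0" in the console
        "enabled": True,
        "trustEmail": True,                 # email comes from the IdP, skip Keycloak's own verification
        "config": {
            "authorizationUrl": f"{authority}/oauth2/v2.0/authorize",
            "tokenUrl": f"{authority}/oauth2/v2.0/token",
            "clientId": client_id,
            "clientSecret": client_secret,
            "defaultScope": "openid email profile",
            "clientAuthMethod": "client_secret_post",
            # Assumption (not on the page): verify Entra's ID token against its JWKS
            "validateSignature": "true",
            "useJwksUrl": "true",
            "jwksUrl": f"{authority}/discovery/v2.0/keys",
            "issuer": f"{authority}/v2.0",
            "syncMode": "FORCE",            # re-sync attributes/groups on every login
        },
    }


def group_mapper_representation(entra_group_object_id, keycloak_group_path):
    """Map one Entra group (by object ID, i.e. the 'Group ID' claim format) to a Keycloak group."""
    return {
        "name": f"{keycloak_group_path.strip('/')}-from-entra",
        "identityProviderAlias": IDP_ALIAS,
        "identityProviderMapper": "oidc-advanced-group-idp-mapper",
        "config": {
            # Claim name 'groups' is what Entra emits for the groups claim configured above
            "claims": json.dumps([{"key": "groups", "value": entra_group_object_id}]),
            "are.claim.values.regex": "false",
            "group": keycloak_group_path,   # e.g. "/admins"
            "syncMode": "FORCE",
        },
    }


def admin_token(base, username, password):
    """Obtain an admin access token from the master realm (admin-cli public client)."""
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base}/realms/master/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def post_json(base, token, path, payload):
    """POST a representation to the Admin API; Keycloak answers 201 Created on success."""
    req = urllib.request.Request(
        f"{base}{path}", data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def register_entra_broker(base, token, org_id, tenant_id, client_id, client_secret, group_map):
    """Create the broker, then one mapper per entry of {entra_group_object_id: keycloak_group_path}."""
    status = post_json(base, token, f"/admin/realms/{org_id}/identity-provider/instances",
                       entra_idp_representation(tenant_id, client_id, client_secret))
    for object_id, path in group_map.items():
        post_json(base, token,
                  f"/admin/realms/{org_id}/identity-provider/instances/{IDP_ALIAS}/mappers",
                  group_mapper_representation(object_id, path))
    return status


if __name__ == "__main__":
    # Secrets come from the environment, never from the source file
    tok = admin_token(KEYCLOAK_BASE, os.environ["KC_ADMIN_USER"], os.environ["KC_ADMIN_PASSWORD"])
    print(register_entra_broker(
        KEYCLOAK_BASE, tok, ORG_ID, TENANT_ID,
        os.environ["ENTRA_CLIENT_ID"], os.environ["ENTRA_CLIENT_SECRET"],
        {"<entra-admins-group-object-id>": "/admins"}))   # placeholder object ID
```

Run it once per organization realm with the admin credentials in the environment; the Keycloak groups named in the mapper (for example /admins) must already exist in that realm, or the mapper has nothing to add the user to.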
Configure SAML 2.0 SSO
For identity providers that prefer SAML, Keycloak supports SAML 2.0 as well.
Export the Keycloak SAML descriptor
Download the SAML metadata from your Keycloak realm:
Upload this XML to your IdP as the service provider metadata.
Configure the IdP
In your SAML IdP, configure the following:
| Field | Value |
|---|---|
| Entity ID | https://<keycloak-host>/realms/<org-id> |
| ACS URL | https://<keycloak-host>/realms/<org-id>/broker/<alias>/endpoint |
| Name ID format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
Just-In-Time User Provisioning
Keycloak supports JIT provisioning by default. When a user authenticates via SSO for the first time:
- Keycloak creates a local user account in the realm
- User attributes (email, name) are synced from the IdP
- Group memberships are mapped from IdP claims to Keycloak groups
- OpenFGA relationships are established based on group-to-role mappings
Enforce SSO (Disable Password Login)
To require SSO for all users in an organization:
- In the Keycloak admin console, select the organization’s realm
- Navigate to Authentication > Flows
- Edit the Browser flow to remove or disable the Username Password Form
- Ensure the Identity Provider Redirector is enabled and set to your SSO provider
Session Management
Configure session behavior for your organization:
| Setting | Location | Description |
|---|---|---|
| SSO Session Idle | Realm Settings > Sessions | Idle timeout before re-authentication (default: 30 min) |
| SSO Session Max | Realm Settings > Sessions | Maximum session duration (default: 10 hours) |
| Remember Me | Realm Settings > Login | Allow users to extend their session |
Group-to-Role Mapping
Map IdP groups to OpenFGA roles for authorization:
| IdP Group | Keycloak Group | OpenFGA Role |
|---|---|---|
| Platform-Admins | admins | admin |
| Developers | developers | developer |
| Data-Analysts | members | member |
| Viewers | viewers | viewer |
Troubleshooting
Redirect loop after SSO login
Verify the redirect URI in your IdP matches the Keycloak broker endpoint exactly, including the protocol (HTTPS) and realm ID. Check for trailing slashes.
Groups not appearing in JWT
Ensure group claims are configured in the IdP and a group mapper is set up in the Keycloak identity provider configuration. Verify the claim name matches between the IdP and the Keycloak mapper.
User created but no permissions
Groups must be mapped from the IdP through Keycloak to OpenFGA. If the group-to-role mapping pipeline is not configured, users will authenticate but have no permissions. See the Group-to-Role Mapping section above.
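A small diagnostic for the last two troubleshooting entries and the Group-to-Role Mapping table, added here as an example that is not part of the original page or the CRAFT project. It inspects the claims of a Keycloak-issued token, checks that org_id equals the realm ID and that the issuer is that realm, then runs the group names through the mapping table to see whether any OpenFGA role results. The decoder deliberately does not verify the signature: it is for reading what a token contains, never for making an authorization decision. The sample token is constructed inline; only the claim names org_id and groups and the group/role names come from the page.

```python
"""Inspect a CRAFT token's claims to locate where the IdP -> Keycloak -> OpenFGA
group pipeline broke. Added example, not project code. Signature is NOT verified
here (diagnostic only); the sample token below is constructed, not a real token."""
import base64
import json

# Group-to-Role Mapping table from the page
IDP_TO_KEYCLOAK_GROUP = {"Platform-Admins": "admins", "Developers": "developers",
                         "Data-Analysts": "members", "Viewers": "viewers"}
KEYCLOAK_GROUP_TO_ROLE = {"admins": "admin", "developers": "developer",
                          "members": "member", "viewers": "viewer"}


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(token):
    """Return the payload of a compact JWS without checking its signature.
    Diagnostic only: the platform's own verifier, not this function, decides trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def expected_issuer(keycloak_host, org_id):
    """Keycloak issues tokens for a realm under https://<host>/realms/<realm>."""
    return f"https://{keycloak_host}/realms/{org_id}"


def roles_for(groups):
    """Map Keycloak group names to OpenFGA roles. Accepts bare names ('admins') or
    full group paths ('/admins'); groups outside the table yield no role."""
    roles = set()
    for g in groups:
        name = g.strip("/").split("/")[-1]
        if name in KEYCLOAK_GROUP_TO_ROLE:
            roles.add(KEYCLOAK_GROUP_TO_ROLE[name])
    return sorted(roles)


def diagnose(token, keycloak_host, org_id):
    """Return a list of findings; an empty list means the token looks consistent."""
    claims = unverified_claims(token)
    findings = []
    if claims.get("iss") != expected_issuer(keycloak_host, org_id):
        findings.append(f"issuer {claims.get('iss')!r} is not the realm for org {org_id!r}: "
                        "check the realm ID and the redirect URI configured at the IdP")
    if claims.get("org_id") != org_id:
        findings.append("org_id claim missing or not equal to the realm ID")
    groups = claims.get("groups")
    if not groups:
        findings.append("no groups claim: check the IdP group claim and the Keycloak group mapper "
                        "(claim names must match on both sides)")
    elif not roles_for(groups):
        findings.append(f"groups {groups} map to no OpenFGA role: check Group-to-Role Mapping")
    return findings


def constructed_token(claims):
    """Build a compact token for demonstration (constructed; signature segment is a stub)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.CONSTRUCTED-SIGNATURE"


if __name__ == "__main__":
    # Constructed sample: a developer in org "acme" whose groups survived the pipeline
    ok = constructed_token({"iss": "https://kc.example/realms/acme", "org_id": "acme",
                            "groups": ["/developers"]})
    print(diagnose(ok, "kc.example", "acme"))          # []
    # Constructed sample: authenticated, but the group mapper is missing
    missing = constructed_token({"iss": "https://kc.example/realms/acme", "org_id": "acme"})
    print(diagnose(missing, "kc.example", "acme"))     # one finding about the groups claim
```

Paste a real token only from a throwaway test session: the decoder prints every claim, and an access token is a bearer credential until it expires.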
Next Steps
RBAC Configuration
Configure OpenFGA roles and permissions to complete the authorization setup.
Authentication Deep Dive
Learn about OIDC flows, token management, and machine-to-machine authentication.
SCIM Provisioning
Automate user provisioning with SCIM 2.0 for SOC 2 compliance.
Multi-Tenancy
Understand how SSO integrates with the multi-tenant architecture.

