Skip to main content

๐Ÿ” Logging into Keycloak via SSO: Best practices for admins

๐Ÿ” Logging into Keycloak via SSO: Best practices for admins
OGordon100
Ataccamer
Forum|alt.badge.img

Hi everyone ๐Ÿ‘‹


By default, Keycloak admin access is limited to a single account with fixed credentials provided by Ataccama. But just as we recommend using SSO for logging into the Ataccama platform, itโ€™s also best practice for Keycloak administrators to log in the same wayโ€”for better security, auditability, and ease of access.
 

Hereโ€™s a quick guide to help you set up and enable SSO login for Keycloak admins ๐Ÿ‘‡
 

1๏ธโƒฃ Set up admin access in Keycloak

First, log in to your Keycloak instance using the default admin credentials at:

<your_env>/auth

Once logged in:

  • Switch to the ataccamaone realm
    AD_4nXdGEktLVQRmJnmRwOyn7QEWpomY9h8PswSmPqmH9hB3HN7iPTb727Lx7u46OIAAwj1Hi_7YyVygVrh6NID4MSq7yc7pa7a7Ll_l-cQHCRp2f2jxRw-TfEPJ3Jfu2LndY3b6Wt2jxg?key=-mqPfxmG117Z7ibtZnLYlSmw
  • Go to the Realm Roles tab
  • Decide whether to use an existing role (e.g., admin) or create a new one (e.g., Keycloak_Admin) based on your security requirements

2๏ธโƒฃ Assign the right permissions

Open the role you've selected or created:

  • Navigate to the Associated Roles tab and click Assign Role
    AD_4nXcm5xI21vZ7QJVd_w_MwEPnmq1DLaOh5Nby7HWlgElMkpXYwahvD1uEzAnWiKqsn89vpcUamZ_w0WA7Tcgw1VfsgdripvK8o1CmR2OeZ60aMFyomLuyTfv1ch2EAJ9TT4fog9GBIg?key=-mqPfxmG117Z7ibtZnLYlSmw
  • Under Filter by, select Clients
    AD_4nXcfuatXbRGEmZkMIvw9eNshcqTppZ74BvitqTJYv9pYvJ7C3XVS-j0Cp-2HyKh2P8rUZeMu9HURWfsYsgec05cRgXjM9HuyxwSTv-RY9PoZ2aLJ7i2pqARSGHadXPg4gqfvwjTsTA?key=-mqPfxmG117Z7ibtZnLYlSmw

Now assign the appropriate permissions. At a minimum, these should include:

  • manage-account
  • view-applications
  • view-profile
  • view-realm

For full admin control, we recommend including all relevant permissions for identity providers, clients, users, groups, and events. We often see first-time clients selecting all Keycloak related roles for their admins. This aligns with the personas of administrators, and makes setup/ownership easier, and is therefore a reasonable approach.


โš ๏ธ Note: The impersonation role allows an admin to act as another user. While this is logged in the Keycloak Events log, itโ€™s good to review whether this permission is necessary in your environment.
AD_4nXdAH0VUAnT8VMJ6HcxBkgDOUCn2NnfvhSRGdgih4Lw1bZckROPgVZ_4MxZsq8Jz-2gB765t7hGMBVmu8Tz54fcW5uUrDjIvnJoKnb_GfzOKT_3REh1vzm5Ew9M6wWoeD7_kwMTJRQ?key=-mqPfxmG117Z7ibtZnLYlSmw


3๏ธโƒฃ Map the role to active directory

Use your existing identity provider setup to map the selected role to your AD group. Follow your standard process or check our documentation for guidance.


4๏ธโƒฃ Logging in via SSO

To access the Keycloak admin console using SSO, donโ€™t use <env>/auth. Instead, go to:

๐Ÿ‘‰ <env>/auth/admin/ataccamaone/console/#/

This will redirect users to the standard Ataccama login page, where they can log in using SSO credentials.


Have questions or need help with configuration? Let us know in the comments below! ๐Ÿ‘‡

Reply


Community Terms of Use & ConditionsCookie settings

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings