Administrators configure Single Sign-On (SSO) using Keycloak for seamless user authentication across the organization.
Single Sign-On Configuration:
Provider: Keycloak
Realm: elementrix
Client ID: elementrix-platform
Authentication Flow:
☑ OAuth 2.0
☑ OpenID Connect (OIDC)
☑ PKCE (Proof Key for Code Exchange)
☐ SAML 2.0
Endpoints:
Authorization URL:
https://keycloak.company.com/auth/realms/elementrix/protocol/openid-connect/auth
Token URL:
https://keycloak.company.com/auth/realms/elementrix/protocol/openid-connect/token
UserInfo URL:
https://keycloak.company.com/auth/realms/elementrix/protocol/openid-connect/userinfo
Logout URL:
https://keycloak.company.com/auth/realms/elementrix/protocol/openid-connect/logout
JWKS URL:
https://keycloak.company.com/auth/realms/elementrix/protocol/openid-connect/certs
Client Settings:
Client Secret: [••••••••••] [Regenerate] [Copy]
Access Type: Confidential
Standard Flow Enabled: ☑ Yes
Direct Access Grants: ☑ Yes
Implicit Flow: ☐ No (not recommended)
Redirect URIs:
☑ https://elementrix.company.com/*
☑ https://staging.elementrix.company.com/*
☑ http://localhost:4200/* (development only)
Web Origins:
☑ https://elementrix.company.com
☑ https://staging.elementrix.company.com
☑ http://localhost:4200 (development)
Valid Post Logout Redirect URIs:
☑ https://elementrix.company.com/*
☑ https://staging.elementrix.company.com/*
Session Settings:
Session Timeout: [8] hours
Session Idle Timeout: [30] minutes
Refresh Token Lifetime: [24] hours
Access Token Lifespan: [15] minutes
Remember Me: ☑ Enabled
Remember Me Duration: [30] days
Offline Access: ☑ Enabled (for mobile apps)
[Test SSO] [Save Configuration] [Export Settings]
OAuth 2.0 Scopes:
Configure OAuth Scopes:
Requested Scopes:
☑ openid (required - OpenID Connect)
☑ profile (user profile information)
☑ email (email address)
☑ roles (user roles)
☐ offline_access (refresh tokens for offline access)
☐ phone (phone number)
☐ address (physical address)
Custom Scopes:
☑ elementrix:read (read access to Elementrix resources)
☑ elementrix:write (write access to Elementrix resources)
☑ elementrix:admin (admin access)
Scope Mapping:
User Information:
- openid → sub (user ID)
- profile → name, given_name, family_name
- email → email, email_verified
- roles → realm_roles, client_roles
[Save Scope Configuration]
Token Configuration:
Token Settings:
Access Token:
Lifespan: [15] minutes
Type: JWT (JSON Web Token)
Algorithm: RS256
Include in Token:
☑ User ID (sub)
☑ Email (email)
☑ Name (name)
☑ Roles (roles)
☑ Custom Claims: [department, job_title]
Refresh Token:
Lifespan: [24] hours
Reuse: ☐ Allow (not recommended)
Rotation: ☑ Enable (issue new token on refresh)
ID Token:
Lifespan: [15] minutes
Include Claims:
☑ Standard claims (sub, name, email)
☑ Custom claims (department, job_title)
[Save Token Configuration] [Preview Token]
Configure External Identity Providers:
External Identity Providers:
Purpose: Allow users to authenticate using external identity providers
Configured Providers:
┌────────────────────────────────────────────────┐
│ 1. Corporate Active Directory                  │
│ Status: ✓ Active                               │
│ Type: LDAP                                     │
│ Users: 1,247                                   │
│ Last Sync: 2025-01-25 12:00 UTC                │
│ [Configure] [Test] [Disable]                   │
├────────────────────────────────────────────────┤
│ 2. Google Workspace                            │
│ Status: ✓ Active                               │
│ Type: OpenID Connect                           │
│ Domain: company.com                            │
│ Users: 342                                     │
│ [Configure] [Test] [Disable]                   │
├────────────────────────────────────────────────┤
│ 3. Microsoft Azure AD                          │
│ Status: ⚠️ Inactive                             │
│ Type: SAML 2.0                                 │
│ Last Test: Never                               │
│ [Setup] [Configure] [Enable]                   │
├────────────────────────────────────────────────┤
│ 4. Okta                                        │
│ Status: ⚠️ Inactive                             │
│ Type: OpenID Connect                           │
│ [Setup] [Configure]                            │
└────────────────────────────────────────────────┘
[Add Provider] [Import Configuration] [Export Settings]
Add Identity Provider - Google Workspace:
Add Identity Provider: Google Workspace
Provider Type:
☑ Google
☐ Microsoft Azure AD
☐ Okta
☐ GitHub
☐ Custom OIDC
☐ Custom SAML
Provider Configuration:
Display Name: [Google Workspace]
Alias: [google]
Enabled: ☑ Yes
Client ID: [your-client-id.apps.googleusercontent.com]
Client Secret: [••••••••••]
Hosted Domain: [company.com]
(Only allow users from this domain)
OAuth Configuration:
Authorization URL: (auto-filled)
Token URL: (auto-filled)
Default Scopes: openid profile email
User Information:
Username Template: ${ALIAS}-${CLAIM.email}
Email Claim: email
First Name Claim: given_name
Last Name Claim: family_name
Trust Settings:
☑ Trust Email (from provider)
☑ Store Tokens
☐ Account Linking: Automatically link to existing account
Advanced:
☑ GUI Order: 1
☐ Hide on Login Page
☑ First Login Flow: Review Profile
[Test Configuration] [Save] [Cancel]
Add Identity Provider - Azure AD (SAML):
Add Identity Provider: Microsoft Azure AD
Provider Type: SAML 2.0
Provider Configuration:
Display Name: [Microsoft Azure AD]
Alias: [azure-ad]
Enabled: ☑ Yes
SAML Configuration:
Single Sign-On Service URL:
https://login.microsoftonline.com/[tenant-id]/saml2
Single Logout Service URL:
https://login.microsoftonline.com/[tenant-id]/saml2
Entity ID (Issuer):
https://sts.windows.net/[tenant-id]/
Certificate (X.509):
[Upload Certificate] or [Paste PEM]
☑ Validate Signature
☑ Want AuthN Requests Signed
SAML Attribute Mapping:
Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
First Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Last Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Username Template: ${ATTRIBUTE.email}
[Download SP Metadata] [Test SAML] [Save] [Cancel]
Login Page Branding:
Login Page Customization:
Theme Selection:
☑ Custom Theme (company branding)
☐ Default Keycloak Theme
☐ Base Theme
Theme Settings:
Logo: [Upload] (200x60px)
Background Image: [Upload] (1920x1080px)
Primary Color: [#3B82F6]
Button Color: [#3B82F6]
Link Color: [#2563EB]
Login Options Display:
☑ Show username/password form
☑ Show social login buttons
☑ Show "Remember Me" checkbox
☑ Show "Forgot Password?" link
☑ Show "Register" link
Social Login Buttons Order:
1. ☑ Google Workspace
2. ☑ Microsoft Azure AD
3. ☐ Okta
4. ☐ GitHub
Welcome Text:
[Welcome to Elementrix
Sign in with your company credentials]
Footer Links:
☑ Privacy Policy: [https://company.com/privacy]
☑ Terms of Service: [https://company.com/terms]
☑ Support: [support@company.com]
[Preview Login Page] [Save Theme] [Reset to Default]
Multi-Factor Authentication:
Multi-Factor Authentication (MFA):
MFA Policy:
☑ Required for all users
☐ Required for admins only
☐ Optional (user choice)
☐ Disabled
Supported MFA Methods:
☑ TOTP (Time-based One-Time Password)
Apps: Google Authenticator, Authy, Microsoft Authenticator
☑ SMS (Text Message)
Provider: [Twilio]
[Configure SMS Provider]
☐ Email (One-Time Code)
Send code via email
☐ Hardware Token (YubiKey, etc.)
[Configure FIDO2]
MFA Settings:
OTP Length: [6] digits
Time Period: [30] seconds
Look Ahead Window: [1]
Grace Period:
☑ Allow grace period after login
Duration: [7] days
(User can opt to trust device for 7 days)
Recovery Codes:
☑ Generate recovery codes
Number of Codes: [10]
Single Use: ☑ Yes
[Save MFA Configuration] [Test MFA]
Federation Settings:
User Federation Configuration:
Purpose: Sync users from external systems into Keycloak
Federation Providers:
┌────────────────────────────────────────────────┐
│ LDAP Federation                                │
│ Status: ✓ Active                               │
│ Priority: 0 (highest)                          │
│ Sync: Every 6 hours                            │
│ Users: 1,247                                   │
│ [Configure] [Sync Now]                         │
├────────────────────────────────────────────────┤
│ Custom User Storage                            │
│ Status: ⚠️ Inactive                             │
│ [Setup]                                        │
└────────────────────────────────────────────────┘
Federation Priority:
1. LDAP (priority 0) - Try first
2. Local Keycloak Database (built-in)
[Add Provider] [Reorder Priority]
Session Configuration:
Session Management:
SSO Session Settings:
SSO Session Idle: [30] minutes
SSO Session Max: [10] hours
SSO Session Idle Remember Me: [7] days
SSO Session Max Remember Me: [30] days
Offline Session Settings:
Offline Session Idle: [30] days
Offline Session Max: Enabled
Client Session Settings:
Client Session Idle: [15] minutes
Client Session Max: [8] hours
Login Settings:
Login Timeout: [5] minutes
Login Action Timeout: [5] minutes
Revocation:
☑ Revoke Refresh Token
☑ Admin URL for Client Logout
Active Sessions:
Current Active Sessions: 847
[View All Sessions] [Revoke All Sessions]
[Save Session Configuration]
Session Monitoring:
Active Sessions:
Filter:
- User: [All Users]
- Client: [All Clients]
- IP Address: [Any]
- Started: [Last 24 hours]
Active Sessions (847):
┌────────────────────────────────────────────────┐
│ User: john.doe@company.com                     │
│ Client: elementrix-platform                    │
│ Started: 2025-01-25 08:30 UTC                  │
│ Last Access: 2025-01-25 14:25 UTC              │
│ IP: 192.168.1.100                              │
│ [View Details] [Logout User]                   │
├────────────────────────────────────────────────┤
│ User: jane.smith@company.com                   │
│ Client: elementrix-platform                    │
│ Started: 2025-01-25 09:15 UTC                  │
│ Last Access: 2025-01-25 14:20 UTC              │
│ IP: 192.168.1.101                              │
│ [View Details] [Logout User]                   │
└────────────────────────────────────────────────┘
[Export Session List] [Revoke Selected] [Logout All]
Test Authentication Flow:
Test SSO Configuration:
Step 1: Initiate Login
✓ Redirect to Keycloak login page
✓ Login page loads successfully
✓ Branding displayed correctly
Step 2: Authenticate
Username: [test.user@company.com]
Password: [••••••••]
✓ Credentials accepted
✓ MFA challenge presented
✓ MFA code verified
Step 3: Authorization
✓ User consents to scopes (if required)
✓ Authorization code generated
Step 4: Token Exchange
✓ Access token issued
✓ Refresh token issued
✓ ID token issued
Step 5: User Info
✓ User profile retrieved
✓ Roles mapped correctly
✓ Custom claims present
Step 6: Application Access
✓ Redirected to Elementrix
✓ Session created
✓ User logged in successfully
Result: ✓ All Tests Passed
[View Token Details] [Test Again] [Export Results]
Token Validation:
Validate Token:
Access Token (Decoded):
{
"sub": "550e8400-e29b-41d4-a716-446655440000",
"email": "test.user@company.com",
"email_verified": true,
"name": "Test User",
"given_name": "Test",
"family_name": "User",
"roles": ["REGULAR_DEFAULT_USER", "Finance Data Steward"],
"department": "Finance",
"job_title": "Senior Analyst",
"iss": "https://keycloak.company.com/auth/realms/elementrix",
"aud": "elementrix-platform",
"exp": 1706191845,
"iat": 1706190945,
"azp": "elementrix-platform"
}
Validation:
✓ Signature valid
✓ Issuer matches configuration
✓ Audience matches client ID
✓ Token not expired
✓ All required claims present
[Copy Token] [Refresh Token] [Revoke Token]
Login Redirect Loop:
Issue: Users stuck in redirect loop
Possible Causes:
1. Cookie Issues
- Clear browser cookies
- Check cookie domain settings
- Verify SameSite cookie policy
2. Redirect URI Mismatch
- Verify the redirect URI registered in Keycloak matches the one the application sends
- Check for trailing slashes
- Ensure protocol matches (http vs https)
3. Session Issues
- Clear Keycloak sessions
- Check session timeout settings
[Clear Sessions] [Verify Configuration] [View Logs]
Token Validation Fails:
Issue: Application rejects tokens
Possible Causes:
1. Clock Skew
- Synchronize server clocks
- Check NTP configuration
2. JWKS Issues
- Verify the JWKS URL is reachable from the application
- Check public key configuration
3. Audience Mismatch
- Verify client ID matches audience claim
[Test Token] [Sync Clocks] [View Error Logs]
Configuration:
Monitoring:
Optimization:
Regular Tasks: