Keycloak

Community-contributed integration

This integration is community-maintained and is not part of Ory Polis's officially supported SSO providers. You configure it through the generic OIDC walkthrough (recommended) or the generic SAML SP. Reference: ory/integrates/enterprise-sso/keycloak.

Keycloak is an open-source, CNCF-graduated IAM server that speaks SAML 2.0, OIDC, and OAuth 2.0. It is a common choice for self-hosted IdP deployments.

  1. In Keycloak, go to Admin → Clients → Create client and select OpenID Connect with the Confidential access type.
  2. Set the valid redirect URI to the Polis ACS URL.
  3. Note the client ID and secret.
  4. The issuer URL follows the pattern https://<keycloak-host>/realms/<realm-name>. Polis discovers it automatically through /.well-known/openid-configuration.
  5. In Ory Network, configure the connection through the generic OIDC walkthrough.
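
A pre-flight check for steps 4 and 5, as an added example that is not part of the Ory or Keycloak documentation: it validates a fetched discovery document against the issuer you plan to enter in the connection. The host, realm and sample document are constructed placeholders, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
SECRET_AUTH_METHODS = {"client_secret_basic", "client_secret_post"}


def discovery_url(issuer: str) -> str:
    """URL the relying party fetches, built from the issuer exactly as configured."""
    return issuer + "/.well-known/openid-configuration"


def check_discovery(issuer: str, doc: dict) -> list[str]:
    """Return the problems found; an empty list means the document fits the issuer."""
    problems = []
    parts = urlsplit(issuer)
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme != "https":
        problems.append("issuer must use https")
    if issuer.endswith("/") or len(segments) < 2 or segments[-2] != "realms":
        problems.append("issuer must end in /realms/<realm-name> with no trailing slash")
    # OIDC Discovery requires the returned issuer to equal the configured one exactly.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: discovery says {doc.get('issuer')!r}")
    for key in REQUIRED_ENDPOINTS:
        if urlsplit(str(doc.get(key, ""))).scheme != "https":
            problems.append(f"{key} is missing or not https")
    # A confidential client authenticates with its secret; when the list is
    # omitted, the spec default is client_secret_basic.
    methods = set(doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"]))
    if not methods & SECRET_AUTH_METHODS:
        problems.append("no client-secret auth method advertised")
    return problems


# Constructed sample: host, realm and endpoint values are placeholders.
ISSUER = "https://keycloak.example.com/realms/demo"
SAMPLE_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
}

if __name__ == "__main__":
    for url in (ISSUER, ISSUER + "/"):
        print(discovery_url(url), check_discovery(url, SAMPLE_DOC) or "OK")
```

To use it against a real realm, fetch the JSON from the URL that `discovery_url` returns and pass the parsed object to `check_discovery`.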

Group claims require an explicit Group Membership mapper on the client's dedicated client scope.
