Docs Self-Managed Manage Redpanda Console Configuration Security Authentication Keycloak You are viewing the Self-Managed v24.3 beta documentation. We welcome your feedback at the Redpanda Community Slack #beta-feedback channel. To view the latest available version of the docs, see v24.2. Keycloak SSO Authentication in Redpanda Console This section pertains to Redpanda Console in a self-managed deployment, and this feature requires an Enterprise license. To upgrade, contact Redpanda sales. If Redpanda Console has enterprise features enabled and it cannot find a valid license either in its local configuration or in the connected Redpanda cluster, it shuts down. By integrating Redpanda Console with Keycloak, your users can sign in to Redpanda Console using their Keycloak login credentials. Prerequisites You must: Install Keycloak and create a super admin user account, which has permissions for setting up an OAuth application. For details, see the Keycloak documentation. Create an OpenID Connect (OIDC) client. For details, see the Keycloak documentation. Provide the following inputs when you are asked for them: Client type: OpenID Connect Client ID: Enter a alphanumeric that the Keycloak database can use to identify the client Name: Enter any name for the client Valid Redirect URIs: Enter the domain where Redpanda Console is hosted followed by the /login/callbacks/keycloak path. For example, https://console.<your-company>.com/login/callbacks/keycloak or https://localhost:8080/login/callbacks/keycloak. (Optional) Create at least one realm for managing and authenticating a specific group of users You can use the master realm, or you can create a realm for managing and authenticating a specific group of users. Copy the client ID and client secret. The console configuration file uses these credentials to establish communication with Keycloak. Edit the console configuration file Edit the console configuration file associated with your deployment method and incorporate the details from your client application. For example, Kubernetes deployments use the values.yaml file. Linux deployments use the redpanda-console-config.yaml file, which is in /etc/redpanda. login: enabled: true # jwtSecret is the secret key you must use to sign and encrypt the JSON # web token used to store user sessions. This secret key is # critical for the security of Redpanda Console's authentication and # authorization system. Use a long, complex key with a combination of # numbers, letters, and special characters. The minimum number of # characters is 10, but Redpanda recommends using more than 32 # characters. For additional security, use a different secret key for # each environment. jwtSecret can be securely generated with the following # command: LC_ALL=C tr -dc '[:alnum:]' < /dev/random | head -c32 # # If you update this secret key, any users who are # already logged in to Redpanda Console will be logged out and will have # to log in again. jwtSecret: "" keycloak: enabled: true url: https://keycloak.internal.company.com # Replace with the actual realm name. realm: <realm-name> clientId: "" clientSecret: "" # The directory configuration is only required if you want to # use Keycloak groups in your role bindings. # This is described further in the next section. # directory: # adminUser: "" # adminPassword: "" RBAC Keycloak groups sync To bind roles to Keycloak groups, you must specify admin user credentials, which are used to resolve group memberships when communicating with Keycloak’s API. These credentials must be the same ones that are used to log in to the Keycloak admin panel, and they must be associated with the realm where the group memberships will be resolved. login: keycloak: directory: adminUser: "" adminPassword: "" Define role-bindings When you set up the Keycloak login configuration, you can bind Keycloak users or groups to roles. Following is a sample role binding: roleBindings: - metadata: name: Developers subjects: - kind: group provider: Keycloak name: 55e999ff-7923-4750-b2e1-7387768958a0 # Group ID - kind: user provider: Keycloak name: martin # Keycloak login / username roleName: editor Suggested labs Enable Plain Login Authentication for Redpanda ConsoleSearch all labs Back to top × Simple online edits For simple changes, such as fixing a typo, you can edit the content directly on GitHub. Edit on GitHub Or, open an issue to let us know about something that you want us to change. Open an issue Contribution guide For extensive content updates, or if you prefer to work locally, read our contribution guide . Was this helpful? thumb_up thumb_down group Ask in the community mail Share your feedback group_add Make a contribution Google Okta