# Keycloak SSO Authentication in Redpanda Console

> For the complete documentation index, see [llms.txt](https://docs.redpanda.com/llms.txt). Component-specific: [streaming-full.txt](https://docs.redpanda.com/streaming-full.txt)

---
title: Keycloak SSO Authentication in Redpanda Console
latest-operator-version: v26.1.4
# EOL = End-of-Life (support lifecycle status)
page-is-nearing-eol: "false"
page-is-past-eol: "true"
page-eol-date: July 31, 2025
latest-console-tag: v3.7.3
latest-connect-version: 4.93.0
docname: config/security/keycloak
page-component-name: streaming
page-version: "24.2"
page-component-version: "24.2"
page-component-title: Streaming
page-relative-src-path: config/security/keycloak.adoc
page-edit-url: https://github.com/redpanda-data/docs/edit/v/24.2/modules/console/pages/config/security/keycloak.adoc
description: Integrate Redpanda Console with Keycloak to allow your users to use their Keycloak identities to sign-in to Console.
page-git-created-date: "2024-09-11"
page-git-modified-date: "2024-09-11"
support-status: past end-of-life
---

<!-- Source: https://docs.redpanda.com/streaming/24.2/console/config/security/keycloak.md -->

> 📝 **NOTE**
>
> This section pertains to Redpanda Console in a self-managed deployment, and this feature requires an [Enterprise license](https://docs.redpanda.com/streaming/24.2/get-started/licenses/). To upgrade, contact [Redpanda sales](https://redpanda.com/try-redpanda?section=enterprise-trial).

By integrating Redpanda Console with Keycloak, your users can sign in to Redpanda Console using their Keycloak login credentials.

## [](#prerequisites)Prerequisites

You must:

-   Install Keycloak and create a super admin user account, which has permissions for setting up an OAuth application. For details, see the [Keycloak documentation](https://www.keycloak.org/guides).

-   Create an OpenID Connect (OIDC) client. For details, see the [Keycloak documentation](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-creating-oidc-client_server_administration_guide).

    Provide the following inputs when you are asked for them:

    -   **Client type**: OpenID Connect

    -   **Client ID**: Enter a alphanumeric that the Keycloak database can use to identify the client

    -   **Name**: Enter any name for the client

    -   **Valid Redirect URIs**: Enter the domain where Redpanda Console is hosted followed by the `/login/callbacks/keycloak` path. For example, `https://console.<your-company>.com/login/callbacks/keycloak` or `https://localhost:8080/login/callbacks/keycloak`.

    -   (Optional) Create at least one realm for managing and authenticating a specific group of users

        > 📝 **NOTE**
        >
        > You can use the master realm, or you can create a realm for managing and authenticating a specific group of users.

        > ❗ **IMPORTANT**
        >
        > Copy the client ID and client secret. The [console configuration file](#edit-the-console-configuration-file) uses these credentials to establish communication with Keycloak.



## [](#edit-the-console-configuration-file)Edit the console configuration file

Edit the console configuration file associated with your deployment method and incorporate the details from your client application. For example, Kubernetes deployments use the `values.yaml` file. Linux deployments use the `redpanda-console-config.yaml` file, which is in `/etc/redpanda`.

```yaml
login:
  enabled: true

  # jwtSecret is the secret key you must use to sign and encrypt the JSON
  # web token used to store user sessions. This secret key is
  # critical for the security of Redpanda Console's authentication and
  # authorization system. Use a long, complex key with a combination of
  # numbers, letters, and special characters. The minimum number of
  # characters is 10, but Redpanda recommends using more than 32
  # characters. For additional security, use a different secret key for
  # each environment. jwtSecret can be securely generated with the following
  # command: LC_ALL=C tr -dc '[:alnum:]' < /dev/random | head -c32
  #
  # If you update this secret key, any users who are
  # already logged in to Redpanda Console will be logged out and will have
  # to log in again.
  jwtSecret: ""

  keycloak:
    enabled: true
    url: https://keycloak.internal.company.com
    # Replace with the actual realm name.
    realm: <realm-name>

    clientId: ""
    clientSecret: ""

    # The directory configuration is only required if you want to
    # use Keycloak groups in your role bindings.
    # This is described further in the next section.
    # directory:
    #   adminUser: ""
    #   adminPassword: ""
```

## [](#rbac-keycloak-groups-sync)RBAC Keycloak groups sync

To bind roles to Keycloak groups, you must specify admin user credentials, which are used to resolve group memberships when communicating with Keycloak’s API. These credentials must be the same ones that are used to log in to the Keycloak admin panel, and they must be associated with the realm where the group memberships will be resolved.

```yaml
login:
  keycloak:
    directory:
      adminUser: ""
      adminPassword: ""
```

## [](#define-role-bindings)Define role-bindings

When you set up the Keycloak login configuration, you can bind Keycloak users or groups to roles. Following is a sample role binding:

```yaml
roleBindings:
  - metadata:
      name: Developers
    subjects:
      - kind: group
        provider: Keycloak
        name: 55e999ff-7923-4750-b2e1-7387768958a0 # Group ID
      - kind: user
        provider: Keycloak
        name: martin # Keycloak login / username
    roleName: editor
```

## Suggested labs

-   [Enable Unified Identity with Azure Entra ID for Redpanda and Redpanda Console](https://docs.redpanda.com/labs/docker-compose/oidc/)

[Search all labs](https://docs.redpanda.com/labs)