What should you do to set up SSO with Keycloak:

  1. Open the Configurations tab on your left, go to the SSO settings tab, and move the switch to On.
  2. Open your account in Keycloak and choose an existing realm or add a new one.
  3. Go to Configure —> Clients and create a new one:
    • Go back to the SSO settings tab in Precoro, copy the Entity ID, and paste it into the Client ID field
    • Change Client Protocol to saml
    • Copy ACS from your SSO configuration tab in Precoro and paste it in the Client SAML Endpoint field
  4. Change settings of a new client:
    • Turn on Sign Assertions
    • Root and Base URL must be https://precoro.com/
    • Go to the SSO settings tab in Precoro, copy ACS, and paste it into the ACS POST Binding URL field
    • To fill in the Logout Service POST Binding URL and Logout Service Redirect Binding URL fields, copy the Single Logout Response Endpoint from your SSO configuration tab in Precoro and paste it into both
  5. Switch to the SAML Keys tab in the client’s profile:
    • Go to the SSO settings tab in Precoro and download the Precoro Certificate
    • Press Import and choose Certificate PEM as Archive Format
    • Import this certificate to your SAML Keys
  6. Go to Manage —> Users and create a new user:
    • Make sure you enter your valid email from Precoro (add it both as the username and as the email)
    • First Name and Last Name should be the same as in Precoro
    • Turn the Email Verified switch on
  7. Switch to the Credentials tab in the user’s profile and set a password.
  8. Open Configure —> Realm Settings —> Login tab:
    • Change Require SSL to none
    • Switch to the General tab and save the Metadata endpoint as an .xml file
    • Find entityID in this file, copy it, and paste it into Step 3 in your SSO configuration tab in Precoro
    • Upload the downloaded .xml file to Precoro
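
Before pasting the entityID and uploading the file in step 8, the saved metadata can be inspected with a short script. This is an added example, not Precoro's or Keycloak's own code: it pulls out the entityID, the sign-on and logout endpoints, and the signing certificate fingerprint, and flags endpoints that are not https URLs. The host, realm name and certificate body in the sample are constructed placeholders, and `summarize_idp_metadata` is a hypothetical helper name.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of a downloaded metadata file; host, realm and cert are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://keycloak.example.com/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://keycloak.example.com/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://keycloak.example.com/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_idp_metadata(xml_text):
    """Return entityID, endpoints, signing-cert fingerprints and warnings."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor under the root: not single-entity IdP metadata")
    endpoints = [(name, el.get("Location", ""))
                 for name in ("SingleSignOnService", "SingleLogoutService")
                 for el in idp.findall("md:" + name, NS)]
    certs = [el.text or "" for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for el in kd.findall(".//ds:X509Certificate", NS)]
    # SHA-256 over the decoded certificate bytes, for comparison with the IdP's own key.
    prints = [hashlib.sha256(base64.b64decode("".join(c.split()))).hexdigest()
              for c in certs]
    warnings = ["%s is not an https:// URL: %s" % e
                for e in endpoints if not e[1].lower().startswith("https://")]
    if not prints:
        warnings.append("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "endpoints": endpoints,
            "signing_cert_sha256": prints, "warnings": warnings}


if __name__ == "__main__":
    for key, value in summarize_idp_metadata(SAMPLE_METADATA).items():
        print(key, "=", value)
```

To check a real file, pass its contents to `summarize_idp_metadata` instead of the sample string.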

What can you do in Precoro with Keycloak now:

  • Easy log in and log out

How can you invite new users to Precoro if SSO is enabled:

  • You can still invite users to your Precoro company from the User Management tab. But first, the user must be added to your user list in Keycloak.
  • A new user will be redirected to the Company Login page from the invitation email.

Please note:

  • If you give a user access to Precoro through Keycloak, the user won’t be added to Precoro

  • If you change the user’s email in Keycloak, it won’t be changed in Precoro

  • If you end the session in Keycloak, you’ll still be logged in to Precoro

  • If you delete or disable a user in Keycloak, the user won’t be deleted or disabled in Precoro (but won’t be able to log in)