How to set up SSO with Keycloak:


  1. Open the Configurations tab on the left side of the screen, go to the SSO settings tab, and move the switch to On.
  2. Open your account in Keycloak, choose an existing realm, or add a new one. 
  3. Go to Configure —> Clients and create a new one:
    • Go back to the SSO settings tab in Precoro, copy Entity ID and paste it into the Client ID field
    • Change Client Protocol to saml
    • Copy ACS from your SSO configuration tab in Precoro and paste it in the Client SAML Endpoint field
  4. Change the settings of a new client:
    • Turn on Sign Assertions
    • Root and Base URL must be https://precoro.com/
    • Valid Redirect URIs must be https://precoro.com/*
    • Go to the SSO settings tab in Precoro, copy ACS and paste it into the ACS POST Binding URL field
    • Copy Single Logout Response Endpoint from your SSO configuration tab in Precoro and paste it into both the Logout Service POST Binding URL and Logout Service Redirect Binding URL fields
    • Ensure that Force Artifact Binding is turned off
  5. Switch to the SAML Keys tab in the client’s profile:
    • Go to the SSO settings tab in Precoro and download the Precoro Certificate
    • Press Import and choose Certificate PEM as Archive Format
    • Import this certificate to your SAML Keys
  6. Go to Manage —> Users and create a new user:
    • Make sure you enter your valid Precoro account email (add it both as username and as email)
    • First Name and Last Name should be the same as in Precoro
    • Turn the Email Verified switch on
  7. Switch to the Credentials tab in the user’s profile and set a password.
  8. Open Configure —> Realm Settings —> Login tab:
    • Change Require SSL to none
    • Switch to the General tab and save the Metadata endpoint as an .xml file
    • Find entityID in this file, copy it, and paste it into Step 3 in your SSO configuration tab in Precoro
    • Upload the downloaded .xml file to Precoro
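
A check you can run on the metadata file from step 8 before uploading it, as an added example (not Precoro or Keycloak code): it reads the entityID to paste into Precoro, lists the sign-on and logout endpoints, and flags endpoints not served over HTTPS or a missing signing certificate. The sample metadata, host name and realm name are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP descriptor: host, realm and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.example.com/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-NOT-A-REAL-CERTIFICATE</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.com/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://keycloak.example.com/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def inspect_idp_metadata(xml_text):
    """Return entityID, endpoints, signing certs and warnings for IdP metadata."""
    root = ET.fromstring(xml_text)
    # Some exports wrap the descriptor in EntitiesDescriptor; iter() covers both.
    entity = next(root.iter("{%s}EntityDescriptor" % NS["md"]), None)
    idp = entity.find("md:IDPSSODescriptor", NS) if entity is not None else None
    if idp is None:
        raise ValueError("not SAML IdP metadata: IDPSSODescriptor missing")
    endpoints = [(el.tag.split("}")[1], el.get("Binding", "").rsplit(":", 1)[-1],
                  el.get("Location", ""))
                 for el in idp
                 if el.tag.endswith(("SingleSignOnService", "SingleLogoutService"))]
    # A KeyDescriptor without a "use" attribute serves signing and encryption.
    certs = ["".join(c.text.split())
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.iterfind(".//ds:X509Certificate", NS) if c.text]
    warnings = ["%s (%s) is not HTTPS: %s" % ep for ep in endpoints
                if not ep[2].lower().startswith("https://")]
    if not certs:
        warnings.append("no signing certificate found in metadata")
    return {"entity_id": entity.get("entityID"), "endpoints": endpoints,
            "signing_certs": certs, "warnings": warnings}

if __name__ == "__main__":
    report = inspect_idp_metadata(SAMPLE_METADATA)
    print("entityID to paste into Precoro:", report["entity_id"])
    for w in report["warnings"]:
        print("WARNING:", w)
```

To check your own file, pass its contents to `inspect_idp_metadata()` in place of the constructed sample.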

You can now access Precoro with Keycloak:

  • Easily log in and log out


How can you invite new users to Precoro if the SSO is enabled?

  • You can still invite users to your Precoro company account from the User Management tab. But first, this user must be added to your user list in Keycloak.
  • A new user will be redirected to the Company Login page from the invitation email.


Please note:

  • If you give the user access to Precoro through Keycloak, the user won’t be added to Precoro

  • If you change the user’s email in Keycloak, it won’t be changed in Precoro

  • If you end a session in Keycloak, you’ll still be logged in to Precoro

  • If you delete or disable a user in Keycloak, the user won’t be deleted or disabled in Precoro (but won’t be able to log in)