How to set up SSO with Keycloak:

  1. Open the Configurations tab on the left side of the screen, go to the SSO settings tab, and move the switch to On.
  2. Open your account in Keycloak and choose an existing realm or add a new one.
  3. Go to Configure —> Clients and create a new one:
    • Go back to the SSO settings tab in Precoro, copy the Entity ID, and paste it into the Client ID field
    • Change Client Protocol to saml
    • Copy ACS from your SSO configuration tab in Precoro and paste it into the Client SAML Endpoint field
  4. Change the settings of a new client:
    • Turn on Sign Assertions
    • Root and Base URL must be
    • Valid Redirect URIs must be*
    • Go to the SSO settings tab in Precoro, copy ACS, and paste it into the ACS POST Binding URL field
    • To fill in the Logout Service POST Binding URL and Logout Service Redirect Binding URL fields, copy Single Logout Response Endpoint from your SSO configuration tab in Precoro and paste it into both fields
  5. Switch to the SAML Keys tab in the client’s profile:
    • Go to the SSO settings tab in Precoro and download the Precoro Certificate
    • Press Import and choose Certificate PEM as Archive Format
    • Import this certificate to your SAML Keys
  6. Go to Manage —> Users and create a new user:
    • Make sure you enter your valid Precoro account email (add it as both the username and the email)
    • First Name and Last Name should be the same as in Precoro
    • Turn the Email Verified switch on
  7. Switch to the Credentials tab in the user’s profile and set a password.
  8. Open Configure —> Realm Settings —> Login tab:
    • Change Require SSL to none
    • Switch to the General tab and save the Metadata endpoint as an .xml file
    • Find entityID in this file, copy it, and paste it into Step 3 in your SSO configuration tab in Precoro
    • Upload the downloaded .xml file to Precoro
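
Before pasting the entityID and uploading the file in step 8, the downloaded metadata can be checked locally. The Python script below is an added example, not part of the original guide and not Precoro's or Keycloak's own code; it extracts the entityID, lists the sign-on and logout endpoints, fingerprints the signing certificate, and flags endpoints that are not HTTPS (worth seeing when Require SSL is set to none). The host name, realm and certificate bytes in the sample are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def inspect_idp_metadata(xml_text):
    """Return entityID, endpoints, signing-cert fingerprints and findings."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in SAML metadata")
    root = ET.fromstring(xml_text)
    # Some IdPs wrap the descriptor in EntitiesDescriptor; handle both layouts.
    ent = root if root.tag.endswith("}EntityDescriptor") else root.find("md:EntityDescriptor", NS)
    idp = ent.find("md:IDPSSODescriptor", NS) if ent is not None else None
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    result = {"entity_id": ent.get("entityID"), "endpoints": [], "cert_sha256": [], "findings": []}
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        for el in idp.findall(f"md:{tag}", NS):
            loc = el.get("Location", "")
            result["endpoints"].append((tag, el.get("Binding", "").rsplit(":", 1)[-1], loc))
            if not loc.lower().startswith("https://"):
                result["findings"].append(f"{tag} is not HTTPS: {loc}")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for c in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((c.text or "").split()))
                result["cert_sha256"].append(hashlib.sha256(der).hexdigest())
    if not result["cert_sha256"]:
        result["findings"].append("no signing certificate in metadata")
    return result

# Constructed sample: hypothetical host and realm, placeholder certificate bytes.
SAMPLE_DER = b"constructed-sample-cert"
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://keycloak.example.test/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://keycloak.example.test/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.test/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(inspect_idp_metadata(SAMPLE))
```

To check a real file, pass its contents to inspect_idp_metadata and compare the printed SHA-256 fingerprint with the realm's signing certificate as shown in Keycloak.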

You can now access Precoro with Keycloak:

  • Easily log in and log out

How can you invite new users to Precoro if the SSO is enabled?

  • You can still invite users to your Precoro company account from the User Management tab. First, however, the user must be added to your user list in Keycloak.
  • A new user will be redirected to the Company Login page from the invitation email.

Please note:

  • If you give a user access to Precoro through Keycloak, the user won’t be added to Precoro
  • If you change the user’s email in Keycloak, it won’t be changed in Precoro
  • If you end a session in Keycloak, you’ll still be logged in to Precoro
  • If you delete or disable a user in Keycloak, the user won’t be deleted or disabled in Precoro (but won’t be able to log in)