How to Set Up SSO with Keycloak

TABLE OF CONTENTS

What is a Single Sign-On?

 

Single Sign-On allows your System Administrator to manage all logins across all applications from one secure platform. This ensures that applications can only be accessed if configured properly, thus giving you the confidence that your company’s private information is safe.

For organizations with more than a handful of employees, this feature is critical for IT and Security teams to effectively manage user accounts across dozens or hundreds of vendors’ contacts. In the event that an employee leaves the company, it allows the IT team to immediately disable their access to all applications, rather than logging into 100 different user management portals.

How to Set Up SSO with Keycloak


1. Open the Configurations tab on the left side of the screen, go to the SSO Settings tab, and move the switch to On.


2. Open your account in Keycloak, choose an existing realm, or add a new one. 


3. Go to Configure —> Clients and create a new one:

  • Go back to the SSO Settings tab in Precoro, copy Entity ID, and paste it to the Client ID field.
  • Change Client Protocol to SAML.
  • Copy ACS from your SSO configuration tab in Precoro and paste it in the Client SAML Endpoint field.

4. Change the settings of a new client:
  • Turn on Sign Assertions.
  • Root and Base URL must be https://app.precoro.com/.
  • Valid Redirect URLs must be https://app.precoro.com/.
  • Go to the SSO Settings tab in Precoro, copy ACS, and paste it to ACS POST Binding URL field.
  • To fill in Logout Service POST and Logout Service Redirect Binding URL fields, copy Single Logout Response Endpoint from your SSO configuration tab in Precoro and paste it. 

5. Switch to the SAML Keys tab in the client’s profile:
  • Go to the SSO Settings tab in Precoro and download the Precoro Certificate.
  • Press Import and choose Certificate PEM as Archive Format.
  • Import this certificate to your SAML Keys.

6. Go to Manage —> Users and create a new user:
  • Make sure you enter your valid Precoro account email (add it both as username and as email).
  • First Name and Last Name should be the same as in Precoro.
  • Turn the Email Verified switch On.

7. Switch to the Credentials tab in the user’s profile and set a password.


8. Open Configure —> Realm Settings —> Login tab:
  • Change Require SSL to None.
  • Switch to General tab and save Metadata endpoint as .xml file.
  • Find entityID in this file, copy it, and paste to Step 3 in your SSO configuration tab in Precoro.
  • Upload downloaded .xml file to Precoro.

You can now access Precoro with Keycloak:

Log in and log out easily.

How to Invite New Users to Precoro if the SSO is Enabled

 

You can still invite users to your Precoro company account from the User Management tab. But first, this user must be added to your user list in Keycloak.
A new user will be redirected to the Company Login page from the invitation email.

Keycloak FAQs and Highlights

  • If you give a user access to Precoro through Keycloak, they will not be added to Precoro.
  • If you change the user’s email in Keycloak, it will not be changed in Precoro.
  • If you end a session in Keycloak, you will still be logged-in in Precoro.
  • If you delete or disable a user in Keycloak, they will not be deleted or disabled in Precoro (they will not be able to log in, though).