
Keycloak SSO (Identity Provider)

Keycloak provides Single Sign-On, OIDC/SAML federation, MFA, and fine-grained authorization — connect it to your sandbox tools for a unified login experience.

Aithroyz deploys Keycloak and can register OIDC clients for tools in the same plan during provisioning. The admin console is at /admin on the sso subdomain.

Access

Admin console: https://sso.<env-name>.ops.aithroyz.com/admin
Credentials: Shown in Environments detail → Credentials panel.

Core concepts

Realm
A namespace that contains users, clients, and roles. Each environment gets its own realm to keep identities isolated.
Client
A registered application that delegates authentication to Keycloak (e.g. Kibana, Grafana, TheHive).
User
An identity managed by Keycloak. Users can log in natively or via a federated identity provider like Google.
Role
A permission label assigned to users or groups. Clients can map roles to internal access levels.

Creating a realm

Keycloak ships with a master realm for admin use. Create a dedicated realm for your sandbox workloads:

1. Log in to the admin console and click the realm dropdown (top-left, shows "master").
2. Select Create Realm.
3. Set the Realm name (e.g. sandbox) and click Create.
4. All clients and users you add will now be scoped to this realm.

Registering a client (app)

Any tool that uses Keycloak for OIDC login must be registered as a client:

1. Navigate to Clients → Create client.
2. Set Client type to OpenID Connect and enter a Client ID (e.g. kibana).
3. Enable Client authentication (confidential client) and set the Valid redirect URIs to your tool's callback URL.
4. Save, then open the Credentials tab to copy the client secret.
ℹ Aithroyz auto-registers OIDC clients for supported tools (Elastic, Grafana, Caldera, etc.) during provisioning when Keycloak is included in the plan. You only need to do this manually for custom apps.

Adding users

To add users manually (useful for service accounts and team members without Google):

1. Go to Users → Add user in your realm.
2. Set Username and Email, then click Create.
3. Open the Credentials tab → Set password. Disable Temporary if you don't want a forced reset.
4. Assign roles under the Role mapping tab.

Google identity provider

Let users log in via their Google account instead of a Keycloak-native password:

1. In your realm, go to Identity Providers → Add provider → Google.
2. Paste your Google OAuth Client ID and Client Secret (from Google Cloud Console).
3. Set the Redirect URI shown in Keycloak as an Authorized redirect URI in your Google OAuth app.
4. Save. Users will now see a "Login with Google" button on the Keycloak login page.
⚠ Google does not accept wildcard hostnames for the Keycloak redirect URI. Register an explicit URI for each subdomain in your Google OAuth app (e.g. https://sso.myenv.ops.aithroyz.com/realms/sandbox/broker/google/endpoint).

Tips

Enable MFA
Go to Authentication → Required Actions → enable Configure OTP. Assign it to individual users or set it as a default action for the realm.
Bulk role assignment with Groups
Create a Group, assign realm roles to it, then add users to the group. All group members inherit the roles automatically.
Admin REST API for user provisioning
Use the Keycloak Admin REST API to programmatically create users. Authenticate as admin to get a bearer token, then POST to /admin/realms/{realm}/users.
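A worked example of that provisioning flow, added here and not part of Aithroyz's documentation or tooling: it obtains an admin bearer token from the master realm's token endpoint and POSTs a user with an initial password to the realm. The hostname, realm name, admin account and user values are constructed assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed values (assumptions): hostname, realm name and admin account.
BASE_URL = "https://sso.myenv.ops.aithroyz.com"
REALM = "sandbox"
ADMIN_USER = "admin"
ADMIN_PASSWORD = "<admin password from the Credentials panel>"


def token_request(base_url, username, password):
    # Password grant against the master realm; admin-cli is Keycloak's built-in public client.
    url = f"{base_url}/realms/master/protocol/openid-connect/token"
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    return urllib.request.Request(url, data=form, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})

def user_payload(username, email, password, temporary=False):
    # UserRepresentation with an initial password; temporary=True forces a reset at first login.
    return {"username": username, "email": email, "enabled": True,
            "credentials": [{"type": "password", "value": password, "temporary": temporary}]}

def create_user_request(base_url, realm, token, payload):
    url = f"{base_url}/admin/realms/{realm}/users"
    return urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST",
                                  headers={"Authorization": f"Bearer {token}",
                                           "Content-Type": "application/json"})

def user_id_from_location(location):
    # A successful create returns 201 with Location: .../users/<id>; the id is the last path segment.
    return location.rstrip("/").rsplit("/", 1)[-1]

def provision(base_url, realm, admin_user, admin_password, payload):
    with urllib.request.urlopen(token_request(base_url, admin_user, admin_password)) as resp:
        token = json.load(resp)["access_token"]
    try:
        with urllib.request.urlopen(create_user_request(base_url, realm, token, payload)) as resp:
            return user_id_from_location(resp.headers["Location"])
    except urllib.error.HTTPError as err:
        if err.code == 409:  # a user with that username or email already exists in the realm
            return None
        raise


if __name__ == "__main__":
    print(provision(BASE_URL, REALM, ADMIN_USER, ADMIN_PASSWORD,
                    user_payload("svc-thehive", "svc-thehive@example.invalid", "change-me")))
```

The admin token is short-lived by default, so scripts that create many users should refresh it rather than reuse one token for a long batch.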