Keycloak
Configure Keycloak for SSO authentication with Parseable
Configure Keycloak as an identity provider for Parseable using OpenID Connect.
Overview
Integrate Keycloak with Parseable to:
- Single Sign-On - Use existing Keycloak identities
- Role-Based Access - Map Keycloak roles to Parseable permissions
- Centralized Auth - Manage users in one place
- Multi-Factor Auth - Leverage Keycloak's MFA capabilities
Prerequisites
- Keycloak server running
- Admin access to Keycloak
- Parseable instance with OIDC support
Keycloak Configuration
Create Realm (Optional)
- Log in to Keycloak Admin Console
- Click Create Realm
- Name it (e.g., parseable)
- Click Create
Create Client
- Go to Clients → Create client
- Configure:
  - Client ID: parseable
  - Client Protocol: openid-connect
- Click Next
- Configure capability:
  - Client authentication: On
  - Authorization: Off
- Click Next
- Configure URLs:
  - Root URL: https://your-parseable.com
  - Valid redirect URIs: https://your-parseable.com/callback
  - Web origins: https://your-parseable.com
- Click Save
Get Client Secret
- Go to Clients → parseable → Credentials
- Copy the Client secret
Configure Mappers (Optional)
Map Keycloak roles to Parseable:
- Go to Clients → parseable → Client scopes
- Click parseable-dedicated
- Add mapper:
  - Name: roles
  - Mapper type: User Realm Role
  - Token Claim Name: roles
  - Add to ID token: On
Parseable Configuration
Environment Variables
P_OIDC_CLIENT_ID=parseable
P_OIDC_CLIENT_SECRET=your-client-secret
P_OIDC_ISSUER=https://keycloak.example.com/realms/parseable
P_OIDC_REDIRECT_URI=https://your-parseable.com/callback
Docker Compose
version: '3.8'
services:
  parseable:
    image: parseable/parseable:latest
    environment:
      - P_OIDC_CLIENT_ID=parseable
      - P_OIDC_CLIENT_SECRET=${KEYCLOAK_CLIENT_SECRET}
      - P_OIDC_ISSUER=https://keycloak.example.com/realms/parseable
      - P_OIDC_REDIRECT_URI=https://your-parseable.com/callback
OIDC Endpoints
Keycloak OIDC endpoints follow this pattern:
| Endpoint | URL |
|---|---|
| Issuer | https://keycloak/realms/{realm} |
| Authorization | https://keycloak/realms/{realm}/protocol/openid-connect/auth |
| Token | https://keycloak/realms/{realm}/protocol/openid-connect/token |
| UserInfo | https://keycloak/realms/{realm}/protocol/openid-connect/userinfo |
| JWKS | https://keycloak/realms/{realm}/protocol/openid-connect/certs |
Role Mapping
Map Keycloak roles to Parseable roles:
| Keycloak Role | Parseable Permission |
|---|---|
| admin | Full access |
| editor | Read/write streams |
| viewer | Read-only access |
Best Practices
- Use Dedicated Realm - Isolate Parseable users
- Enable MFA - Add security with multi-factor auth
- Configure Session Timeout - Set appropriate session lengths
- Use Groups - Organize users with Keycloak groups
Troubleshooting
Login Fails
- Verify client ID and secret
- Check redirect URI matches exactly
- Verify issuer URL is correct
- Check Keycloak logs
Role Mapping Issues
- Verify mapper configuration
- Check token contains roles claim
- Verify role names match
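The checks in the two troubleshooting lists above can be run against a captured ID token, as in this added example (not Parseable or Keycloak code). It decodes the payload without verifying the signature, so it is for diagnostics only; the function names are hypothetical, the sample token is constructed, and exact case-sensitive role matching is an assumption.

```python
import base64
import json

KNOWN_ROLES = {"admin", "editor", "viewer"}  # names from the Role Mapping table


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token):
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def diagnose(id_token, issuer, client_id):
    """Compare token claims with the Parseable OIDC settings; return findings."""
    claims = decode_claims(id_token)
    findings = []
    if claims.get("iss") != issuer:  # must equal P_OIDC_ISSUER exactly
        findings.append(f"iss {claims.get('iss')!r} != P_OIDC_ISSUER {issuer!r}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        findings.append(f"aud {aud!r} does not include client ID {client_id!r}")
    roles = claims.get("roles")
    if isinstance(roles, str):
        roles = [roles]  # a single-valued mapper emits a plain string
    if roles is None:
        findings.append("no 'roles' claim: check the mapper and 'Add to ID token'")
    elif not KNOWN_ROLES.intersection(roles):  # assumption: case-sensitive match
        findings.append(f"roles {roles!r} contain none of {sorted(KNOWN_ROLES)}")
    return findings


def make_sample_token(claims):
    # Constructed, unsigned sample token so the example runs offline.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    issuer = "https://keycloak.example.com/realms/parseable"
    sample = {"iss": issuer + "/", "aud": "parseable", "roles": ["Viewer"]}
    for finding in diagnose(make_sample_token(sample), issuer, "parseable"):
        print("FINDING:", finding)
```

Treat a captured ID token as a credential while it is valid: decode it locally rather than pasting it into an online decoder.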
Next Steps
- Configure OAuth for other providers
- Set up RBAC in Parseable
- Review security best practices