# Keycloak

Use these instructions to set up Keycloak as your SSO provider for Tonic Structural.

## Keycloak configuration

### Create the client

Within Keycloak, select the realm to use for your Structural client. Under **Clients**, click **Create client**.

<figure><img src="/files/2QEtyz0WD2yAYvaqviHa" alt=""><figcaption><p>Create client option for Keycloak</p></figcaption></figure>

On the **Create client** page, under **General Settings**:

1. From the **Client type** dropdown list, select **OpenID Connect**.
2. Enter a **Client ID** and **Name**.
3. Click **Next**.

<figure><img src="/files/EjhH8lWkmC3vRxZ0MVEi" alt=""><figcaption><p>Create client fields for a Keycloak client</p></figcaption></figure>

4. On the **Capability Config** tab, click **Save**. The details page for the new client displays.

### Configure Structural URLs

On the **Settings** tab, under **Access settings**, enter your Structural URL information.

<figure><img src="/files/PFgz0ByJGwqtlFLrCQPG" alt=""><figcaption><p>Access settings for a Keycloak client</p></figcaption></figure>

### Configure the dedicated scope

Click **Client scopes**. Each client has a dedicated scope named `<client-id>-dedicated`. To configure the scope, click the scope name.

<figure><img src="/files/qRtla2jOuoi0PneWEXWW" alt=""><figcaption><p>Client scopes tab for a Keycloak client</p></figcaption></figure>

### Add a group membership property mapper

On the **Mappers** tab, to add a property mapper to the scope, click **Configure a new mapper**.

<figure><img src="/files/vQSgwX9ApofEc1Ol7NW4" alt=""><figcaption><p>Options to add a property mapper to a Keycloak client scope</p></figcaption></figure>

In the list of mapper types, click **Group Membership**.

<figure><img src="/files/lxdbMT5WnHtvhmHRQeZp" alt=""><figcaption><p>Available mapper types for a Keycloak client scope property mapper</p></figcaption></figure>

Under **Add mapper**, set both **Name** and **Token Claim Name** to `groups`.

<figure><img src="/files/C68ABxGwFm0DwFaSIdic" alt=""><figcaption><p>Configuration options for a Keycloak property mapper</p></figcaption></figure>

The **Full group path** toggle affects how child groups appear in Tonic:

* When on, child groups display as `parent group/child group`.
* When off, child groups display as `child group`.

To save the new group membership mapper, click **Save**.

## Structural configuration

In the Structural web server container, set the following [Structural environment settings](/app/admin/environment-variables-setting.md):

* `TONIC_SSO_PROVIDER`: `Keycloak`
* `TONIC_SSO_DOMAIN`: `https://my-keycloak-instance`
* `TONIC_SSO_CLIENT_ID`: \<Keycloak client ID>
* `TONIC_SSO_REALM_ID`: \<Keycloak realm ID>
* `TONIC_SSO_GROUP_FILTER_REGEX`: Identifies the allowed SSO groups for Structural. For details, go to [Synchronizing SSO groups with Structural](/app/admin/tonic-user-access/single-sign-on/sso-limit-groups.md).
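
The **Full group path** toggle changes the strings that a `TONIC_SSO_GROUP_FILTER_REGEX` pattern is matched against, so a pattern that is not anchored can admit more groups than intended. The following check is an added example, not Tonic or Keycloak code: the helper names (`jwt_claims`, `allowed_groups`, `sample_token`) and the group names are constructed for illustration, and Python's unanchored `re.search` is an assumption standing in for how Structural evaluates the pattern.

```python
import base64
import json
import re


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def allowed_groups(claims: dict, pattern: str) -> list:
    """Return the entries of the `groups` claim that the candidate regex accepts."""
    groups = claims.get("groups")
    if not isinstance(groups, list):
        raise KeyError("no `groups` list claim; check the mapper's Token Claim Name")
    rx = re.compile(pattern)
    # Assumption: unanchored search stands in for the product's matching rules.
    return [g for g in groups if isinstance(g, str) and rx.search(g)]


def sample_token(groups: list) -> str:
    """Build an unsigned, constructed token holding only the claim this check reads."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc({"groups": groups}) + "."


# Constructed group names; Keycloak emits a leading "/" when Full group path is on.
FULL_PATH_ON = sample_token(["/engineering/tonic-admins", "/contractors/not-tonic-admins"])
FULL_PATH_OFF = sample_token(["tonic-admins", "not-tonic-admins"])

if __name__ == "__main__":
    for label, token in (("full path on", FULL_PATH_ON), ("full path off", FULL_PATH_OFF)):
        claims = jwt_claims(token)
        for pattern in ("tonic-admins", r"^/engineering/tonic-admins$", r"^tonic-admins$"):
            print(f"{label:14} {pattern!r:32} -> {allowed_groups(claims, pattern)}")
```

To run the same check against a real token from your realm, pass it to `jwt_claims` in place of the constructed samples and confirm that the `groups` claim is present in the form your pattern expects.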

