# Keycloak

Use these instructions to set up Keycloak as your SSO provider for Tonic Structural.

## Keycloak configuration

### Create the client

Within Keycloak, select the realm to use for your Structural client. Under **Clients**, click **Create client**.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FBwzkAgd9ZfGUL9BpzcqT%2FKeycloakCreateClientOption.png?alt=media&#x26;token=4c2d47f4-da8c-4209-ac6e-9f6d92973a84" alt=""><figcaption><p>Create client option for Keycloak</p></figcaption></figure>

On the **Create client** page, under **General Settings**:

1. From the **Client type** dropdown list, select **OpenID Connect**.
2. Enter a **Client ID** and **Name**.
3. Click **Next**.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2Fy7uyFsBrfRTHWAEzWfNO%2FKeycloakCreateClientPanel.png?alt=media&#x26;token=8d5bb7d9-e289-4319-9ee7-3419133e52a9" alt=""><figcaption><p>Create client fields for a Keycloak client</p></figcaption></figure>

4. On the **Capability Config** tab, click **Save**. The details page for the new client displays.

### Configure Structural URLs

On the **Settings** tab, under **Access settings**, enter your Structural URL information.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FKre1IZ3bgeFEOGLoxL1p%2FKeycloakAccessSettings.png?alt=media&#x26;token=879b19be-95dd-4e40-8ea7-be1abe27c79b" alt=""><figcaption><p>Access settings for a Keycloak client</p></figcaption></figure>

### Configure the dedicated scope

Click **Client scopes**. Each client has a dedicated scope named `<client-id>-dedicated`. To configure the scope, click the scope name.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FFaaeFHxgIKKhIwSzYudm%2FKeycloakScopeList.png?alt=media&#x26;token=32035d28-d94a-485f-885b-7cc07d5908b4" alt=""><figcaption><p>Client scopes tab for a Keycloak client</p></figcaption></figure>

### Add a group membership property mapper

On the **Mappers** tab, to add a property mapper to the scope, click **Configure a new mapper**.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FIUGhunis2dBcoM54yZP7%2FKeycloakCreateMapperOption.png?alt=media&#x26;token=69767b48-95f8-4e35-8bfa-acdb11b4e6a7" alt=""><figcaption><p>Options to add a property mapper to a Keycloak client scope</p></figcaption></figure>

In the list of mapper types, click **Group Membership**.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FROghCiGdyyhap6FdOEzj%2FKeycloakMapperList.png?alt=media&#x26;token=64bff892-f2a1-480b-a0e3-910355ae4afa" alt=""><figcaption><p>Available mapper types for a Keycloak client scope property mapper</p></figcaption></figure>

Under **Add mapper**, set both **Name** and **Token Claim Name** to `groups`.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FXNeWhUwwZ9My0XQDXOFm%2FKeycloakAddMapper.png?alt=media&#x26;token=d5373169-386d-470d-a592-943e14735831" alt=""><figcaption><p>Configuration options for a Keycloak property mapper</p></figcaption></figure>

The **Full group path** toggle affects how child groups appear in Tonic:

* When on, child groups display as `parent group/child group`.
* When off, child groups display as `child group`.

To save the new group membership mapper, click **Save**.

## Structural configuration

In the Structural web server container, set the following [Structural environment settings](https://docs.tonic.ai/app/admin/environment-variables-setting):

* `TONIC_SSO_PROVIDER`: `Keycloak`
* `TONIC_SSO_DOMAIN`: `https://my-keycloak-instance`
* `TONIC_SSO_CLIENT_ID`: \<Keycloak client ID>
* `TONIC_SSO_REALM_ID`: \<Keycloak realm ID>
* `TONIC_SSO_GROUP_FILTER_REGEX`: Identifies the allowed SSO groups for Structural. For details, go to [sso-limit-groups](https://docs.tonic.ai/app/admin/tonic-user-access/single-sign-on/sso-limit-groups "mention").
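The following is an added illustration, not code from Tonic or Keycloak, of what the `groups` claim produced by the Group Membership mapper looks like with **Full group path** on versus off, and of how a group filter regex in the style of `TONIC_SSO_GROUP_FILTER_REGEX` behaves against each form. It assumes the filter is applied as a full regex match against each group string; the page does not state which match mode Structural uses, and the token payloads, group names and regex are constructed samples.

```python
import base64
import json
import re

# Constructed sample payloads of an ID token issued by Keycloak after the Group
# Membership mapper (Token Claim Name "groups") is added to the dedicated scope.
# Group names are invented for the illustration.
FULL_PATH_PAYLOAD = {
    "sub": "example-user",
    "groups": ["engineering/data-platform", "engineering/security", "contractors"],
}
SHORT_PATH_PAYLOAD = {
    "sub": "example-user",
    "groups": ["data-platform", "security", "contractors"],
}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(payload: dict) -> str:
    """Build header.payload.signature with a placeholder signature (constructed sample)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


def groups_from_token(token: str) -> list:
    """Read the `groups` claim from the JWT payload segment.
    The signature is deliberately not checked here: Structural validates the
    token itself; this only shows the claim shape the mapper produces."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return claims.get("groups", [])


def allowed_groups(groups: list, filter_regex: str) -> list:
    """Keep only groups that fully match the filter regex.
    Assumption: full-match semantics; the page does not state Structural's mode."""
    pattern = re.compile(filter_regex)
    return [g for g in groups if pattern.fullmatch(g)]
```

Run against both payloads, the same regex `engineering/.*` admits two groups when Full group path is on and none when it is off, which is why the toggle and the filter must be chosen together.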
