# Keycloak

Use these instructions to set up Keycloak as your SSO provider for Tonic Textual.

## Keycloak configuration

Within Keycloak, select the realm to use for your Textual client. Under **Clients**, click **Create client**.

<figure><img src="/files/2QEtyz0WD2yAYvaqviHa" alt=""><figcaption><p>Create client option for Keycloak</p></figcaption></figure>

On the **Create client** page, under **General Settings**:

1. From the **Client type** dropdown list, select **OpenID Connect**.
2. Enter a **Client ID** and **Name**.
3. Click **Next**.

<figure><img src="/files/EjhH8lWkmC3vRxZ0MVEi" alt=""><figcaption><p>Create client fields for a Keycloak client</p></figcaption></figure>

On the **Capability Config** tab, click **Save**. The details page for the new client displays.

On the **Settings** tab, under **Access settings**, enter your Textual URL information.

<figure><img src="/files/ofbR6l7zDLRbQPY20nwm" alt=""><figcaption><p>Access settings for a Keycloak client</p></figcaption></figure>

Click **Client scopes**. Each client has a dedicated scope named `<client-id>-dedicated`. To configure the scope, click the scope name.

<figure><img src="/files/qRtla2jOuoi0PneWEXWW" alt=""><figcaption><p>Client scopes tab for a Keycloak client</p></figcaption></figure>

On the **Mappers** tab, to add a property mapper to the scope, click **Configure a new mapper**.

<figure><img src="/files/vQSgwX9ApofEc1Ol7NW4" alt=""><figcaption><p>Options to add a property mapper to a Keycloak client scope</p></figcaption></figure>

In the list of mapper types, click **Group Membership**.

<figure><img src="/files/lxdbMT5WnHtvhmHRQeZp" alt=""><figcaption><p>Available mapper types for a Keycloak client scope property mapper</p></figcaption></figure>

Under **Add mapper**, set both **Name** and **Token Claim Name** to `groups`.

<figure><img src="/files/C68ABxGwFm0DwFaSIdic" alt=""><figcaption><p>Configuration options for a Keycloak property mapper</p></figcaption></figure>

The **Full group path** toggle affects how child groups appear in Tonic:

* When on, child groups display as `parent group/child group`.
* When off, child groups display as `child group`.

To save the new group membership mapper, click **Save**.

## Textual configuration <a href="#keycloak-textual-configuration" id="keycloak-textual-configuration"></a>

After you complete the configuration in Keycloak, uncomment and configure the required [environment variables](/textual/textual-install-administer/configuring-textual/textual-env-var-configure.md) in Textual to provide the following values:

* The realm URL
* The client identifier
* The client secret, if client authentication is enabled

For Kubernetes, in **values.yaml**:

```
# Keycloak SSO Config
# -----------------
#keycloakClientId: <client-id>
#keycloakClientSecret: <client-secret>
#keycloakAuthority: <authority-url>
#keycloakGroupFilterRegex: <regular expression to identify allowed groups>
```

For Docker, in **.env**:

```
#SOLAR_SSO_KEYCLOAK_AUTHORITY=#<keycloak_url_with_scheme>/realms/<realm_name>
#SOLAR_SSO_KEYCLOAK_CLIENT_ID=#<client identifier>
#SOLAR_SSO_KEYCLOAK_CLIENT_SECRET=#<client secret>
#SOLAR_SSO_KEYCLOAK_GROUP_FILTER_REGEX=#<regex to identify allowed groups>
```
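
A pre-deployment check for the group filter, as an added example that is not part of the Textual documentation or product code: it reads the `groups` claim from a constructed, unsigned sample token and shows which groups a candidate regex admits with **Full group path** on and off. It assumes the filter is applied as an unanchored regex search, which this page does not specify; the group names and helper functions are hypothetical.

```python
import base64
import json
import re

def make_sample_token(claims):
    """Build an unsigned, constructed JWT-shaped string for offline testing."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."

def token_groups(token):
    """Read the `groups` claim from a JWT payload (inspection only, no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("groups", [])

def matching_groups(groups, pattern):
    """Groups the filter would admit. ASSUMPTION: unanchored search semantics."""
    rx = re.compile(pattern)
    return [g for g in groups if rx.search(g)]

# Constructed sample data: the same user's groups with Full group path on and off.
FULL_PATH_ON = make_sample_token({"groups": [
    "engineering/textual-admins",
    "contractors/ex-textual-admins",
    "engineering/textual-admins-sandbox",
]})
FULL_PATH_OFF = make_sample_token({"groups": [
    "textual-admins", "ex-textual-admins", "textual-admins-sandbox",
]})

LOOSE = r"textual-admins"                        # also admits look-alike groups
STRICT_FULL = r"^/?engineering/textual-admins$"  # `/?` tolerates a leading slash
STRICT_LEAF = r"^textual-admins$"                # for Full group path off

if __name__ == "__main__":
    for label, token, strict in (("full path on", FULL_PATH_ON, STRICT_FULL),
                                 ("full path off", FULL_PATH_OFF, STRICT_LEAF)):
        groups = token_groups(token)
        print(label, "| loose :", matching_groups(groups, LOOSE))
        print(label, "| strict:", matching_groups(groups, strict))
```

An anchored pattern written for one setting of the toggle matches nothing under the other, so re-check the regex whenever the mapper's **Full group path** setting changes.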

## Disabling pushed authorization requests

The environment variable `SOLAR_SSO_KEYCLOAK_DISABLE_PUSHED_AUTHORIZATION` determines whether to disable Keycloak pushed authorization requests.

By default, this is `false`.

You would set this to `true` to troubleshoot Keycloak authentication issues.


