# Keycloak

> Setting up SSO with Keycloak

### Steps to set up Keycloak as an OIDC identity provider

<Steps>
  <Step>
    Navigate to the **Clients** view within your Keycloak Dashboard.
  </Step>

  <Step>
    Click on **Create Client**.
  </Step>

  <Step>
    Select **OpenID Connect** as the **Client Type**, give the client a **Client ID** and a **Name**, and then click on **Next**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/create-openid-connect-client.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=dd289c977464b529cad9e571fcaf6dbb" alt="Create client form for OpenID Connect with general, capability, and login settings" title="Create OpenID Connect client" width="2304" height="1401" data-path="images/studio/sso/create-openid-connect-client.png" />
    </Frame>
  </Step>

  <Step>
    Enable **Client authentication**, click on **Next**, and then click on **Save** on the next page.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/create-client-settings-overview.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=7c4eef3b92e8fe10e9f2cedec5e49df8" alt="Create client page in Cosmo Docs with client authentication on and authorization off" title="Create client settings overview" width="2304" height="1413" data-path="images/studio/sso/create-client-settings-overview.png" />
    </Frame>
  </Step>

  <Step>
    Navigate to the **Credentials** tab and copy the **Client Secret**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/client-authenticator-with-id-and-secret.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=177f0d8c8c77e9684c2dbd18e9f21ea2" alt="Client Authenticator settings showing client ID, secret, and regenerate option" title="Client Authenticator with ID and secret" width="2304" height="1166" data-path="images/studio/sso/client-authenticator-with-id-and-secret.png" />
    </Frame>
  </Step>

  <Step>
    Navigate to **Realm Settings** and copy the link of **OpenID Endpoint Configuration**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/openid-and-saml-metadata-settings.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=5d2d5dfb7e2c037ffc7fa3e6552eaf21" alt="OpenID and SAML metadata settings with user-managed access turned off" title="OpenID and SAML metadata settings" width="1497" height="335" data-path="images/studio/sso/openid-and-saml-metadata-settings.png" />
    </Frame>
  </Step>

  <Step>
    Navigate to the settings page on Cosmo.
  </Step>

  <Step>
    Click on **Connect**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/organization-settings-with-ai-rbac-scim.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=f5286d46d8fab2bfb950c8666955c3cc" alt="Organization settings showing name, slug, and status of AI, RBAC, and SCIM features" title="Organization settings with AI, RBAC, SCIM" width="2796" height="1902" data-path="images/studio/sso/organization-settings-with-ai-rbac-scim.png" />
    </Frame>
  </Step>

  <Step>
    Give the connection a name, paste the **OpenID Endpoint Configuration** link copied before into the **Discovery Endpoint** field, paste the **Client ID** and **Client Secret** copied before into the **Client ID** and **Client Secret** fields respectively, and then click on **Connect**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/oidc-provider-configuration-form.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=f7f576f23d0537ec788782f755d51eea" alt="Connect OpenID Connect Provider form with fields for name, endpoint, and credentials" title="OIDC provider configuration form" width="2786" height="2122" data-path="images/studio/sso/oidc-provider-configuration-form.png" />
    </Frame>
  </Step>

  <Step>
    Configure the mapping between the roles in Cosmo and the user groups in Keycloak. The field **Group in the provider** can be populated with the name of the group or a regex to match the user groups. Once all the mappers are configured, click on **Save**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/group-to-role-mapping-dialog.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=421ed2a777fbb7c8c2db9f207d14fc11" alt="Group mapper configuration dialog linking provider groups to Cosmo roles" title="Group-to-role mapping dialog" width="2774" height="1972" data-path="images/studio/sso/group-to-role-mapping-dialog.png" />
    </Frame>
  </Step>

  <Step>
    Copy the sign-in and sign-out redirect URIs displayed in the dialog.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/oidc-provider-configuration-steps.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=d4fde4c151a80bfff14874c685500bff" alt="Steps to configure OIDC provider with sign-in and sign-out redirect URLs" title="OIDC provider configuration steps" width="2784" height="1848" data-path="images/studio/sso/oidc-provider-configuration-steps.png" />
    </Frame>
  </Step>

  <Step>
    Navigate back to the client created on Keycloak and populate the **Valid redirect URIs** and **Valid post Logout redirect URIs** with the above-copied sign-in and sign-out URLs respectively. Click on **Save**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/lp_f9DXOip40YgZM/images/studio/sso/access-settings-for-redirect-urls.png?fit=max&auto=format&n=lp_f9DXOip40YgZM&q=85&s=2d913ca1daaac0e0627fe418c37a841a" alt="Access settings showing valid redirect and logout URLs fields" title="Access settings for redirect URLs" width="2304" height="1046" data-path="images/studio/sso/access-settings-for-redirect-urls.png" />
    </Frame>
  </Step>

  <Step>
    Navigate to the **Client Scopes** tab, click on the first client scope (usually `${clientID}-dedicated`), and then click on **Configure a new mapper**.

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/client-scope-with-no-mappers-configured.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=2700a7e088f80688f05bca5a651cacb4" alt="Client scope page showing dedicated mappers section with no mappers added" title="Client scope with no mappers configured" width="2304" height="1400" data-path="images/studio/sso/client-scope-with-no-mappers-configured.png" />
    </Frame>
  </Step>

  <Step>
    Select **Group Membership.**

    <Frame>
      <img src="https://mintcdn.com/wundergraphinc-brendan-add-sof-link/4e0tdWXXIKi1QWpK/images/studio/sso/group-membership-mapper-configuration.png?fit=max&auto=format&n=4e0tdWXXIKi1QWpK&q=85&s=b5722f36d08ab1d2db00d84c00a7a8bc" alt="Configure new mapper dialog with Group Membership option for token mapping" title="Group membership mapper configuration" width="1782" height="1600" data-path="images/studio/sso/group-membership-mapper-configuration.png" />
    </Frame>
  </Step>

  <Step>
    Give the mapper a name, populate the **Token Claim Name** with `ssoGroups`, and then click on **Save**.
  </Step>

  <Step>
    Now you can assign users/groups to the application, and those users will be able to log into Cosmo using the URL provided on setting up the provider.
  </Step>
</Steps>
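Two of the steps above are easy to get subtly wrong without noticing until a login fails or a user lands in the wrong role: the discovery link pasted into **Discovery Endpoint**, and the group patterns entered in **Group in the provider**, which have to match whatever the Keycloak **Group Membership** mapper actually emits in the `ssoGroups` claim. The following Python script is an added example, not part of these docs or of Cosmo, for checking both before pointing users at the connection. It assumes a realm named `example` on the hypothetical host `keycloak.example.internal`, constructs a sample discovery document and an unsigned sample ID token inline, and uses hypothetical Cosmo role names (`Admin`, `Developer`, `Viewer`). It also assumes that a pattern is matched against the whole group string (so a plain group name matches itself exactly); this page says "name or regex" but does not state whether Cosmo matches the full string or a substring.

```python
import base64
import json
import re

# Constructed sample of the JSON served at the "OpenID Endpoint Configuration"
# link for a hypothetical realm. Only the fields the check below looks at.
SAMPLE_DISCOVERY = {
    "issuer": "https://keycloak.example.internal/realms/example",
    "authorization_endpoint": "https://keycloak.example.internal/realms/example/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.internal/realms/example/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.example.internal/realms/example/protocol/openid-connect/certs",
    "end_session_endpoint": "https://keycloak.example.internal/realms/example/protocol/openid-connect/logout",
}

REQUIRED_DISCOVERY_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc: dict) -> list[str]:
    """Return a list of problems with a discovery document (empty list == looks sane).

    Checks that the fields a relying party needs are present and that every
    URL, including the issuer, is HTTPS so tokens and secrets never travel in clear.
    """
    problems = []
    for field in REQUIRED_DISCOVERY_FIELDS:
        if field not in doc:
            problems.append(f"missing {field}")
    for field, value in doc.items():
        if field == "issuer" or field.endswith(("_endpoint", "_uri")):
            if not str(value).startswith("https://"):
                problems.append(f"{field} is not https")
    return problems


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(token: str) -> dict:
    """Decode the payload of a compact JWS WITHOUT verifying the signature.

    Inspection only: the relying party verifies signatures against jwks_uri.
    This just shows what the Group Membership mapper put into the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def resolve_roles(claims: dict, mappings: dict[str, str], claim_name: str = "ssoGroups") -> set[str]:
    """Map the groups in `claim_name` to roles using {pattern: role} mappings.

    Assumption (not stated on the page): a pattern must match the whole group
    string, so a literal group name matches exactly and "engineering" alone
    does not match "/engineering/developers".
    """
    groups = claims.get(claim_name, [])
    if isinstance(groups, str):
        groups = [groups]
    roles = set()
    for pattern, role in mappings.items():
        compiled = re.compile(pattern)
        if any(compiled.fullmatch(group) for group in groups):
            roles.add(role)
    return roles


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token so the decoder can be exercised offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "constructed-sample"}
    return f"{enc(header)}.{enc(claims)}.signature-not-checked-here"


# Keycloak's Group Membership mapper emits full group paths (leading slash)
# when "Full group path" is left on, so patterns must account for the path form.
SAMPLE_CLAIMS = {
    "iss": SAMPLE_DISCOVERY["issuer"],
    "aud": "cosmo",
    "sub": "00000000-0000-0000-0000-000000000000",  # placeholder subject
    "email": "dev@example.com",                     # constructed
    "ssoGroups": ["/engineering/graph-admins", "/engineering/developers"],
}

# Hypothetical role names; the values are what you would type into "Group in the provider".
SAMPLE_MAPPINGS = {
    r"/engineering/graph-admins": "Admin",   # literal group path
    r"/engineering/.*": "Developer",          # regex covering a whole subtree
    r"/finance/.*": "Viewer",
}

if __name__ == "__main__":
    print("discovery problems:", check_discovery(SAMPLE_DISCOVERY) or "none")
    claims = id_token_claims(make_sample_token(SAMPLE_CLAIMS))
    print("ssoGroups claim:", claims["ssoGroups"])
    print("resolved roles:", sorted(resolve_roles(claims, SAMPLE_MAPPINGS)))
```

To use it against a real realm, replace `SAMPLE_DISCOVERY` with the JSON fetched from the copied **OpenID Endpoint Configuration** link and paste an ID token obtained through a test login into `id_token_claims`; if `ssoGroups` is missing from the decoded payload, the mapper from the **Client Scopes** step is not attached to the client's dedicated scope, and if the groups come back as bare names rather than paths, adjust the patterns accordingly.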
