Single Sign-On (SSO) With Keycloak
Single Sign-On is available for enterprise plans. Upgrade your plan to use this feature.
If you use the self-hosted version, you must set up the license and then follow the SSO server setup guide to use this feature.
This guide will help you set up Single Sign-On (SSO) for your organization using Keycloak. See the SSO Getting Started guide for more generalized steps on setting up SSO.
Setting up Keycloak
To enable SSO with Keycloak, you first need to create a client in your Keycloak instance. Log in to Keycloak, choose the correct Realm, then navigate to Clients and click Create client.

Enter a Client ID (e.g., tolgee), select OpenID Connect as the Client Type, and click Next.

Now configure the capabilities. You can see how the configuration should look in the image below.
- Client authentication: Enabled
  - We will be using Keycloak for authentication; authorization by third-party providers is not supported.
- Authentication flow: Standard flow
  - Enables the standard OAuth 2.0 authorization code flow.

Set login settings as follows. You can also see the configuration in the image below.
- Root URL: https://app.tolgee.io (for Tolgee Cloud) or your Tolgee instance URL
- Home URL: Same as Root URL
- Valid redirect URIs: /login/auth_callback/sso
  - This is the callback URL where Keycloak will redirect users after successful authentication.

You can also set Valid post logout redirect URIs and Web origins if you want to, though Keycloak logout flow is not supported.
Tolgee handles logout and general account availability automatically by checking token validity every few minutes if a client tries to access Tolgee.

Once saved, navigate to the Credentials tab to get your Client Secret. You can see it in the image below.

Finding the endpoints
You can find all the required endpoints in Keycloak’s OpenID Provider Configuration (Well-Known URL).
https://<your-keycloak-domain>/realms/<your-realm-name>/.well-known/openid-configuration
Look for authorization_endpoint (the URL where users are redirected to authenticate) and token_endpoint (the URL where Tolgee exchanges the authorization code for access tokens).
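The following Python is an added example, not part of the Tolgee or Keycloak documentation. It builds the well-known URL, reads the two endpoints from the discovery document and checks them before they are pasted into Tolgee. The host keycloak.example.com, the realm myrealm, the function names and the checks themselves (issuer match, HTTPS, same host) are assumptions of this example.

```python
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

# Constructed sample of a discovery response (trimmed). Host and realm are placeholders.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.example.com/realms/myrealm",
    "authorization_endpoint":
        "https://keycloak.example.com/realms/myrealm/protocol/openid-connect/auth",
    "token_endpoint":
        "https://keycloak.example.com/realms/myrealm/protocol/openid-connect/token",
    "response_types_supported": ["code", "none", "id_token"],
})

def well_known_url(base_url, realm):
    """Build the OpenID Provider Configuration URL for a realm."""
    return f"{base_url.rstrip('/')}/realms/{realm}/.well-known/openid-configuration"

def fetch_discovery(base_url, realm):
    """Download the discovery document (network call; not used by the offline demo)."""
    with urlopen(well_known_url(base_url, realm), timeout=10) as resp:
        return resp.read().decode("utf-8")

def tolgee_endpoints(discovery_json, base_url, realm):
    """Return the two endpoints Tolgee asks for, after sanity-checking the document."""
    doc = json.loads(discovery_json)
    expected_issuer = f"{base_url.rstrip('/')}/realms/{realm}"
    # The issuer should be the realm URL the document was requested from.
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"unexpected issuer: {doc.get('issuer')!r}")
    # The Standard flow selected in Keycloak is the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("authorization code flow is not advertised")
    endpoints = {}
    for key in ("authorization_endpoint", "token_endpoint"):
        parts = urlsplit(doc.get(key, ""))
        # Assumption of this example: endpoints use HTTPS on the issuer's host.
        if parts.scheme != "https" or parts.netloc != urlsplit(expected_issuer).netloc:
            raise ValueError(f"{key} is not an HTTPS URL on the expected host")
        endpoints[key] = doc[key]
    return endpoints

if __name__ == "__main__":
    for name, url in tolgee_endpoints(
            SAMPLE_DISCOVERY, "https://keycloak.example.com", "myrealm").items():
        print(f"{name}: {url}")
```

To run it against a live instance, pass the output of fetch_discovery() to tolgee_endpoints() with your own Keycloak base URL and realm name.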
Setting up Tolgee
You will need the following values for Tolgee:
- Client ID: The same as the client ID you entered in the first step above
- Client Secret: Found in the Credentials tab
- Authorization endpoint: Found in the response of the well-known request
- Token endpoint: Found in the response of the well-known request
When you have all the necessary information from Keycloak, you need to enable the SSO feature in your organization settings and provide the necessary information to Tolgee. You can find detailed instructions on how to enable SSO in Tolgee in the SSO Getting Started guide.
Logging in with SSO
Once you have set up SSO, you can log in to Tolgee by clicking the Log in with SSO button on the login page and entering the domain name. After that, you will be redirected to the Keycloak login page to authenticate.