Setting Up SSO SAML 2.0 With Keycloak
✅ Info
SAML-based authentication is available exclusively on the Self Hosted Enterprise plan and SigNoz Cloud.
Overview
This tutorial walks you through setting up SSO using Keycloak, a powerful open-source identity and access management solution, with SigNoz Enterprise.
Prerequisites
Before you begin, ensure you have:
- SigNoz Enterprise subscription
- Kubernetes cluster with:
  - Helm (version 3.8+)
  - SigNoz helm chart (version 0.4.3+)
  - Cert-manager installed
  - Nginx ingress controller configured
- A domain name pointed to your Kubernetes cluster for SigNoz (e.g., signoz.domain.com)
- A domain name pointed to your Kubernetes cluster for Keycloak (e.g., signoz-keycloak.domain.com)
- SSL/TLS certificates configured
💡 Need TLS Setup? If you haven't configured TLS yet, follow our TLS Setup Guide first.
Steps to Setup SSO
Install Keycloak
Follow the official Keycloak documentation to install Keycloak.
Configure Keycloak
Follow these steps in the Keycloak Admin Console:
Access Admin Console
- Navigate to your Keycloak URL
- Log in with admin credentials
Create SigNoz Realm
- Click "Create Realm"
- Name it "SigNoz"
Configure SAML Client
- Navigate to Clients → Create Client
- Select SAML as the client protocol
- Set Client ID to your SigNoz domain (e.g., signoz.your-domain.com)
Configure Access Settings
- Home URL: https://signoz.your-domain.com/api/v1/complete/saml
- Valid redirect URIs: https://signoz.your-domain.com/*
Set Up SAML Mappers
- Go to Client Scopes → signoz.your-domain.com-dedicated
- Add these predefined mappers:
  - Role list
  - X500 email
  - X500 given name
Configure SAML Settings
- Set Name ID format to "email"
- Disable Client Signature Required
Configure Users
Create Test User
- Navigate to Users → Add User
- Fill required fields:
  - Username (email format)
  - Email address
  - First and Last name
Set User Password
- Go to Credentials tab
- Set a permanent password
- Disable "Temporary" toggle
Configure SigNoz
Gather SAML Information
- Access Realm Settings → SAML 2.0 Identity Provider Metadata
- Note down:
  - SAML ACS URL (ends with /protocol/saml)
  - Entity ID
  - X.509 certificate
Configure SigNoz
- Go to Settings → Organization Settings → Authenticated Domains
- Add your email domain (e.g., your-domain.com)
- Configure SAML settings with collected information
- Enable "Enforce SSO" toggle
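As an added example (not part of the SigNoz or Keycloak documentation), this Python script reads the three values listed under Gather SAML Information from a realm's IdP metadata XML and computes a SHA-256 fingerprint of the certificate, so the value pasted into SigNoz can be compared with the one Keycloak publishes. The metadata is a constructed sample; the function name, the realm URL layout and the placeholder certificate bytes are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like a Keycloak realm descriptor. The host is the
# tutorial's example name; the certificate body is placeholder bytes, not a cert.
PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://signoz-keycloak.domain.com/realms/SigNoz">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signoz-keycloak.domain.com/realms/SigNoz/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % base64.b64encode(PLACEHOLDER_DER).decode()

def extract_idp_settings(metadata_xml):
    """Return the Entity ID, SAML URL and signing certificate from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not IdP metadata")
    sso = idp.find("md:SingleSignOnService", NS)
    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert_el = key.find(".//ds:X509Certificate", NS) if key is not None else None
    if sso is None or cert_el is None or not cert_el.text:
        raise ValueError("metadata lacks an SSO endpoint or signing certificate")
    url = sso.get("Location", "")
    # The tutorial says the URL ends with /protocol/saml; also insist on TLS.
    if not (url.startswith("https://") and url.endswith("/protocol/saml")):
        raise ValueError(f"unexpected SAML URL: {url!r}")
    cert_b64 = "".join(cert_el.text.split())  # drop line wrapping and indentation
    der = base64.b64decode(cert_b64, validate=True)
    return {"entity_id": root.get("entityID"), "acs_url": url,
            "x509_certificate": cert_b64,
            "cert_sha256": hashlib.sha256(der).hexdigest()}

if __name__ == "__main__":
    for name, value in extract_idp_settings(SAMPLE_METADATA).items():
        print(f"{name}: {value}")
```

To use it on a real realm, save the SAML 2.0 Identity Provider Metadata document to a file and pass its contents to `extract_idp_settings` in place of the sample.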
Verify the setup
- Open an incognito browser window
- Navigate to your SigNoz URL
- Click "Login" → "SSO Login"
- Enter Keycloak credentials when prompted
- Verify successful authentication