Setting Up SSO SAML 2.0 With Keycloak

Info

SAML-based authentication is available exclusively on Self Hosted Enterprise plan and SigNoz Cloud.

Overview

This tutorial walks you through setting up SSO using Keycloak, a powerful open-source identity and access management solution, with SigNoz Enterprise.

Prerequisites

Before you begin, ensure you have:

  • SigNoz Enterprise subscription
  • Kubernetes cluster with:
    • Helm (version 3.8+)
    • SigNoz helm chart (version 0.4.3+)
    • Cert-manager installed
    • Nginx ingress controller configured
  • A domain name pointed to your Kubernetes cluster for SigNoz (e.g., signoz.domain.com)
  • A domain name pointed to your Kubernetes cluster for Keycloak (e.g., signoz-keycloak.domain.com)
  • SSL/TLS certificates configured

💡 Need TLS Setup? If you haven't configured TLS yet, follow our TLS Setup Guide first.

Steps to Setup SSO

Install Keycloak

Follow the official Keycloak documentation to install Keycloak.

Configure Keycloak

Follow these steps in the Keycloak Admin Console:

  1. Access Admin Console

    • Navigate to your Keycloak URL
    • Log in with admin credentials
      Admin login page
  2. Create SigNoz Realm

    • Click "Create Realm"
    • Name it "SigNoz"
      Create SigNoz realm
  3. Configure SAML Client

    • Navigate to Clients → Create Client
    • Select SAML as the client protocol
    • Set Client ID to your SigNoz domain (e.g., signoz.your-domain.com)
      Create client page
  4. Configure Access Settings

    Home URL: https://signoz.your-domain.com/api/v1/complete/saml
    Valid redirect URIs: https://signoz.your-domain.com/*
    
    Client access settings
  5. Set Up SAML Mappers

    • Go to Client Scopes → signoz.your-domain.com-dedicated
    • Add these predefined mappers:
      • Role list
      • X500 email
      • X500 given name
        Predefined mappers
  6. Configure SAML Settings

    • Set Name ID format to "email"
    • Disable Client Signature Required
      SAML capabilities email id

Configure Users

  1. Create Test User

    • Navigate to Users → Add User
    • Fill required fields:
      • Username (email format)
      • Email address
      • First and Last name
        Create new user
  2. Set User Password

    • Go to Credentials tab
    • Set a permanent password
    • Disable "Temporary" toggle
      New user credentials

Configure SigNoz

  1. Gather SAML Information

    • Access Realm Settings → SAML 2.0 Identity Provider Metadata
    • Note down:
      • SAML ACS URL (ends with /protocol/saml)
      • Entity ID
      • X.509 certificate
        SAML 2.0 identity provider metadata
  2. Configure SigNoz

    • Go to Settings → Organization Settings → Authenticated Domains
    • Add your email domain (e.g., your-domain.com)
    • Configure SAML settings with collected information
    • Enable "Enforce SSO" toggle
      SigNoz SAML configuration

Verify the setup

  1. Open an incognito browser window
  2. Navigate to your SigNoz URL
  3. Click "Login" → "SSO Login"
  4. Enter Keycloak credentials when prompted
  5. Verify successful authentication

Was this page helpful?