> ## Documentation Index
> Fetch the complete documentation index at: https://docs.flashduty.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Keycloak

> Configure SAML2.0 or OIDC protocol via Keycloak for single sign-on

Keycloak is an open-source identity and access management solution that provides a comprehensive set of tools and features to help developers quickly implement secure user authentication and authorization mechanisms.

<Note>
  This article does not cover deployment or explanation of Keycloak. For more information, please refer to the [official documentation](https://www.keycloak.org/).
</Note>

## Protocol Configuration

<Tabs>
  <Tab title="SAML2.0 Protocol">
    ### 1. Get ACS URL

    Login to Flashduty console and obtain the ACS URL (needed in subsequent steps).

    Path: **Access Control => Single Sign-On => Settings => SAML2.0 Protocol => Flashduty Service Provider Info => Assertion Consumer Service URL**

    ![Get ACS URL](https://api.apifox.com/api/v1/projects/4169655/resources/437194/image-preview)

    ### 2. Create Client

    Login to Keycloak console, path: **Clients => Create client**

    * **Client Type**: Select SAML protocol
    * **Client ID**: Enter `flashcat.cloud` (fixed value, cannot be changed)

    ![Create Client](https://api.apifox.com/api/v1/projects/4169655/resources/437197/image-preview)

    **Valid redirect URIs**: Enter the ACS URL obtained from Flashduty

    ![Configure redirect](https://api.apifox.com/api/v1/projects/4169655/resources/437029/image-preview)

    ### 3. Configure Client Information

    Change **Name ID format** to email type:

    ![Name ID format](https://api.apifox.com/api/v1/projects/4169655/resources/437031/image-preview)

    Set **Client signature required** to disabled:

    ![Disable signature](https://api.apifox.com/api/v1/projects/4169655/resources/437195/image-preview)

    **Create Client scope**:

    <Warning>
      Before creating, delete the previous OpenID Connect protocol user first, then set it as Default after creation.
    </Warning>

    Create email/phone/username types as shown:

    ![Create scope](https://api.apifox.com/api/v1/projects/4169655/resources/437033/image-preview)

    Completed result:

    ![Scope result](https://api.apifox.com/api/v1/projects/4169655/resources/437034/image-preview)

    **Add users to the Client**:

    ![Add user 1](https://api.apifox.com/api/v1/projects/4169655/resources/437037/image-preview)

    ![Add user 2](https://api.apifox.com/api/v1/projects/4169655/resources/437038/image-preview)

    **Configure email/phone/username mappers** (using email as example, configure others similarly):

    ![Mapper 1](https://api.apifox.com/api/v1/projects/4169655/resources/437057/image-preview)

    ![Mapper 2](https://api.apifox.com/api/v1/projects/4169655/resources/437058/image-preview)

    ![Mapper 3](https://api.apifox.com/api/v1/projects/4169655/resources/437060/image-preview)

    ### 4. Download XML File

    <Note>
      The downloaded file is a compressed package. After extracting locally, there will be two xml files; only the `idp-metadata.xml` file is needed.
    </Note>

    Download locally from **Client => Action**:

    ![Download XML](https://api.apifox.com/api/v1/projects/4169655/resources/437039/image-preview)

    Upload the XML file to Flashduty's single sign-on configuration:

    ![Upload XML](https://api.apifox.com/api/v1/projects/4169655/resources/437040/image-preview)

    ### 5. Create User and Test Login

    Create user (must bind an email address):

    ![Create user](https://api.apifox.com/api/v1/projects/4169655/resources/437041/image-preview)

    **Login test**: Visit `console.flashcat.cloud`, select SSO login, enter the login domain prefix from single sign-on configuration in the domain field.

    ![Test login](https://api.apifox.com/api/v1/projects/4169655/resources/437062/image-preview)
  </Tab>

  <Tab title="OIDC Protocol">
    ### 1. Get Redirect URL

    Login to Flashduty console and obtain the Redirect URL (needed in subsequent steps).

    Path: **Access Control => Single Sign-On => Settings => OIDC Protocol => Flashduty Service Provider Info => Redirect URL**

    ![Get Redirect URL](https://api.apifox.com/api/v1/projects/4169655/resources/437183/image-preview)

    ### 2. Create Client

    Login to Keycloak console, create new Client:

    * **Client Type**: Select OIDC protocol
    * **Client ID**: No special requirements

    ![Create Client](https://api.apifox.com/api/v1/projects/4169655/resources/437179/image-preview)

    **Client authentication**: Keep enabled

    ![Client authentication](https://api.apifox.com/api/v1/projects/4169655/resources/437180/image-preview)

    **Valid redirect URIs**: Enter the Redirect URL obtained in step 1

    ![Configure redirect](https://api.apifox.com/api/v1/projects/4169655/resources/437184/image-preview)

    ### 3. Get Client Information

    * **Client ID**: The ID entered when creating the Client
    * **Client Secret**: View in **Client Details => Credentials** card

    ![Client Secret](https://api.apifox.com/api/v1/projects/4169655/resources/437186/image-preview)

    * **Issuer**: View in **Realm settings => Endpoints => OpenID Endpoint Configuration**

    ![Issuer](https://api.apifox.com/api/v1/projects/4169655/resources/437187/image-preview)

    ### 4. Configure Flashduty Single Sign-On

    Enter the above information into Flashduty single sign-on configuration:

    ![Flashduty configuration](https://api.apifox.com/api/v1/projects/4169655/resources/437188/image-preview)

    <Tip>
      After configuration, refer to step 5 of the SAML2.0 protocol for login testing.
    </Tip>
  </Tab>
</Tabs>
