Version: 25.2

Keycloak

Configure Keycloak as a single sign-on (SSO) provider for Seqera Platform using OpenID Connect.

Prerequisites

Before you begin, you need:

  • A Keycloak instance
  • Admin access to create clients in Keycloak

Ensure you know how to configure Keycloak clients. See the Keycloak documentation for more information.

Create a Keycloak client

  1. In Realm settings, verify the Endpoints field includes OpenID Endpoint Configuration.
  2. Go to Clients and select Create.
  3. Configure the client with protocol openid-connect, access type confidential, and redirect URI https://<HOST>/oauth/callback/oidc (the redirect URI must use HTTPS), replacing <HOST> with the hostname of your enterprise installation.
  4. In the Credentials tab, note the Secret.
  5. In the Keys tab, set Use JWKS URL to OFF.
  6. Note the issuer URL from Realm Settings > Endpoints > OpenID Configuration (the issuer value in the JSON).

Configure Seqera

Add the following environment variables to your Seqera configuration:

Variable            Description
TOWER_OIDC_CLIENT   The client ID from step 3
TOWER_OIDC_SECRET   The secret from step 4
TOWER_OIDC_ISSUER   The issuer URL from step 6, e.g., https://keycloak.example.com/auth/realms/master
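The most common misconfiguration here is a TOWER_OIDC_ISSUER that differs from the realm's published issuer by a trailing slash or scheme, or a redirect URI that is not the exact HTTPS callback path from step 3. The following pre-flight check is an added example, not code from Seqera or Keycloak: it assumes you have saved the realm's OpenID configuration JSON (the document from step 6) and compares it with the values you intend to set. The discovery document embedded below is a constructed sample, and the function names check_issuer and check_redirect_uri are hypothetical.

```python
"""Pre-flight checks for the Keycloak values before setting TOWER_OIDC_* (added example)."""
import json
from urllib.parse import urlparse

# Constructed sample of a realm's OpenID configuration document, i.e. the JSON
# behind Realm Settings > Endpoints > OpenID Endpoint Configuration.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://keycloak.example.com/auth/realms/master",
    "authorization_endpoint": "https://keycloak.example.com/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.com/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.example.com/auth/realms/master/protocol/openid-connect/certs",
})


def check_issuer(discovery_json: str, configured_issuer: str) -> list[str]:
    """Compare the configured TOWER_OIDC_ISSUER with the realm's discovery document.

    Returns a list of problems; an empty list means the values are consistent.
    """
    problems = []
    doc = json.loads(discovery_json)
    issuer = doc.get("issuer")
    if not issuer:
        problems.append("discovery document has no 'issuer' field")
        return problems
    # OpenID Connect Discovery requires the issuer value to equal the URL the
    # document was served from (minus /.well-known/openid-configuration),
    # character for character, so a stray trailing slash breaks validation.
    if issuer != configured_issuer:
        problems.append(f"TOWER_OIDC_ISSUER {configured_issuer!r} != discovery issuer {issuer!r}")
    if urlparse(issuer).scheme != "https":
        problems.append("issuer is not served over HTTPS")
    # Seqera needs these endpoints to run the authorization-code flow and verify tokens.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"discovery document lacks {key}")
    return problems


def check_redirect_uri(redirect_uri: str, host: str) -> list[str]:
    """Verify the client redirect URI is exactly https://<HOST>/oauth/callback/oidc."""
    problems = []
    parsed = urlparse(redirect_uri)
    if parsed.scheme != "https":
        problems.append("redirect URI must use HTTPS")
    if parsed.netloc != host:
        problems.append(f"redirect URI host {parsed.netloc!r} does not match {host!r}")
    if parsed.path != "/oauth/callback/oidc":
        problems.append(f"redirect URI path {parsed.path!r} is not /oauth/callback/oidc")
    return problems


if __name__ == "__main__":
    # Constructed values standing in for a real deployment.
    for problem in check_issuer(SAMPLE_DISCOVERY_JSON, "https://keycloak.example.com/auth/realms/master/"):
        print("issuer:", problem)
    for problem in check_redirect_uri("http://tower.example.com/oauth/callback/oidc", "tower.example.com"):
        print("redirect:", problem)
```

Run it against the JSON you downloaded from the realm and the hostname you used in step 3; an empty problem list for both checks means the three environment variables and the client redirect URI agree with what Keycloak publishes.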

Restrict access

To restrict access to specific email addresses or domains, configure an allow list in tower.yml:

tower:
  auth:
    oidc:
      allow-list:
        - "*@your-company.example.com"
        - "specific-user@another-company.example.net"

See User access allow list for more information.