Keycloak OpenID Setup

This guide walks through a basic setup allowing Keycloak users to authenticate with your Kasm deployment.

Reference Docs:

Creating a Keycloak OAuth App

  1. Login to the Keycloak portal as an Admin.

  2. Under the the desired realm (e.g Master) , select Realm Settings.

  3. Click OpenID Endpoint Configuration next to Endpoints.


Realm Settings

  1. Save off the urls for authorization_endpoint , token_endpoint, and userinfo_endpoint. These will be used in future steps.


Keycloak Endpoints

  1. Back in the console, select Clients under the Realm.

  2. Select Create.

  3. Define a Client ID , e.g kasm-12345. Select openid-connect for Client Protocol and enter the URL for the Kasm deployment under Root URL (e.g


Add Client

  1. In the client settings, change Access Type to confidential, then slick Save.

  2. Select Credentials. Save off the Secret. It will be used in future steps.


Client Secret

  1. In the client settings, select Mappers, then click Create.

  2. Enter groups for Name, and select Group Membership from the Mapper Type. Enter groups for Token Claim Name, then select Save.



Kasm OpenID Config

  1. Log into the Kasm UI as an administrator.

  2. Select Access Management -> Authentication -> OpenID -> Add Config.

  3. Update the form with the following entries, using the Client ID and Client Secret gathered in the previous section.



Display Name

Continue with Keycloak

Logo URL



Auto Login






Client ID

<Client ID from Keycloak>

Client Secret

<Client Secret from Keycloak>

Authorization URL

<authorization_endpoint from the Keycloak configuration>

Token URL

<token_endpoint from the Keycloak configuration>

User Info URL

<userinfo_endpoint from the Keycloak configuration>


openid email profile

Username Attribute


Groups Attribute





Kasm OIDC Configurations

  1. Click Save to save the changes.

Keycloak Login Test

  1. Logout of the Kasm to display the login screen. The OpenID configuration should be shown.


Login Screen

  1. Click Continue with Keycloak

  2. The user is redirected to Keycloak for auth.


Keycloak Auth

  1. Upon completion, the user is logged into the Kasm app.

Group Mapping

The previous configurations will instruct the identity provider to send a list of Security Group ID the user belongs to during the OpenID auth workflow. We can configure Kasm Groups with the Security Group IDs from Azure AD so that users are automatically added/removed based on their Azure AD group Membership.

  1. Log into the Kasm UI as an administrator.

  2. Select Access Management -> Groups -> Add Group.

  3. Name the Group Group Test, and define a priority.

  4. Click Save to create the group.


Group Configuration

  1. On the groups screen, using the arrow menu select Edit on the group that was just created.

  2. Navigate to the SSO Group Mappings tab and select Add SSO Mapping.

  3. Select the OpenID IDP that was created above “OpenID - Continue with Keycloak” for the SSO Provider.

  4. Then enter the Keycloak group name desired in the Group Attributes field, e.g /Kasm-Test. Note the slash. This is needed when Full group path is set in the Keycloak Client Mapper which is the default.

  5. Click Submit


Add SSO Group Mapping

  1. Logout, then login via the Keycloak Open ID login with a user that is a member of the specified group.

  2. View the users group membership to ensure they are added to the newly created group.