Keycloak OpenID Setup

This guide walks through a basic setup allowing Keycloak users to authenticate with your Kasm deployment.

Reference Docs:

Creating a Keycloak OAuth App

  1. Login to the Keycloak portal as an Admin.

  2. Under the the desired realm (e.g Master) , select Realm Settings.

  3. Click OpenID Endpoint Configuration next to Endpoints.


    Realm Settings

  4. Save off the urls for authorization_endpoint , token_endpoint, and userinfo_endpoint. These will be used in future steps.


    Keycloak Endpoints

  5. Back in the console, select Clients under the Realm.

  6. Select Create.

  7. Define a Client ID , e.g kasm-12345. Select openid-connect for Client Protocol and enter the URL for the Kasm deployment under Root URL (e.g


    Add Client

  8. In the client settings, change Access Type to confidential, then slick Save.

  9. Select Credentials. Save off the Secret. It will be used in future steps.


    Client Secret

  10. In the client settings, select Mappers, then click Create.

  11. Enter groups for Name, and select Group Membership from the Mapper Type. Enter groups for Token Claim Name, then select Save.



Kasm OpenID Config

  1. Log into the Kasm UI as an administrator.

  2. Select Authentication -> OpenID -> Create New Configuration.

  3. Update the form with the following entries, using the Client ID and Client Secret gathered in the previous section.



    Display Name

    Continue with Keycloak

    Logo URL



    Auto Login






    Client ID

    <Client ID from Keycloak>

    Client Secret

    <Client Secret from Keycloak>

    Authorization URL

    <authorization_endpoint from the Keycloak configuration>

    Token URL

    <token_endpoint from the Keycloak configuration>

    User Info URL

    <userinfo_endpoint from the Keycloak configuration>


    openid email profile

    Username Attribute


    Groups Attribute





    Kasm OIDC Configurations

  1. Click Submit to save the changes.

Keycloak Login Test

  1. Logout of the Kasm to display the login screen. The OpenID configuration should be shown.


    Login Screen

  2. Click Continue with Keycloak

  3. The user is redirected to Keycloak for auth.


    Keycloak Auth

  4. Upon completion, the user is logged into the Kasm app.

Group Mapping

The previous configurations will instruct the identity provider to send a list of Security Group ID the user belongs to during the OpenID auth workflow. We can configure Kasm Groups with the Security Group IDs from Azure AD so that users are automatically added/removed based on their Azure AD group Membership.

  1. Log into the Kasm UI as an administrator.

  2. Select Groups -> Add Group.

  3. Name the Group Group Test, and define a priority.

  4. Click Submit to create the group.


Group Configuration

  1. On the groups screen, using the three dot menu select View on the group that was just created.

  2. Scroll to the bottom of the screen and select Add SSO Mapping.

  3. Select the OpenID IDP that was created above “OpenID - Continue with Keycloak” for the SSO Provider.

#. Then enter the Keycloak group name desired in the Group Attributes field, e.g /Kasm-Test. Note the slash. This is needed when Full group path is set in the Keycloak Client Mapper which is the default.

  1. Click Add


Add SSO Group Mapping

  1. Logout, then login via the Keycloak Open ID login with a user that is a member of the specified group.

  2. View the users group membership to ensure they are added to the newly created group.