Use this guide to configure Keycloak as the identity provider for CodeRabbit. The current setup is support-assisted: you create the Keycloak SAML client, collect the required metadata, and then send the final values to CodeRabbit for enablement.

Before you start

Make sure you have:
  • A running Keycloak instance and access to its admin console
  • A realm to host the CodeRabbit SAML client
  • The email domain that should authenticate through CodeRabbit
  • A way to reach your account team to request CodeRabbit’s service provider values and submit your final metadata
Your Keycloak realm descriptor URL must be reachable from CodeRabbit so we can fetch the IdP metadata automatically. If your Keycloak is only accessible on an internal network, see What CodeRabbit needs from you for the file-upload alternative.

What CodeRabbit provides

Before you configure the Keycloak client, reach out to your account team to request these values:
  • Assertion Consumer Service (ACS) URL
  • SP Entity ID
Keycloak requires both values to create the SAML client.

What CodeRabbit needs from you

After you configure the Keycloak client, send these items to CodeRabbit:
  • Email domain: for example, yourcompany.com
  • IdP metadata, in one of these forms (listed in order of preference):
    • Metadata URL: the realm SAML descriptor URL — https://<keycloak-host>/realms/<realm-name>/protocol/saml/descriptor
    • Metadata XML file: download the XML from the URL above and attach it — use this if your Keycloak is not reachable from the public internet
    • Manual values, if neither of the above is possible:
      • Sign-on URL: the Location attribute of the HTTP-POST SingleSignOnService element in the descriptor
      • Issuer: the entityID attribute of the EntityDescriptor element (typically https://<keycloak-host>/realms/<realm-name>)
      • Signing certificate: the contents of ds:X509Certificate, saved as a .pem file

Set up the Keycloak SAML client

Step 1: Create the SAML client

Sign in to the Keycloak admin console, switch into the realm you want to use, then go to Clients -> Create client. On the General Settings screen:
  • Client type: SAML
  • Client ID: paste the SP Entity ID provided by CodeRabbit
  • Name: CodeRabbit (display-only)
[Screenshot: Keycloak Create client General Settings screen with SAML selected and Client ID filled in]
Click Next. On the Login Settings screen:
  • Valid redirect URIs: paste CodeRabbit’s ACS URL
  • Master SAML Processing URL: paste the same ACS URL
  • Leave the remaining fields blank.
[Screenshot: Keycloak Create client Login Settings screen with the ACS URL in both the Valid redirect URIs and Master SAML Processing URL fields]
Click Save. You land on the client’s Settings tab.

Step 2: Tune the SAML settings

On the client’s Settings tab, set the following values. Defaults for unlisted fields are fine.

SAML capabilities
  • Name ID format: email
  • Force name ID format: On
  • Force POST binding: On
  • Include AuthnStatement: On
[Screenshot: Keycloak client SAML Capabilities section configured with email Name ID format, Force POST binding On, and Include AuthnStatement On]

Signature and Encryption
  • Sign documents: On
  • Sign assertions: On
  • Signature algorithm: RSA_SHA256
[Screenshot: Keycloak client Signature and Encryption section with Sign Documents and Sign Assertions both On and Signature algorithm set to RSA_SHA256]
Switch to the Keys tab and turn Client signature required Off.
Turning this off is required. CodeRabbit does not sign outgoing AuthnRequests — leaving Client signature required On causes Keycloak to reject the request with invalid_signature and blocks the sign-in flow entirely.
[Screenshot: Keycloak client Keys tab with Client signature required toggled Off]
Save each change.

Step 3: Add attribute mappers

CodeRabbit expects email, first name, and last name to be present in the SAML assertion under specific attribute names. Add three mappers so the assertion includes them.

Open the client -> Client scopes tab -> click the row whose name ends in -dedicated (the dedicated client scope) -> switch to the Mappers tab. Click Configure a new mapper -> By configuration -> User Property. Add one mapper per row:

  User Property   SAML Attribute Name   SAML Attribute NameFormat   Friendly Name
  email           mail                  Basic                       Email
  firstName       firstName             Basic                       First name
  lastName        lastName              Basic                       Last name
The SAML Attribute Name column is what CodeRabbit reads from the assertion — the values must match the table exactly, including the mail spelling for email.
[Screenshot: Keycloak dedicated client scope Mappers tab showing email, firstName, and lastName User Property mappers]
Each mapper form looks like this — confirm the Property, Friendly Name, SAML Attribute Name, and SAML Attribute NameFormat match the table above before saving.
[Screenshot: Keycloak User Property mapper configuration panel with Property set to email, SAML Attribute Name set to mail, and NameFormat set to Basic]
Save each mapper.
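As an added example (not part of this guide and not Keycloak's own tooling), the following Python check inspects a SAML assertion, such as one taken from the base64-decoded SAMLResponse of a test login, and reports every mismatch against the settings in steps 2 and 3: an email-format NameID, an AuthnStatement, and the mail, firstName and lastName attributes with the Basic NameFormat and non-empty values. The embedded assertion, the realm at keycloak.example.com and the user jane@yourcompany.com are constructed, and the ds:Signature element is deliberately left out because the check does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED = {"mail", "firstName", "lastName"}  # the SAML Attribute Name column above

# Constructed sample (not captured from a real realm); ds:Signature is omitted because this check only inspects content.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@yourcompany.com</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z" SessionIndex="_s1"/>
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="Email" Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>jane@yourcompany.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute FriendlyName="First name" Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute FriendlyName="Last name" Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text: str, email_domain: str) -> list:
    """Return the mismatches against the settings above; an empty list means it matches."""
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or a whole samlp:Response that wraps one.
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]
    problems = []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        problems.append("NameID is not in email format (check Name ID format and Force name ID format)")
    if assertion.find("saml:AuthnStatement", NS) is None:
        problems.append("no AuthnStatement (check Include AuthnStatement)")
    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        value = (attr.findtext("saml:AttributeValue", namespaces=NS) or "").strip()
        if attr.get("NameFormat") != BASIC:
            problems.append("attribute %s NameFormat is not Basic" % name)
        if name in REQUIRED and not value:
            problems.append("attribute %s is empty (populate it on the Keycloak user)" % name)
        attrs[name] = value
    for name in sorted(REQUIRED - set(attrs)):
        problems.append("missing attribute %s (check the mapper; email must be sent as 'mail')" % name)
    mail = attrs.get("mail", "")
    if mail and not mail.lower().endswith("@" + email_domain.lower()):
        problems.append("mail %s is not in the registered domain %s" % (mail, email_domain))
    return problems
```

Pass your own decoded assertion and registered domain to check_assertion; a non-empty list names the Keycloak setting or user field to revisit.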

Step 4: Grant access to your users

Make sure the users who should sign in to CodeRabbit exist in this realm, with:
  • An email that ends in the domain you registered with CodeRabbit
  • First name and Last name populated — those flow into CodeRabbit via the mappers above
If your realm restricts client access via client-level roles or custom authentication flows, ensure the users you want to sign in have the appropriate access for this client. Users who cannot access the client in Keycloak cannot complete SSO login to CodeRabbit.

Step 5: Send the metadata to CodeRabbit and validate access

Collect your IdP metadata URL:
https://<keycloak-host>/realms/<realm-name>/protocol/saml/descriptor
Open it in a browser to sanity-check. You should see an XML EntityDescriptor containing an IDPSSODescriptor, an HTTP-POST SingleSignOnService endpoint, and a ds:X509Certificate block. Send the following to your account team:
  • Your organization’s email domain
  • The metadata URL above — or, if Keycloak is not reachable publicly, the downloaded XML file or the manual values described in What CodeRabbit needs from you
After CodeRabbit confirms the configuration is enabled, test the sign-in flow with a user account whose email matches your configured domain. Assigned users are added to your CodeRabbit organization automatically on first SSO login.
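As an added example (not code from this guide or from Keycloak), the following Python script performs the descriptor sanity check above and extracts the three manual values listed under What CodeRabbit needs from you: the Issuer (entityID), the HTTP-POST Sign-on URL, and the signing certificate wrapped as PEM. The embedded descriptor, the host keycloak.example.com, the realm name coderabbit and the certificate body are constructed placeholders.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample descriptor: keycloak.example.com is not a real host and the certificate body is a placeholder.
SAMPLE_DESCRIPTOR = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keycloak.example.com/realms/coderabbit">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBPLACEHOLDERCERTBODYNOTAREALCERTIFICATEAA</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.com/realms/coderabbit/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.com/realms/coderabbit/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def to_pem(cert_b64: str) -> str:
    """Wrap the bare base64 body of ds:X509Certificate as a PEM certificate."""
    body = "".join(cert_b64.split())           # the value may be line-wrapped in the XML
    base64.b64decode(body, validate=True)      # fail early on a corrupted copy/paste
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64)) + "\n-----END CERTIFICATE-----\n"

def extract_manual_values(descriptor_xml: str) -> dict:
    """Pull Issuer, HTTP-POST Sign-on URL and signing certificate (PEM) out of a realm descriptor."""
    root = ET.fromstring(descriptor_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not an IdP descriptor")
    post = [s for s in idp.findall("md:SingleSignOnService", NS) if s.get("Binding") == HTTP_POST]
    if not post:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint")
    # A KeyDescriptor without a use attribute is also valid for signing; the first match wins.
    certs = [k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")]
    certs = [c for c in certs if c]
    if not certs:
        raise ValueError("no signing ds:X509Certificate in the descriptor")
    return {
        "issuer": root.get("entityID"),
        "sign_on_url": post[0].get("Location"),
        "signing_certificate_pem": to_pem(certs[0]),
    }
```

To use it on your realm, pass the XML downloaded from the descriptor URL instead of SAMPLE_DESCRIPTOR; the returned dict holds the three values to send, and any ValueError points at what is missing from the descriptor.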

What’s next

Enterprise SSO overview

Return to the SSO overview to see the shared rollout flow and other supported providers.

Roles and permissions

Pair SSO with the right access controls by reviewing how roles work in your CodeRabbit organization.

Support

Reach out if you need the CodeRabbit service provider values or help troubleshooting the Keycloak setup.