# Keycloak SAML setup

> Configure SAML-based single sign-on between Keycloak and CodeRabbit for your Enterprise organization.

export const EnterprisePlanBadge = ({tip = "This feature is available exclusively as part of the Enterprise plan. Please refer to our pricing page for more information about our plans and features.", title = "Enterprise Plan", cta = "Read more", href = "https://coderabbit.ai/pricing", disabled = false}) => {
  return <Tooltip tip={tip} cta={cta} href={href}>
        <Badge icon="building-2" disabled={disabled || undefined}>
            {title}
        </Badge>
    </Tooltip>;
};

export const AdminRoleBadge = ({tip = "This feature requires an organization owner, an admin role or the corresponding permission. Regular Members do not have access.", title = "Admin Only", cta = "View roles", href = "/management/roles", disabled = false}) => {
  return <Tooltip tip={tip} cta={cta} href={href}>
        <Badge icon="lock" color="orange" disabled={disabled || undefined}>
            {title}
        </Badge>
    </Tooltip>;
};

<EnterprisePlanBadge />

<AdminRoleBadge tip="This page requires an admin role. Members do not have access to Enterprise SSO settings." />

Use this guide to configure Keycloak as the identity provider for CodeRabbit. The current setup is support-assisted: you create the Keycloak SAML client, collect the required metadata, and then send the final values to CodeRabbit for enablement.

## Before you start

Make sure you have:

* A running **Keycloak** instance and access to its **admin console**
* A **realm** to host the CodeRabbit SAML client
* The email domain that should authenticate through CodeRabbit
* A way to reach your account team to request CodeRabbit's service provider values and submit your final metadata

Your Keycloak realm descriptor URL must be reachable from CodeRabbit so we can fetch the IdP metadata automatically. If your Keycloak is only accessible on an internal network, see [What CodeRabbit needs from you](#what-coderabbit-needs-from-you) for the file-upload alternative.

## What CodeRabbit provides

Before you configure the Keycloak client, reach out to your account team to request these values:

* **Assertion Consumer Service (ACS) URL**
* **SP Entity ID**

Keycloak requires both values to create the SAML client.

## What CodeRabbit needs from you

After you configure the Keycloak client, send these items to CodeRabbit:

* **Email domain**: for example, `yourcompany.com`
* **IdP metadata**, in one of these forms (listed in order of preference):
  * **Metadata URL**: the realm SAML descriptor URL — `https://<keycloak-host>/realms/<realm-name>/protocol/saml/descriptor`
  * **Metadata XML file**: download the XML from the URL above and attach it — use this if your Keycloak is not reachable from the public internet
  * **Manual values**, if neither of the above is possible:
    * **Sign-on URL**: the `Location` attribute of the `HTTP-POST` `SingleSignOnService` element in the descriptor
    * **Issuer**: the `entityID` attribute of the `EntityDescriptor` element (typically `https://<keycloak-host>/realms/<realm-name>`)
    * **Signing certificate**: the contents of `ds:X509Certificate`, saved as a `.pem` file
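The three manual values come straight out of the descriptor XML, and pulling them out with a script is less error-prone than copying from a browser view. The Python below is an added example, not code from CodeRabbit or Keycloak: it parses a constructed sample shaped like the realm descriptor (host `keycloak.example.com`, realm `coderabbit`, and the certificate body are placeholders), takes the `Location` of the `HTTP-POST` `SingleSignOnService` endpoint, the `entityID` of the `EntityDescriptor`, and the signing `ds:X509Certificate`, and re-wraps that certificate as PEM text ready to save as a `.pem` file. Point `parse_idp_descriptor` at the downloaded descriptor to get your own values.

```python
"""Pull the manual SAML values out of a Keycloak realm descriptor (added example)."""
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like https://<keycloak-host>/realms/<realm-name>/protocol/saml/descriptor.
# Host, realm name and certificate body are placeholders, not real values.
SAMPLE_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.example.com/realms/coderabbit">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName>placeholder-key-id</ds:KeyName>
        <ds:X509Data>
          <ds:X509Certificate>
            MIIBexampleCERTIFICATEbodyNOTaREALkey0123456789abcdefghijklmnopqrstuvwxyzABCDEFGH
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.com/realms/coderabbit/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.com/realms/coderabbit/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_descriptor(xml_text: str) -> dict:
    """Return sign_on_url, issuer and signing_cert_pem; raise ValueError if any of them is absent."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("descriptor has no IDPSSODescriptor")

    # Sign-on URL: the Location of the HTTP-POST SingleSignOnService (not the HTTP-Redirect one).
    post = [s for s in idp.findall("md:SingleSignOnService", NS) if s.get("Binding") == HTTP_POST]
    if not post:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint")

    # Signing certificate: a KeyDescriptor with use="signing" (no `use` attribute means signing and encryption).
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text and node.text.strip():
            cert_b64 = "".join(node.text.split())  # drop any whitespace the XML wraps it with
            break
    if cert_b64 is None:
        raise ValueError("no signing ds:X509Certificate found")

    # PEM is the base64 body in 64-character lines between the BEGIN/END markers.
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(cert_b64, 64)) + "\n-----END CERTIFICATE-----\n"
    return {
        "sign_on_url": post[0].get("Location"),
        "issuer": root.get("entityID"),
        "signing_cert_pem": pem,
    }


if __name__ == "__main__":
    values = parse_idp_descriptor(SAMPLE_DESCRIPTOR)  # swap in open("descriptor.xml").read() for a real file
    print("Sign-on URL:", values["sign_on_url"])
    print("Issuer:     ", values["issuer"])
    print(values["signing_cert_pem"])  # save this text as the .pem file you send to CodeRabbit
```

The parser refuses to guess: if the descriptor has no `HTTP-POST` endpoint or no signing certificate it raises instead of returning a partial set, so you never send an incomplete trio to your account team.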

## Set up the Keycloak SAML client

<Steps>
  <Step title="Create the SAML client">
    Sign in to the Keycloak admin console, switch into the realm you want to use, then go to **Clients** -> **Create client**.

    On the **General Settings** screen:

    * **Client type**: `SAML`
    * **Client ID**: paste the **SP Entity ID** provided by CodeRabbit
    * **Name**: `CodeRabbit` (display-only)

    <Frame caption="Create the SAML client and set the Client ID to CodeRabbit's SP Entity ID">
      <img src="https://mintcdn.com/coderabbit/u1stYU3Evd4yPnml/assets/images/keycloak-create-client-general-settings.png?fit=max&auto=format&n=u1stYU3Evd4yPnml&q=85&s=54244ce437d64eec02837d0c34847316" alt="Keycloak Create client General Settings screen with SAML selected and Client ID filled in" width="2124" height="1454" data-path="assets/images/keycloak-create-client-general-settings.png" />
    </Frame>

    Click **Next**. On the **Login Settings** screen:

    * **Valid redirect URIs**: paste CodeRabbit's **ACS URL**
    * **Master SAML Processing URL**: paste the **same ACS URL**
    * Leave the remaining fields blank.

    <Frame caption="Paste the ACS URL into both Valid redirect URIs and Master SAML Processing URL">
      <img src="https://mintcdn.com/coderabbit/u1stYU3Evd4yPnml/assets/images/keycloak-create-client-login-settings.png?fit=max&auto=format&n=u1stYU3Evd4yPnml&q=85&s=fee8c58173261010627155cf4bce8e3c" alt="Keycloak Create client Login Settings screen with the ACS URL in both the Valid redirect URIs and Master SAML Processing URL fields" width="1052" height="785" data-path="assets/images/keycloak-create-client-login-settings.png" />
    </Frame>

    Click **Save**. You land on the client's Settings tab.
  </Step>

  <Step title="Tune the SAML settings">
    On the client's **Settings** tab, set the following values. Defaults for unlisted fields are fine.

    **SAML capabilities**

    | Field                  | Value   |
    | ---------------------- | ------- |
    | Name ID format         | `email` |
    | Force name ID format   | On      |
    | Force POST binding     | On      |
    | Include AuthnStatement | On      |

    <Frame caption="Set the SAML Capabilities section on the client Settings tab">
      <img src="https://mintcdn.com/coderabbit/u1stYU3Evd4yPnml/assets/images/keycloak-client-saml-settings-part1.png?fit=max&auto=format&n=u1stYU3Evd4yPnml&q=85&s=c3fdf5babfb1b2f5d50399c96051fd84" alt="Keycloak client SAML Capabilities section configured with email Name ID format, Force POST binding On, and Include AuthnStatement On" width="1290" height="596" data-path="assets/images/keycloak-client-saml-settings-part1.png" />
    </Frame>

    **Signature and Encryption**

    | Field               | Value        |
    | ------------------- | ------------ |
    | Sign documents      | On           |
    | Sign assertions     | On           |
    | Signature algorithm | `RSA_SHA256` |

    <Frame caption="Set the Signature and Encryption section on the same tab">
      <img src="https://mintcdn.com/coderabbit/u1stYU3Evd4yPnml/assets/images/keycloak-client-saml-settings-part2.png?fit=max&auto=format&n=u1stYU3Evd4yPnml&q=85&s=887a6df0cb6b1ebe93a6825cc1ee7075" alt="Keycloak client Signature and Encryption section with Sign Documents and Sign Assertions both On and Signature algorithm set to RSA_SHA256" width="1026" height="554" data-path="assets/images/keycloak-client-saml-settings-part2.png" />
    </Frame>

    Switch to the **Keys** tab and turn **Client signature required** **Off**.

    <Warning>
      This setting is required. CodeRabbit does not sign outgoing AuthnRequests — leaving **Client signature required** On causes Keycloak to reject the request with `invalid_signature` and blocks the sign-in flow entirely. Because Keycloak then cannot verify who sent the request, the **Valid redirect URIs** entry from the previous step is what limits where it will post assertions; keep that list to CodeRabbit's ACS URL only.
    </Warning>

    <Frame caption="Turn Client signature required Off on the Keys tab">
      <img src="https://mintcdn.com/coderabbit/u1stYU3Evd4yPnml/assets/images/keycloak-client-keys-signature-off.png?fit=max&auto=format&n=u1stYU3Evd4yPnml&q=85&s=f44e3e537e390f20b442731015529240" alt="Keycloak client Keys tab with Client signature required toggled Off" width="1032" height="728" data-path="assets/images/keycloak-client-keys-signature-off.png" />
    </Frame>

    Save each change.
  </Step>

  <Step title="Add attribute mappers">
    CodeRabbit expects email, first name, and last name to be present in the SAML assertion under specific attribute names. Add three mappers so the assertion includes them.

    Open the client -> **Client scopes** tab -> click the row whose name ends in `-dedicated` (the dedicated client scope) -> switch to the **Mappers** tab.

    Click **Configure a new mapper** -> **By configuration** -> **User Property**. Add one mapper per row:

    | User Property | SAML Attribute Name | SAML Attribute NameFormat | Friendly Name |
    | ------------- | ------------------- | ------------------------- | ------------- |
    | `email`       | `mail`              | `Basic`                   | Email         |
    | `firstName`   | `firstName`         | `Basic`                   | First name    |
    | `lastName`    | `lastName`          | `Basic`                   | Last name     |

    The **SAML Attribute Name** column is what CodeRabbit reads from the assertion — the values must match the table exactly, including the `mail` spelling for email.

    <Frame caption="Three User Property mappers added to the dedicated client scope">
      <img src="https://mintcdn.com/coderabbit/u1stYU3Evd4yPnml/assets/images/keycloak-client-attribute-mappers.png?fit=max&auto=format&n=u1stYU3Evd4yPnml&q=85&s=3e0204e6bce6150631cd590f624214d9" alt="Keycloak dedicated client scope Mappers tab showing email, firstName, and lastName User Property mappers" width="1557" height="497" data-path="assets/images/keycloak-client-attribute-mappers.png" />
    </Frame>

    Each mapper form looks like this — confirm the **Property**, **Friendly Name**, **SAML Attribute Name**, and **SAML Attribute NameFormat** match the table above before saving.

    <Frame caption="A single User Property mapper configured for the email attribute">
      <img src="https://mintcdn.com/coderabbit/u1stYU3Evd4yPnml/assets/images/keycloak-client-mapper-config.png?fit=max&auto=format&n=u1stYU3Evd4yPnml&q=85&s=4078f62f4f15c7cf9f32281e4f17e2a1" alt="Keycloak User Property mapper configuration panel with Property set to email, SAML Attribute Name set to mail, and NameFormat set to Basic" width="1114" height="490" data-path="assets/images/keycloak-client-mapper-config.png" />
    </Frame>

    Save each mapper.
  </Step>

  <Step title="Grant access to your users">
    Make sure the users who should sign in to CodeRabbit exist in this realm, with:

    * An **email** that ends in the domain you registered with CodeRabbit
    * **First name** and **Last name** populated — those flow into CodeRabbit via the mappers above

    If your realm restricts client access via client-level roles or custom authentication flows, ensure the users you want to sign in have the appropriate access for this client. Users who cannot access the client in Keycloak cannot complete SSO login to CodeRabbit.
  </Step>

  <Step title="Send the metadata to CodeRabbit and validate access">
    Collect your IdP metadata URL:

    ```
    https://<keycloak-host>/realms/<realm-name>/protocol/saml/descriptor
    ```

    Open it in a browser to sanity-check. You should see an XML `EntityDescriptor` containing an `IDPSSODescriptor`, an `HTTP-POST` `SingleSignOnService` endpoint, and a `ds:X509Certificate` block.

    Send the following to your account team:

    * Your organization's email domain
    * The metadata URL above — or, if Keycloak is not reachable publicly, the downloaded XML file or the manual values described in [What CodeRabbit needs from you](#what-coderabbit-needs-from-you)

    After CodeRabbit confirms the configuration is enabled, test the sign-in flow with a user account whose email matches your configured domain. Assigned users are added to your CodeRabbit organization automatically on first SSO login.
  </Step>
</Steps>
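Before you test with real users, it is worth confirming that the client actually emits what the steps above configure: an email-format NameID, a signed assertion with an AuthnStatement, and the `mail`, `firstName` and `lastName` attributes in Basic format. The Python below is an added example, not code from CodeRabbit or Keycloak. The response it checks is a constructed sample (host, realm, `yourcompany.com` and `jane@yourcompany.com` are placeholders, and the signature is a stub, so nothing here verifies cryptography), and it deliberately names the email attribute `email` instead of `mail` so you can see how the checker reports the spelling mistake the mapper table warns about. A real response is the base64 value of the `SAMLResponse` form field that the browser posts to the ACS URL; the browser's developer tools can show it.

```python
"""Check a Keycloak SAML response for the NameID format and attributes this guide configures (added example)."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # Keycloak "email" Name ID format
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"  # Keycloak "Basic" NameFormat
REQUIRED_ATTRS = ("mail", "firstName", "lastName")  # the SAML Attribute Name column of the mapper table

# Constructed sample response; every identifier is a placeholder. The email attribute is
# deliberately misnamed "email" (instead of "mail") so the checker has something to report.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="ID_constructed-response" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://keycloak.example.com/realms/coderabbit</saml:Issuer>
  <saml:Assertion ID="ID_constructed-assertion" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://keycloak.example.com/realms/coderabbit</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@yourcompany.com</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z" SessionIndex="placeholder"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>jane@yourcompany.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>Doe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
# What the browser actually posts to the ACS URL: the response, base64-encoded, in the SAMLResponse field.
SAMPLE_FORM_VALUE = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def decode_saml_response(form_value: str) -> str:
    """Turn the SAMLResponse form field (HTTP-POST binding) back into XML text."""
    return base64.b64decode(form_value).decode("utf-8")


def check_assertion(xml_text: str, expected_domain: str) -> list:
    """Return a list of problems; an empty list means the assertion matches this guide's settings."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plain saml:Assertion found (an EncryptedAssertion is not handled here)"]

    # Presence checks only: signature validity is the service provider's job, not this script's.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed (Sign assertions should be On)")
    if assertion.find("saml:AuthnStatement", NS) is None:
        problems.append("no AuthnStatement (Include AuthnStatement should be On)")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in Subject")
    else:
        if name_id.get("Format") != EMAIL_NAMEID:
            problems.append(f"NameID Format is {name_id.get('Format')!r}, expected email")
        if not (name_id.text or "").strip().lower().endswith("@" + expected_domain.lower()):
            problems.append(f"NameID {name_id.text!r} is not in domain {expected_domain}")

    attrs = {a.get("Name"): a for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        attr = attrs.get(name)
        if attr is None:
            problems.append(f"missing attribute {name!r}; present: {sorted(attrs)}")
            continue
        if attr.get("NameFormat") != BASIC_FORMAT:
            problems.append(f"attribute {name!r} NameFormat is {attr.get('NameFormat')!r}, expected Basic")
        value = attr.find("saml:AttributeValue", NS)
        if value is None or not (value.text or "").strip():
            problems.append(f"attribute {name!r} has no value (is the user's field empty in Keycloak?)")
    return problems


if __name__ == "__main__":
    for problem in check_assertion(decode_saml_response(SAMPLE_FORM_VALUE), "yourcompany.com"):
        print("PROBLEM:", problem)
```

Run against the sample it prints a single line naming the missing `mail` attribute and listing what is present, which is exactly the symptom of a mapper saved with the wrong **SAML Attribute Name**. An empty value on `firstName` or `lastName` points at the user record in the realm rather than the client configuration.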

## What's next

<CardGroup cols={1}>
  <Card title="Enterprise SSO overview" href="/management/sso" icon="key" horizontal>
    Return to the SSO overview to see the shared rollout flow and other supported providers.
  </Card>

  <Card title="Roles and permissions" href="/management/roles" icon="shield-check" horizontal>
    Pair SSO with the right access controls by reviewing how roles work in your CodeRabbit organization.
  </Card>

  <Card title="Support" href="/support" icon="message-circle" horizontal>
    Reach out if you need the CodeRabbit service provider values or help troubleshooting the Keycloak setup.
  </Card>
</CardGroup>
