OpenMetadata/openmetadata-docs/content/deployment/security/keycloak/docker.md

---
title: Keycloak SSO for Docker
slug: /deployment/security/keycloak/docker
---

# Keycloak SSO for Docker

To enable security for the Docker deployment, follow the next steps:

## 1. Create an .env file

Create an `openmetadata_keycloak.env` file and add the following contents as an example. Use the information
generated when setting up the account.

The configuration below already uses the presets shown in the example of keycloak configurations, you can change to yours.

### 1.1 Before 0.12.1

```shell
# OpenMetadata Server Authentication Configuration
AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer
AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter
AUTHORIZER_ADMIN_PRINCIPALS=[admin-user]  # Your `name` from name@domain.com
AUTHORIZER_INGESTION_PRINCIPALS=[ingestion-bot,service-account-open-metadata]
AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain

AUTHENTICATION_PROVIDER=custom-oidc
CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME=KeyCloak
AUTHENTICATION_PUBLIC_KEYS=[{http://localhost:8081/realms/data-sec/protocol/openid-connect/certs}]
AUTHENTICATION_AUTHORITY={http://localhost:8081/realms/data-sec}
AUTHENTICATION_CLIENT_ID=open-metadata # Update with your Client ID
AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback

# Airflow Configuration
AIRFLOW_AUTH_PROVIDER=custom-oidc
OM_AUTH_AIRFLOW_CUSTOM_OIDC_CLIENT_ID=open-metadata # Update with your Client ID
OM_AUTH_AIRFLOW_CUSTOM_OIDC_SECRET_KEY={Secret Key} # Update with your Secret Key
OM_AUTH_AIRFLOW_CUSTOM_OIDC_TOKEN_ENDPOINT_URL="http://localhost:8081/realms/data-sec/protocol/openid-connect/token"
```

### 1.2 After 0.12.1

```shell
# OpenMetadata Server Authentication Configuration
AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer
AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter
AUTHORIZER_ADMIN_PRINCIPALS=[admin-user]  # Your `name` from name@domain.com
AUTHORIZER_INGESTION_PRINCIPALS=[ingestion-bot,service-account-open-metadata]
AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain

AUTHENTICATION_PROVIDER=custom-oidc
CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME=KeyCloak
AUTHENTICATION_PUBLIC_KEYS=[{http://localhost:8081/realms/data-sec/protocol/openid-connect/certs}]
AUTHENTICATION_AUTHORITY={http://localhost:8081/realms/data-sec}
AUTHENTICATION_CLIENT_ID=open-metadata # Update with your Client ID
AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
```

### 1.3 After 0.13.0

```shell
# OpenMetadata Server Authentication Configuration
AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer
AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter
AUTHORIZER_ADMIN_PRINCIPALS=[admin-user]  # Your `name` from name@domain.com
AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain

AUTHENTICATION_PROVIDER=custom-oidc
CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME=KeyCloak
AUTHENTICATION_PUBLIC_KEYS=[{http://localhost:8081/realms/data-sec/protocol/openid-connect/certs}]
AUTHENTICATION_AUTHORITY={http://localhost:8081/realms/data-sec}
AUTHENTICATION_CLIENT_ID=open-metadata # Update with your Client ID
AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback
```

**Note:** Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for
ingesting data from Airflow.

## 2. Start Docker

```commandline
docker compose --env-file ~/openmetadata_keycloak.env up -d
```
PR with SSO keycloak documentation (#6722) * Documentation about keycloak SSO integration * Adjust to show in menu * Adjust label Co-authored-by: Luan Paschoal <luan.paschoal@extremedigital.com.br> 2022-08-15 16:35:28 -03:00			`---`
			`title: Keycloak SSO for Docker`
			`slug: /deployment/security/keycloak/docker`
			`---`

			`# Keycloak SSO for Docker`

			`To enable security for the Docker deployment, follow the next steps:`

			`## 1. Create an .env file`

Minor corrections in SSO related docs (#7356) 2022-09-12 05:06:30 +02:00			Create an `openmetadata_keycloak.env` file and add the following contents as an example. Use the information
PR with SSO keycloak documentation (#6722) * Documentation about keycloak SSO integration * Adjust to show in menu * Adjust label Co-authored-by: Luan Paschoal <luan.paschoal@extremedigital.com.br> 2022-08-15 16:35:28 -03:00			`generated when setting up the account.`

			`The configuration below already uses the presets shown in the example of keycloak configurations, you can change to yours.`

Doc: Add missing docs for Bots configuration (#7958) * Add missing docs for Bots configuration * Remove unused images 2022-10-07 12:47:43 +02:00			`### 1.1 Before 0.12.1`

PR with SSO keycloak documentation (#6722) * Documentation about keycloak SSO integration * Adjust to show in menu * Adjust label Co-authored-by: Luan Paschoal <luan.paschoal@extremedigital.com.br> 2022-08-15 16:35:28 -03:00			```shell
			`# OpenMetadata Server Authentication Configuration`
Fix Menu , Connectors should've its own section after deployment (#7950) * Fix Menu * Fix broken links * Fix config values * Fix config values 2022-10-05 21:54:02 -07:00			`AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer`
			`AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter`
PR with SSO keycloak documentation (#6722) * Documentation about keycloak SSO integration * Adjust to show in menu * Adjust label Co-authored-by: Luan Paschoal <luan.paschoal@extremedigital.com.br> 2022-08-15 16:35:28 -03:00			AUTHORIZER_ADMIN_PRINCIPALS=[admin-user] # Your `name` from name@domain.com
			`AUTHORIZER_INGESTION_PRINCIPALS=[ingestion-bot,service-account-open-metadata]`
			`AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain`

			`AUTHENTICATION_PROVIDER=custom-oidc`
			`CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME=KeyCloak`
Fix Keycloak documentation (#8149) 2022-10-14 17:37:44 +02:00			`AUTHENTICATION_PUBLIC_KEYS=[{http://localhost:8081/realms/data-sec/protocol/openid-connect/certs}]`
			`AUTHENTICATION_AUTHORITY={http://localhost:8081/realms/data-sec}`
PR with SSO keycloak documentation (#6722) * Documentation about keycloak SSO integration * Adjust to show in menu * Adjust label Co-authored-by: Luan Paschoal <luan.paschoal@extremedigital.com.br> 2022-08-15 16:35:28 -03:00			`AUTHENTICATION_CLIENT_ID=open-metadata # Update with your Client ID`
			`AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback`

			`# Airflow Configuration`
			`AIRFLOW_AUTH_PROVIDER=custom-oidc`
			`OM_AUTH_AIRFLOW_CUSTOM_OIDC_CLIENT_ID=open-metadata # Update with your Client ID`
fix: docs env OM_AUTH_AIRFLOW_CUSTOM_OIDC_SECRET_KEY (#7053) 2022-08-30 17:44:39 +05:30			`OM_AUTH_AIRFLOW_CUSTOM_OIDC_SECRET_KEY={Secret Key} # Update with your Secret Key`
Fix Keycloak documentation (#8149) 2022-10-14 17:37:44 +02:00			`OM_AUTH_AIRFLOW_CUSTOM_OIDC_TOKEN_ENDPOINT_URL="http://localhost:8081/realms/data-sec/protocol/openid-connect/token"`
PR with SSO keycloak documentation (#6722) * Documentation about keycloak SSO integration * Adjust to show in menu * Adjust label Co-authored-by: Luan Paschoal <luan.paschoal@extremedigital.com.br> 2022-08-15 16:35:28 -03:00			```

fix: Docs for Authrizer Ingestion Principals deprecation note (#8997) * update docs for deprecated Ingestion Bot Principal * Add section example for custom airflow k8s config 2022-11-24 12:33:59 +05:30			`### 1.2 After 0.12.1`
Doc: Add missing docs for Bots configuration (#7958) * Add missing docs for Bots configuration * Remove unused images 2022-10-07 12:47:43 +02:00
			```shell
			`# OpenMetadata Server Authentication Configuration`
			`AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer`
			`AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter`
			AUTHORIZER_ADMIN_PRINCIPALS=[admin-user] # Your `name` from name@domain.com
			`AUTHORIZER_INGESTION_PRINCIPALS=[ingestion-bot,service-account-open-metadata]`
			`AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain`

			`AUTHENTICATION_PROVIDER=custom-oidc`
			`CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME=KeyCloak`
Fix Keycloak documentation (#8149) 2022-10-14 17:37:44 +02:00			`AUTHENTICATION_PUBLIC_KEYS=[{http://localhost:8081/realms/data-sec/protocol/openid-connect/certs}]`
			`AUTHENTICATION_AUTHORITY={http://localhost:8081/realms/data-sec}`
Doc: Add missing docs for Bots configuration (#7958) * Add missing docs for Bots configuration * Remove unused images 2022-10-07 12:47:43 +02:00			`AUTHENTICATION_CLIENT_ID=open-metadata # Update with your Client ID`
			`AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback`
			```

fix: Docs for Authrizer Ingestion Principals deprecation note (#8997) * update docs for deprecated Ingestion Bot Principal * Add section example for custom airflow k8s config 2022-11-24 12:33:59 +05:30			`### 1.3 After 0.13.0`

			```shell
			`# OpenMetadata Server Authentication Configuration`
			`AUTHORIZER_CLASS_NAME=org.openmetadata.service.security.DefaultAuthorizer`
			`AUTHORIZER_REQUEST_FILTER=org.openmetadata.service.security.JwtFilter`
			AUTHORIZER_ADMIN_PRINCIPALS=[admin-user] # Your `name` from name@domain.com
			`AUTHORIZER_PRINCIPAL_DOMAIN=open-metadata.org # Update with your domain`

			`AUTHENTICATION_PROVIDER=custom-oidc`
			`CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME=KeyCloak`
			`AUTHENTICATION_PUBLIC_KEYS=[{http://localhost:8081/realms/data-sec/protocol/openid-connect/certs}]`
			`AUTHENTICATION_AUTHORITY={http://localhost:8081/realms/data-sec}`
			`AUTHENTICATION_CLIENT_ID=open-metadata # Update with your Client ID`
			`AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback`
			```

Doc: Add missing docs for Bots configuration (#7958) * Add missing docs for Bots configuration * Remove unused images 2022-10-07 12:47:43 +02:00			Note: Follow [this](/how-to-guides/feature-configurations/bots) guide to configure the `ingestion-bot` credentials for
			`ingesting data from Airflow.`

PR with SSO keycloak documentation (#6722) * Documentation about keycloak SSO integration * Adjust to show in menu * Adjust label Co-authored-by: Luan Paschoal <luan.paschoal@extremedigital.com.br> 2022-08-15 16:35:28 -03:00			`## 2. Start Docker`

			```commandline
Minor corrections in SSO related docs (#7356) 2022-09-12 05:06:30 +02:00			`docker compose --env-file ~/openmetadata_keycloak.env up -d`
PR with SSO keycloak documentation (#6722) * Documentation about keycloak SSO integration * Adjust to show in menu * Adjust label Co-authored-by: Luan Paschoal <luan.paschoal@extremedigital.com.br> 2022-08-15 16:35:28 -03:00			```