Follow the sections in this guide to set up Keycloak SSO.
{% note %}
Security requirements for your **production** environment:
- **DELETE** the default admin account shipped with OM if you had [Basic Authentication](/deployment/security/basic-auth)
enabled before configuring authentication with Keycloak SSO.
- **UPDATE** the Private / Public keys used for the [JWT Tokens](/deployment/security/enable-jwt-tokens). The keys we provide
by default are intended only for quickstart and testing purposes. They should NEVER be used in a production installation.
{% /note %}
## Create Server Credentials
### Step 1: Access the Keycloak Admin Console
- You need an administrator account. If you don't have one, see [Creating the first administrator](https://www.keycloak.org/docs/latest/server_admin/#creating-first-admin_server_administration_guide).
- Go to the URL for the Admin Console. For example, for localhost, use this URL: http://localhost:8080/admin/
- Keycloak uses realms as its primary form of organization. We can't use the "master" realm for new clients (apps), only for administration, so switch to your specific realm or create a new one.
- In this example we use an existing realm called "Data-sec".

After applying these steps, the users in your realm are able to log in to OpenMetadata. As a suggestion, create a user called "admin-user". Now you can update the configuration of your deployment:
{% inlineCalloutContainer %}
{% inlineCallout
color="violet-70"
icon="celebration"
bold="Docker Security"
href="/deployment/security/keycloak/docker" %}
Configure Keycloak SSO for your Docker Deployment.
Configure Keycloak SSO for your Kubernetes Deployment.
{% /inlineCallout %}
{% /inlineCalloutContainer %}
{% note %}
A dockerized demo for showing how this SSO works with OpenMetadata can be found [here](https://github.com/open-metadata/openmetadata-demo/tree/main/keycloak-sso).