# Keycloak

{% hint style="danger" %} <mark style="color:red;">If Keycloak and CISO Assistant are both deployed locally with Docker, you'll need to make sure that the two containers can communicate with each other. You can do this with a</mark> [<mark style="color:red;">bridge network</mark>](https://docs.docker.com/engine/network/drivers/bridge/)<mark style="color:red;">.</mark>
{% endhint %}

{% tabs %}
{% tab title="SAML" %}
Go into your **Keycloak admin console**

1. Open the sidebar menu > **Clients** and **Create client**

   <figure><img src="/files/AXKamFQiTj8xjochKm5J" alt=""><figcaption></figcaption></figure>

2. Choose **SAML** client type and name it **ciso-assistant** or with your custom <mark style="color:purple;">**SP Entity ID**</mark>

   <figure><img src="/files/ulXxXX1iEefASIeX7405" alt=""><figcaption></figcaption></figure>

3. Fill the **Home URL** with your `<base_url>` and **Valid redirect URIs** with `<backend_url/*>`

   <figure><img src="/files/GzqexAtvHTnOeTMG8MQA" alt=""><figcaption></figcaption></figure>

   If you have trouble configuring these URLs, you can ask for help on [Discord](https://discord.gg/8C4X7ndQQ4) or by emailing us

4. Go into **Keys** and disable **Signing keys config**

   <figure><img src="/files/fWVsBEex1VxrpAPgAtP9" alt=""><figcaption></figcaption></figure>

5. Go into **Advanced** and fill **ACS field** with `<backend_url/api/accounts/saml/0/acs/>` (on a cloud instance it is simply `<base_url/api/accounts/saml/0/acs/>`)

   <figure><img src="/files/EK3YTCkShTc1NuEN7dkQ" alt=""><figcaption></figcaption></figure>

6. Go to **Client scopes** and click on **ciso-assistant-dedicated**

   <figure><img src="/files/2bFxdROKJPptfKvTed4P" alt=""><figcaption></figcaption></figure>

7. **Add a predefined mapper** and check all **X500** ones

   <figure><img src="/files/x15VfYR54E44lFFP1Ola" alt=""><figcaption></figcaption></figure>

8. Click on **X500 surname** and replace **SAML Attribute name** with `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`

   <figure><img src="/files/RllFqgv4RfQh68uLNAlR" alt=""><figcaption></figcaption></figure>

9. Click on **X500 givenName** and replace **SAML Attribute name** with `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`

   <figure><img src="/files/CXikUzJicviS3UhqrgP7" alt=""><figcaption></figcaption></figure>

10. Go into **Realm settings > General**, you will find the <mark style="color:purple;">**Metadata URL**</mark>

    <figure><img src="/files/CuJ7Gs6N2wNUD2v6keao" alt=""><figcaption></figcaption></figure>

11. You'll find inside the **Metadata URL** the <mark style="color:purple;">**Entity ID**</mark>

    <figure><img src="/files/R8v7JyilP35BgWoQZbpf" alt=""><figcaption></figcaption></figure>
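The document served at the Metadata URL (steps 10 and 11) is a standard SAML 2.0 IdP descriptor. The following added example, which is not part of the original page or of CISO Assistant, parses a constructed Keycloak-style descriptor to pull out the Entity ID, the redirect-binding SSO URL and the signing certificate, and builds the ACS value from step 5; the host, realm name and certificate text are placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of a Keycloak realm SAML descriptor (what the Metadata
# URL returns). Host, realm and certificate value are placeholders.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" Name="urn:keycloak">
  <md:EntityDescriptor entityID="https://keycloak.example.com/realms/ciso">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://keycloak.example.com/realms/ciso/protocol/saml"/>
      <md:SingleSignOnService Binding="{REDIRECT}"
          Location="https://keycloak.example.com/realms/ciso/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the Entity ID, the redirect-binding SSO URL, the signing
    certificate and whether the IdP advertises signed AuthnRequests."""
    root = ET.fromstring(xml_text)
    # Keycloak wraps the realm in EntitiesDescriptor; iter() also accepts a
    # bare EntityDescriptor as the root element.
    entity = next(root.iter(f"{{{MD}}}EntityDescriptor"), None)
    if entity is None:
        raise ValueError("no EntityDescriptor in metadata")
    idp = entity.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata describes no IdP role")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    cert = idp.find(f"{{{MD}}}KeyDescriptor[@use='signing']/{{{DS}}}KeyInfo/"
                    f"{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    return {
        "entity_id": entity.get("entityID"),
        "sso_url": sso.get(REDIRECT),
        "signing_cert": cert.text.strip() if cert is not None else None,
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
    }


def acs_url(url):
    """ACS field from step 5: pass backend_url (self-hosted) or base_url (cloud)."""
    return url.rstrip("/") + "/api/accounts/saml/0/acs/"
```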

{% endtab %}

{% tab title="OpenID Connect (OIDC)" %}
Go into your **Keycloak admin console**

1. Open the sidebar menu > **Clients** and **Create client**

   <figure><img src="/files/AXKamFQiTj8xjochKm5J" alt=""><figcaption></figcaption></figure>

2. Choose **OpenID Connect** client type and give it a **Client ID**, then click **Next**

   <figure><img src="/files/AjTUP2eI9t0ImjI6i8Zm" alt=""><figcaption></figcaption></figure>

3. Enable **Client authentication**, make sure **Standard flow** is selected, then click **Next**

   <figure><img src="/files/EG2OmStBAM0KDb08uSTs" alt=""><figcaption></figcaption></figure>

4. Enter your deployment's **Root URL**. It is the URL of your frontend.
   1. Set it to `<frontend_url>`
   2. For cloud deployments, you must set it to `<base_url>`

5. Set the **Home URL** to **`/`**

6. Enter your **Valid redirect URIs**
   1. Set it to `<backend_url>/api/accounts/oidc/openid_connect/login/callback/`
   2. For cloud deployments, you must set it to `<base_url>/api/accounts/oidc/openid_connect/login/callback/`

      <figure><img src="/files/MTvBYnZRU0KIpuZrdHJS" alt=""><figcaption></figcaption></figure>

7. Once your client is created, you can find its **Client secret** under the **Credentials** tab. You can copy it from there

   <figure><img src="/files/9KOi6MNxGUP1YURHOOHN" alt=""><figcaption></figcaption></figure>

8. Go into **Realm settings > General** to find the <mark style="color:purple;">**OpenID Endpoint Configuration**</mark>, which you will have to paste into CISO Assistant's **Server URL** SSO parameter

   <figure><img src="/files/LuEfQcs9H8n2Y6cgEiI8" alt=""><figcaption></figcaption></figure>
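Before pasting the OpenID Endpoint Configuration link into CISO Assistant, it is worth checking that it really is the realm's discovery document and that it offers what the client created in steps 2 and 3 needs. The added example below, which is not part of the original page or of CISO Assistant, checks a constructed discovery document for the authorization code flow ("Standard flow") with a client secret, and derives the redirect URI of step 6; host and realm are placeholders.

```python
import json
from urllib.parse import urlsplit

CALLBACK_PATH = "/api/accounts/oidc/openid_connect/login/callback/"

# Constructed excerpt of a Keycloak realm's OpenID Endpoint Configuration
# (.well-known/openid-configuration). Host and realm name are placeholders.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.example.com/realms/ciso",
    "authorization_endpoint": "https://keycloak.example.com/realms/ciso/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.com/realms/ciso/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.example.com/realms/ciso/protocol/openid-connect/certs",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "response_types_supported": ["code", "id_token", "code id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})


def callback_uri(url):
    """Valid redirect URI from step 6: pass backend_url (self-hosted) or base_url (cloud)."""
    return url.rstrip("/") + CALLBACK_PATH


def check_discovery(doc_text, server_url):
    """Return a list of problems; empty means the Server URL points at the
    realm's discovery document and the client settings of steps 2-3 fit."""
    doc = json.loads(doc_text)
    problems = []
    # Per OIDC Discovery, the document lives at issuer + /.well-known/openid-configuration
    if server_url != doc["issuer"].rstrip("/") + "/.well-known/openid-configuration":
        problems.append("server_url does not match issuer's discovery URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} is missing or not https")
    # "Standard flow" in Keycloak is the authorization code flow
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("authorization_code grant not offered")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type=code not offered")
    # "Client authentication" enabled means a confidential client with a secret
    auth = set(doc.get("token_endpoint_auth_methods_supported", []))
    if not auth & {"client_secret_basic", "client_secret_post"}:
        problems.append("no client_secret auth method for the confidential client")
    return problems
```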

{% endtab %}
{% endtabs %}

{% hint style="warning" %} <mark style="color:orange;">Adding a user in Keycloak doesn't automatically create that user in CISO Assistant</mark>
{% endhint %}

You can now [configure CISO Assistant](https://intuitem.gitbook.io/ciso-assistant/features-highlights/sso#configure-ciso-assistant-with-saml) with the <mark style="color:purple;">**parameters**</mark> you've retrieved.

