# Keycloak {% hint style="danger" %} If Keycloak and CISO Assistant are both deployed locally with docker, you'll need to make sure that both containers can communicate together. You can do this with a [bridge network](https://docs.docker.com/engine/network/drivers/bridge/). {% endhint %} {% tabs %} {% tab title="SAML" %} Go into your **Keycloak admin console** 1. Open the sidebar menu > **Clients** and **Create client**

2. Choose **SAML** client type and name it **ciso-assistant** or with your custom **SP Entity ID**

3. Fill the **Home URL** with your `` and **Valid redirect URIs** with ``

If you have some problems to configure these urls you can ask for help on [Discord](https://discord.gg/8C4X7ndQQ4) or by emailing us 4. Go into **Keys** and disable **Signing keys config**

5. Go into **Advanced** and fill **ACS field** with `` (on a cloud instance it is simply ``)

6. Go to **Client scopes** and click on **ciso-assistant-dedicated**

7. **Add a predefined mapper** and check all **X500** ones

8. Click on **X500 surname** and replace **SAML Attribute name** with `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`

9. Click on **X500 givenName** and replace **SAML Attribute name** with `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`

10. Go into **Realm settings > General**, you will find the **Metadata URL**

11. You'll find inside the **Metadata URL** the **Entity ID**

{% endtab %} {% tab title="OpenID Connect (OIDC)" %} Go into your **Keycloak admin console** 1. Open the sidebar menu > **Clients** and **Create client**

2. Choose **OpenID Connect** client type and give it a **Client ID**, then click **Next**![](https://217025809-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUJGpmCYDFJNsz2CDasSm%2Fuploads%2FUKXk8pZyDbTHGs1HQGTT%2Fimage.png?alt=media\&token=fba0e5d6-e797-4558-893d-b011afc44761) 3. Enable **Client authentication**, make sure **Standard flow** is selected, then click **Next**![](https://217025809-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUJGpmCYDFJNsz2CDasSm%2Fuploads%2FfGHfvoYnfrPLzVsZtRzB%2Fimage.png?alt=media\&token=9175318a-a99a-48b8-b596-c66060c466a8) 4. Enter your deployment's **Root URL**. It is the URL of your frontend. 1. Set it to `` 2. For cloud deployments, you must set it to `` 5. Set the **Home URL** to **`/`** 6. Enter your **Valid redirect URIs** 1. Set it to `/api/accounts/oidc/openid_connect/login/callback/` 2. For cloud deployments, you must set it to `/api/accounts/oidc/openid_connect/login/callback/`

7. Once your client is created, you can find its **Client secret** under the **Credentials** tab. You can copy it from there

8. Go into **Realm settings > General** to find the **OpenID Endpoint Configuration**, which you will have to paste into CISO Assistant's **Server URL** SSO parameter

{% endtab %} {% endtabs %} {% hint style="warning" %} Adding a user in your application doesn't automatically create the user on CISO Assistant {% endhint %} You can now [configure CISO Assistant](https://intuitem.gitbook.io/ciso-assistant/features-highlights/sso#configure-ciso-assistant-with-saml) with the **parameters** you've retrieved.