# Keycloak SSO

Use this guide when your organization signs in with Keycloak. Lettermint connects to a Keycloak OpenID Connect client.

{/* Screenshot placeholder: /docs/images/sso/providers/keycloak-client.png */}

## Before you start

You need administrator access to the Keycloak realm that should authenticate Lettermint users. Keycloak recommends registering exact HTTPS redirect URIs for production web applications rather than wildcard patterns, so have the Lettermint callback URL at hand before you create the client.

## Keycloak setup

1. Open the Keycloak Admin Console.
2. Select the realm used by your organization.
3. Create an OpenID Connect client for Lettermint (**Clients** > **Create client**, client type **OpenID Connect**).
4. Configure the client as confidential: turn **Client authentication** on so that Keycloak issues a client secret, and leave **Standard flow** (the authorization code flow) enabled.
5. Add the Lettermint OIDC callback URL from the SSO guide to **Valid redirect URIs**. Enter the exact HTTPS URL; do not use a wildcard.
6. Copy the client ID, and the client secret from the client's **Credentials** tab.
7. Note the realm URL, `https://{instance}/realms/{realm}`. It is also the `issuer` value that the realm's discovery document advertises.

## Lettermint setup

In the Lettermint SSO setup screen, choose **Keycloak** and enter:

| Field | Value |
|-------|-------|
| Domain | Your managed email domain, for example `example.com`. |
| Metadata URL | `https://{instance}/realms/{realm}/.well-known/openid-configuration` |
| Client ID | The Keycloak client ID. |
| Client secret | The Keycloak client secret. |

Replace `{instance}` with your Keycloak hostname and `{realm}` with the realm name. Keycloak instances that still serve under the legacy `/auth` prefix (the WildFly distribution before Keycloak 17, or a Quarkus distribution started with `--http-relative-path=/auth`) publish the document at `https://{instance}/auth/realms/{realm}/.well-known/openid-configuration` instead; the `issuer` field inside the document shows which layout your instance uses.
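Before pasting the values into Lettermint it is worth fetching the metadata URL and checking that the document belongs to the realm you think it does and supports a confidential client using the authorization code flow. The script below is an added example, not Lettermint's or Keycloak's own code; the hostname `sso.example.com`, the realm name `lettermint`, the callback URL and the trimmed discovery document are constructed placeholders.

```python
"""Sanity-check the Keycloak values before entering them into Lettermint (added example)."""
import json
import sys
from urllib.parse import urlsplit
from urllib.request import urlopen


def metadata_url(instance: str, realm: str) -> str:
    """Discovery URL for a realm on the current Keycloak URL layout (no /auth prefix)."""
    return f"https://{instance}/realms/{realm}/.well-known/openid-configuration"


def check_redirect_uri(uri: str) -> list[str]:
    """Reasons a callback URL should not be registered in Valid redirect URIs as-is."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        problems.append("redirect URI must use https")
    if "*" in uri:
        problems.append("wildcard in redirect URI; register the exact callback URL instead")
    if parts.fragment:
        problems.append("redirect URI must not carry a fragment")
    return problems


def check_discovery(doc: dict, instance: str, realm: str) -> list[str]:
    """Check that a discovery document matches the realm and offers the code flow
    with client-secret authentication, which a confidential client needs."""
    problems = []
    expected_issuer = f"https://{instance}/realms/{realm}"
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != expected {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"missing {key}")
        elif not doc[key].startswith(expected_issuer + "/"):
            problems.append(f"{key} is not under the issuer")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not offered (response_type=code)")
    auth_methods = set(doc.get("token_endpoint_auth_methods_supported", []))
    if not auth_methods & {"client_secret_basic", "client_secret_post"}:
        problems.append("token endpoint does not accept a client secret")
    return problems


# Constructed sample of what Keycloak serves at the metadata URL, trimmed to the
# fields checked above. Hostname and realm name are placeholders.
SAMPLE_DISCOVERY = {
    "issuer": "https://sso.example.com/realms/lettermint",
    "authorization_endpoint": "https://sso.example.com/realms/lettermint/protocol/openid-connect/auth",
    "token_endpoint": "https://sso.example.com/realms/lettermint/protocol/openid-connect/token",
    "jwks_uri": "https://sso.example.com/realms/lettermint/protocol/openid-connect/certs",
    "response_types_supported": ["code", "none", "id_token", "token", "code id_token"],
    "token_endpoint_auth_methods_supported": [
        "private_key_jwt", "client_secret_basic", "client_secret_post", "client_secret_jwt",
    ],
}


def main(argv: list[str]) -> int:
    """Usage: python check_keycloak.py INSTANCE REALM [CALLBACK_URL]
    With arguments the live document is fetched; without, the sample is used."""
    if len(argv) < 3:
        doc, instance, realm = SAMPLE_DISCOVERY, "sso.example.com", "lettermint"
    else:
        instance, realm = argv[1], argv[2]
        with urlopen(metadata_url(instance, realm)) as resp:
            doc = json.load(resp)
    problems = check_discovery(doc, instance, realm)
    if len(argv) > 3:
        problems += check_redirect_uri(argv[3])
    for p in problems:
        print("PROBLEM:", p)
    print("ok" if not problems else f"{len(problems)} problem(s)")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

An issuer mismatch usually means the wrong realm name or a legacy `/auth` layout; either way the value you would enter as Metadata URL is wrong and Lettermint's login would fail at the discovery step.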

## References

- [Keycloak: Managing OpenID Connect clients](https://www.keycloak.org/docs/latest/server_admin/#_clients)
- [Keycloak: Redirect URI guidance](https://www.keycloak.org/docs/25.0.6/securing_apps/index.html#redirect-uris)
