How to set up SSO with Keycloak:
- Open the Configurations tab on the left side of the screen, go to the SSO settings tab, and move the switch to On.
- Open your account in Keycloak and choose an existing realm or add a new one.
- Go to Configure -> Clients and create a new client:
  - Go back to the SSO settings tab in Precoro, copy the Entity ID and paste it into the Client ID field
  - Change Client Protocol to saml
  - Copy the ACS from your SSO configuration tab in Precoro and paste it into the Client SAML Endpoint field
- Change the settings of the new client:
  - Turn on Sign Assertions
  - Root and Base URL must be https://precoro.com/
  - Go to the SSO settings tab in Precoro, copy the ACS and paste it into the ACS POST Binding URL field
  - To fill in the Logout Service POST Binding URL and Logout Service Redirect Binding URL fields, copy the Single Logout Response Endpoint from your SSO configuration tab in Precoro and paste it into both.
- Switch to the SAML Keys tab in the client’s profile:
  - Go to the SSO settings tab in Precoro and download the Precoro Certificate
  - Press Import and choose Certificate PEM as Archive Format
  - Import this certificate to your SAML Keys
- Go to Manage -> Users and create a new user:
  - Make sure you enter your valid Precoro account email (add it as both the username and the email)
  - First Name and Last Name should be the same as in Precoro
  - Turn the Email Verified switch on
- Switch to the Credentials tab in the user’s profile and set a password.
- Open Configure -> Realm Settings -> Login tab:
  - Change Require SSL to none
- Switch to the General tab and save the Metadata endpoint as an .xml file
- Find entityID in this file, copy it, and paste it into Step 3 of your SSO configuration tab in Precoro
- Upload the downloaded .xml file to Precoro
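
The saved metadata file can be checked locally before it is uploaded. The Python below is an added example, not part of Precoro's or Keycloak's own tooling: it reads the entityID, lists the sign-on and logout endpoints, counts signing certificates and, because the realm above has Require SSL set to none, reports any endpoint that is not https. The sample document, host and realm name are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample (placeholder host, realm and certificate), not real data.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://keycloak.example.test/realms/demo">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>PLACEHOLDERCERT</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Location="http://keycloak.example.test/realms/demo/protocol/saml"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  <md:SingleSignOnService Location="http://keycloak.example.test/realms/demo/protocol/saml"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def inspect_idp_metadata(xml_text):
    # SAML metadata never needs a DTD; refusing one blocks entity-expansion input.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed in metadata")
    root = ET.fromstring(xml_text)
    # The file may be a bare EntityDescriptor or one wrapped in EntitiesDescriptor.
    entity = root if root.tag == "{%s}EntityDescriptor" % MD else root.find("md:EntityDescriptor", NS)
    idp = entity.find("md:IDPSSODescriptor", NS) if entity is not None else None
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    endpoints = [(kind, el.get("Binding", "").rsplit(":", 1)[-1], el.get("Location", ""))
                 for kind in ("SingleSignOnService", "SingleLogoutService")
                 for el in idp.findall("md:" + kind, NS)]
    # A KeyDescriptor without a 'use' attribute serves for signing as well.
    certs = [c for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall(".//ds:X509Certificate", NS) if (c.text or "").strip()]
    findings = []
    if not entity.get("entityID"):
        findings.append("entityID attribute is missing")
    if not certs:
        findings.append("no signing certificate published")
    if not any(kind == "SingleSignOnService" for kind, _, _ in endpoints):
        findings.append("no SingleSignOnService endpoint")
    for kind, binding, url in endpoints:
        if not url.lower().startswith("https://"):
            findings.append(f"{kind} ({binding}) is not https: {url}")
    return {"entity_id": entity.get("entityID"), "endpoints": endpoints,
            "signing_certs": len(certs), "findings": findings}
```

To check the file saved from the General tab, pass its text to `inspect_idp_metadata()`; the `entity_id` it returns is the value to paste into Step 3.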
You can now access Precoro with Keycloak:
Easily log in and log out
How can you invite new users to Precoro if the SSO is enabled?
- You can still invite users to your Precoro company account from the User Management tab. But first, this user must be added to your user list in Keycloak.
- A new user will be redirected to the Company Login page from the invitation email.
Please note:
- If you give a user access to Precoro through Keycloak, the user won’t be added to Precoro.
- If you change a user’s email in Keycloak, it won’t be changed in Precoro.
- If you end a session in Keycloak, you’ll still be logged in to Precoro.
- If you delete or disable a user in Keycloak, the user won’t be deleted or disabled in Precoro (but won’t be able to log in).