Documentation Index
Fetch the complete documentation index at: https://docs.getbifrost.ai/llms.txt
Use this file to discover all available pages before exploring further.
Overview
This guide walks you through configuring Keycloak as your identity provider for Bifrost Enterprise. Keycloak uses standard OIDC with JWKS-based JWT validation, and Bifrost uses the same client for both user login and Admin REST API access (via the Service Account of a confidential client).
After completing this guide, users will sign in with their Keycloak credentials and admins can bulk-import users and groups via the Keycloak Admin REST API.
Prerequisites
- A running Keycloak server (self-hosted or cloud) with admin access to a realm
- Bifrost Enterprise deployed and accessible
- The redirect URI for your Bifrost instance (e.g.
https://your-bifrost-domain.com/login)
- Bifrost roles created for the roles you plan to map
Step 1: Create a Client
- In the Keycloak Admin Console, select your realm and go to Clients → Create client.
- Configure the client:
| Field | Value |
|---|
| Client type | OpenID Connect |
| Client ID | bifrost (or your preferred identifier) |
| Name | Bifrost Enterprise |
- On the Capability config step enable:
- Client authentication (makes it a confidential client)
- Standard flow (Authorization Code)
- Service accounts roles (required for Admin REST API access)
- On the Login settings step set:
| Field | Value |
|---|
| Valid redirect URIs | https://your-bifrost-domain.com/login |
| Valid post logout redirect URIs | https://your-bifrost-domain.com |
| Web origins | https://your-bifrost-domain.com |
- Save the client.
Step 2: Copy the client credentials
- Open the client and go to the Credentials tab.
- Copy the Client Secret.
Keycloak does not include realm roles or full group paths in tokens by default. Add two mappers on the client’s dedicated scope.
- Open the client → Client Scopes tab → click the client’s
-dedicated scope.
- Click Add mapper → By configuration.
Group Membership mapper
| Field | Value |
|---|
| Mapper Type | Group Membership |
| Name | groups |
| Token Claim Name | groups |
| Full group path | On |
| Add to ID token | On |
| Add to access token | On |
| Add to userinfo | On |
Bifrost uses full group paths for consistent matching across SSO and bulk provisioning flows - keep Full group path enabled.
Realm Roles mapper
| Field | Value |
|---|
| Mapper Type | User Realm Role |
| Name | realm_roles |
| Token Claim Name | realm_access.roles |
| Claim JSON Type | String |
| Multivalued | On |
| Add to ID token | On |
| Add to access token | On |
Step 4: Assign Admin REST API permissions
The same client runs both authentication and provisioning. Grant it read access to the realm so it can list users and groups.
- Open the client → Service accounts roles tab.
- Click Assign role and select:
realm-management → view-users (required)realm-management → view-realm (recommended, enables group and role listing)realm-management → query-groups (optional, for group filters)
Step 5: Create realm roles and groups
Create the roles and groups you plan to map into Bifrost.
- Realm → Realm roles → Create role for each role (e.g.
bifrost-admin, bifrost-developer, bifrost-viewer).
- Realm → Groups → Create group for each team you want to sync (e.g.
/platform, /data-science).
- Assign users to the appropriate roles and groups under Users → your user → Role mapping / Groups.
Using the Bifrost dashboard
- In Bifrost, go to Governance → User Provisioning.
- Select Keycloak as the SCIM Provider.
- Fill in the fields:
| Field | Value |
|---|
| Server URL | https://keycloak.company.com (no /realms/... suffix) |
| Realm | Your realm name (e.g. master, bifrost-prod) |
| Client ID | Client ID from Step 1 |
| Client Secret | Client Secret from Step 2 |
| Audience | Optional - defaults to Client ID |
| Team IDs Field | Leave as groups (default) or change if you used a different mapper name |
- Click Verify - Bifrost connects to Keycloak’s JWKS and Admin REST API to confirm the client and service-account roles.
- Configure Attribute → Role / Team / Business Unit mappings if needed.
- Toggle Enabled and click Save Configuration.
Using config.json
{
"scim_config": {
"enabled": true,
"provider": "keycloak",
"config": {
"serverUrl": "https://keycloak.company.com",
"realm": "bifrost-prod",
"clientId": "bifrost",
"clientSecret": "${KEYCLOAK_CLIENT_SECRET}",
"teamIdsField": "groups"
}
}
}
Configuration reference
| Field | Required | Description |
|---|
serverUrl | Yes | Base URL of the Keycloak server. Must be a valid URL (e.g. https://keycloak.company.com) and must not include /realms/.... |
realm | Yes | Realm name. |
clientId | Yes | Client ID created in Step 1. |
clientSecret | Yes | Client secret - required because the client is confidential. |
audience | No | Expected JWT audience. Defaults to clientId. |
teamIdsField | No | JWT claim for group IDs. Defaults to groups. |
attributeRoleMappings | No | Ordered list of attribute→role mappings. |
attributeTeamMappings | No | Attribute→team mappings (all matches apply). |
attributeBusinessUnitMappings | No | Attribute→business-unit mappings (all matches apply). |
Testing the Integration
- Open the Bifrost dashboard in an incognito window.
- You’ll be redirected to Keycloak’s login page.
- Sign in with a Keycloak user that has one of the roles you mapped.
- Verify the user appears under Governance → Users with the expected role and teams.
- From Governance → User Provisioning → Import Users, verify the service account can list users.
Troubleshooting
serverUrl must not include /realms/{realm}
The serverUrl field is the base Keycloak URL. Set the realm in the separate Realm field. Example: https://keycloak.company.com + realm bifrost-prod - not https://keycloak.company.com/realms/bifrost-prod.
Users redirected back to login
- Confirm the client’s Valid redirect URIs exactly match your Bifrost login URL (trailing slash matters).
- Verify the client is Enabled in Keycloak.
Roles not appearing in the token
- Check that the User Realm Role mapper adds to both ID and Access tokens.
- Use
Evaluate on the client scope to preview the token a user would receive.
Service account cannot list users
- Confirm
realm-management → view-users is assigned under Service accounts roles.
- If you enabled Authorization on the client, service account tokens may not work - disable Authorization (fine-grained authz) for this client.
jwks keys not found
- Make sure the server URL is reachable from Bifrost. The JWKS endpoint is
{serverUrl}/realms/{realm}/protocol/openid-connect/certs.
Next Steps
