Explore documentation
  1. Welcome 👋
  2. Product
    1. Tracing ↗
    2. Incident management ↗
    3. Uptime monitoring ↗
    4. Log management ↗
    5. Infrastructure monitoring ↗
    6. Status page ↗
    7. Error tracking ↗
    8. Warehouse ↗
  3. Integrations
    1. Integrating with Better Stack
    2. iOS & Android
    3. SSO providers
      1. AWS SSO
      2. Azure SSO
      3. Okta SSO
      4. Other SSO providers
        1. Google SAML SSO
        2. OneLogin SSO
        3. PingIdentity SSO
        4. Authentik SSO
        5. JumpCloud SSO
        6. Keycloak SSO
    4. Terraform
    5. MCP server
  4. Team and account management
    1. Team management
    2. Account settings
    3. Reporting
    4. Audit logs
  5. Design
    1. Brand guidelines

Keycloak SSO

Learn how to connect your Keycloak realm with Better Stack to enable single sign-on (SSO) for you and your colleagues.

SSO setup

  1. Go to Single Sign-On configuration.
  2. Click Connect on the Generic SAML SSO panel and select Keycloak.
  3. Note the Entity ID. You will need it in a moment.

In Keycloak

  1. Sign in to your Keycloak admin console.
  2. Select the realm you want to connect to Better Stack.
  3. In the left menu, go to Clients and click Create client.
  4. Enter the following:
    • Client type: SAML
    • Client ID: The Entity ID from Better Stack.
    • Name: Any name (e.g., Better Stack).
  5. On the next page, for Valid redirect URIs, enter https://betterstack.com/*.
  6. On the next page, enable the Sign assertions option.
  7. Go to the Keys tab and disable the Client signature required option.
  8. Go to the Client scopes tab and click on the scope with your Entity ID in its name.
  9. Click Add predefined mapper and select X500 email, X500 givenName, and X500 surname. Click Add.
  10. Click X500 email and change SAML Attribute Name to email.
  11. Click X500 givenName and change SAML Attribute Name to first_name.
  12. Click X500 surname and change SAML Attribute Name to last_name.
  13. In the left menu, click Realm settings.
  14. At the bottom of the page, click SAML 2.0 Identity Provider Metadata. This will open an XML file.
  15. Copy the content of the <ds:X509Certificate> element.
  16. Copy the Location attribute (URL) from the <md:SingleSignOnService> element where Binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.

In Better Stack

  1. Paste the certificate content into the X.509 Certificate field.
  2. Paste the URL into the Identity Provider Single Sign-On URL field.
  3. Click Connect. You will be redirected to Keycloak to sign in.

You're done. Your Keycloak Single Sign-On is now configured.

Previous article

JumpCloud SSO

Next article

Terraform