# Keycloak SSO

Learn how to connect your Keycloak realm with Better Stack to enable single sign-on (SSO) for you and your colleagues.

### SSO setup

1.  Go to [Single Sign-On configuration](https://betterstack.com/settings/sso).
2.  Click **Connect** on the **Generic SAML SSO** panel and select **Keycloak**.
3.  Note the **Entity ID**. You will need it in a moment.

#### In Keycloak

1.  Sign in to your Keycloak admin console.
2.  Select the realm you want to connect to Better Stack.
3.  In the left menu, go to **Clients** and click **Create client**.
4.  Enter the following:
    *   **Client type**: **SAML**
    *   **Client ID**: The **Entity ID** from Better Stack.
    *   **Name**: Any name (e.g., `Better Stack`).
5.  On the next page, for **Valid redirect URIs**, enter `https://betterstack.com/*`.
6.  On the next page, enable the **Sign assertions** option.
7.  Go to the **Keys** tab and disable the **Client signature required** option.
8.  Go to the **Client scopes** tab and click on the scope with your **Entity ID** in its name.
9.  Click **Add predefined mapper** and select **X500 email**, **X500 givenName**, and **X500 surname**. Click **Add**.
10. Click **X500 email** and change **SAML Attribute Name** to `email`.
11. Click **X500 givenName** and change **SAML Attribute Name** to `first_name`.
12. Click **X500 surname** and change **SAML Attribute Name** to `last_name`.
13. In the left menu, click **Realm settings**.
14. At the bottom of the page, click **SAML 2.0 Identity Provider Metadata**. This will open an XML file.
15. Copy the content of the `<ds:X509Certificate>` element.
16. Copy the `Location` attribute (URL) from the `<md:SingleSignOnService>` element where `Binding` is `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST`.

#### In Better Stack

1.  Paste the certificate content into the **X.509 Certificate** field.
2.  Paste the URL into the **Identity Provider Single Sign-On URL** field.
3.  Click **Connect**. You will be redirected to Keycloak to sign in.

You're done. Your Keycloak Single Sign-On is now configured.
