diff --git a/content/docs/integrations/user-identity/img/keycloak/keycloak-sync-capability-config.png b/content/docs/integrations/user-identity/img/keycloak/keycloak-sync-capability-config.png new file mode 100644 index 000000000..83d940ba2 Binary files /dev/null and b/content/docs/integrations/user-identity/img/keycloak/keycloak-sync-capability-config.png differ diff --git a/content/docs/integrations/user-identity/img/keycloak/keycloak-sync-service-accounts-roles.png b/content/docs/integrations/user-identity/img/keycloak/keycloak-sync-service-accounts-roles.png new file mode 100644 index 000000000..3fe51438f Binary files /dev/null and b/content/docs/integrations/user-identity/img/keycloak/keycloak-sync-service-accounts-roles.png differ diff --git a/content/docs/integrations/user-identity/keycloak.mdx b/content/docs/integrations/user-identity/keycloak.mdx index 55057f0af..c93a07d8e 100644 --- a/content/docs/integrations/user-identity/keycloak.mdx +++ b/content/docs/integrations/user-identity/keycloak.mdx 
@@ -143,6 +143,24 @@ You'll be redirected to Keycloak to sign in, then back to the Verify service: You can see user claims from Keycloak in the JWT payload, confirming that Pomerium has authenticated and authorized your request. +### Directory Sync (Enterprise) + +## Setting Up Directory Sync + +### Configure Client Credentials + +To allow the client credentials configured above to be used for directory sync, under **Capability config**, turn on "Service accounts roles". + +![Capability config](./img/keycloak/keycloak-sync-capability-config.png) + +Then under the **Service accounts roles** tab, add the `view-users` and `view-groups` roles. + +![Service accounts roles](./img/keycloak/keycloak-sync-service-accounts-roles.png) + +### Configure Pomerium Enterprise Console + +Under **Settings → Identity Providers**, select "Keycloak" as the identity provider and set the Client ID, Client Secret, Realm and URL. + ## Additional Resources - [Identity Provider Settings](/docs/reference/identity-provider-settings)
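Review bot: The heading hierarchy in this hunk is inverted: `+### Directory Sync (Enterprise)` is an h3 with no body text, immediately followed by the h2 `+## Setting Up Directory Sync`, so the new section will render as an orphaned subheading under the preceding h2 and the outline/TOC will be wrong. Suggest either dropping the empty h3 or making it the parent, e.g. `## Directory Sync (Enterprise)` followed by `### Setting Up Directory Sync`. Two smaller documentation points in the same region: the "Configure Client Credentials" step should state that `view-users` and `view-groups` are the only roles the service account needs (so readers do not assign broader realm administration roles to it) and which client those roles are listed under in the "Assign role" dialog, since the **Service accounts roles** tab filters by client; and the "Configure Pomerium Enterprise Console" step should say explicitly that the Client ID and Client Secret are the same credentials configured earlier in the page, as "configured above" is implied but never stated for the console side.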