diff --git a/content/docs/integrations/user-identity/img/keycloak/keycloak-sync-capability-config.png b/content/docs/integrations/user-identity/img/keycloak/keycloak-sync-capability-config.png
new file mode 100644
index 000000000..83d940ba2
Binary files /dev/null and b/content/docs/integrations/user-identity/img/keycloak/keycloak-sync-capability-config.png differ
diff --git a/content/docs/integrations/user-identity/img/keycloak/keycloak-sync-service-accounts-roles.png b/content/docs/integrations/user-identity/img/keycloak/keycloak-sync-service-accounts-roles.png
new file mode 100644
index 000000000..3fe51438f
Binary files /dev/null and b/content/docs/integrations/user-identity/img/keycloak/keycloak-sync-service-accounts-roles.png differ
diff --git a/content/docs/integrations/user-identity/keycloak.mdx b/content/docs/integrations/user-identity/keycloak.mdx
index 55057f0af..c93a07d8e 100644
--- a/content/docs/integrations/user-identity/keycloak.mdx
+++ b/content/docs/integrations/user-identity/keycloak.mdx
@@ -143,6 +143,24 @@ You'll be redirected to Keycloak to sign in, then back to the Verify service:
 
 You can see user claims from Keycloak in the JWT payload, confirming that Pomerium has authenticated and authorized your request.
 
+### Directory Sync (Enterprise)
+
+## Setting Up Directory Sync
+
+### Configure Client Credentials
+
+To allow the client credentials configured above to be used for directory sync, under **Capability config**, turn on "Service accounts roles".
+
+![Capability config](./img/keycloak/keycloak-sync-capability-config.png)
+
+Then under the **Service accounts roles** tab, add the `view-users` and `view-groups` roles.
+
+![Service accounts roles](./img/keycloak/keycloak-sync-service-accounts-roles.png)
+
+### Configure Pomerium Enterprise Console
+
+Under **Settings → Identity Providers**, select "Keycloak" as the identity provider and set the Client ID, Client Secret, Realm and URL.
+
 ## Additional Resources
 
 - [Identity Provider Settings](/docs/reference/identity-provider-settings)