Keycloak integration
Written by Max Raschke
Updated over a week ago

SSO allows your users to log in with an existing account at one of our supported Identity Providers without having to set a new password in awork. Click on your provider below to navigate to the setup guide.

☝️Note: SSO is only available in the awork Enterprise plan.

SAML 2.0 is not supported by awork, as we have opted for the more modern OpenID-Connect Standard based on OAuth 2.0.

Supported identity providers

The list of supported identity providers includes:

If you can't find your identity provider in this list, please contact us directly, and we will check if we can provide a connection.

Important notes for the setup

  1. Navigate to Settings > Integrations

  2. Open the Integration library and select your provider

  3. Now you need to enter the subdomain, client ID and client secret of the provider in the window. Instructions on how to register awork as an SSO application with your provider can be found below.

The following redirect URLs must be enabled:

https://app.awork.com/enterprise-login
https://app.awork.com/api/v1/accounts/authorize-slack
https://app.awork.com/api/v1/accounts/external/{name of login provider}
https://app.awork.com/api/v1/accounts/msteams/authorize
https://app.awork.com/api/v1/accounts/authorize

For login via web interface, e.g. via https://app.awork.com, you'll need:

https://app.awork.com/enterprise-login

For authorization from Slack you need:

https://app.awork.com/api/v1/accounts/authorize-slack

For Microsoft Teams authorization you need:

https://app.awork.com/api/v1/accounts/msteams/authorize

For Zapier integrations, you'll need the following redirect URL:

https://app.awork.com/api/v1/accounts/authorize

Below you'll find an overview of specific configurations for your identity provider.

Setup for Keycloak

Please contact our support if you want to set up Keycloak SSO, as this option is not available via the Web Interface yet!

To set up Keycloak SSO via OpenID Connect, follow these steps:

  1. Log in to your Keycloak Admin Console

  2. Go to Clients

    1. Download this client configuration file: Keycloak awork client configuration

    2. Drag the file into the Resource file field. This pre-fills all the settings you need.

    3. Save the new client

  3. In the Client Details

    1. Go to the Credentials Tab and get the Client secret

  4. Go to the Realm settings and find the .well-known/openid-configuration URL at the bottom of the General settings, labelled OpenID Endpoint Configuration

    1. This URL typically looks like this: https://{your-keycloak-url}/realms/master/.well-known/openid-configuration

  5. With the Client ID and Secret and the .well-known/openid-configuration URL, please contact our support so we can configure the integration.

☝️ Important: The .well-known/openid-configuration URL needs to be available 24/7 to prevent errors while trying to log in via SSO!
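
The availability requirement above can be monitored, and the discovery document sanity-checked before you send the URL to support. The following Python check is an added example, not awork's or Keycloak's code; the host keycloak.example.com, the sample document and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

SUFFIX = "/.well-known/openid-configuration"
# Fields OpenID Connect Discovery 1.0 requires, plus token_endpoint (needed
# for the authorization code flow).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(url, doc):
    """Return a list of problems found in a discovery document served at url."""
    if not url.endswith(SUFFIX):
        return [f"URL does not end in {SUFFIX}"]
    problems = [f"missing field: {k}" for k in REQUIRED if k not in doc]
    # The issuer must equal the discovery URL minus the well-known suffix; a
    # mismatch (proxy rewrite, wrong hostname setting) makes clients reject it.
    expected = url[: -len(SUFFIX)]
    if str(doc.get("issuer", "")).rstrip("/") != expected:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected!r}")
    for key in ENDPOINTS:
        value = doc.get(key)
        if isinstance(value, str) and urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow ('code') not advertised")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("unsigned ID tokens ('none') advertised")  # policy check
    return problems

def fetch_and_check(url, timeout=5):
    """Live variant for a monitoring job: fetch the document, then check it."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return check_discovery(url, json.load(resp))
    except (OSError, ValueError) as exc:  # unreachable, TLS error, bad JSON
        return [f"discovery document unavailable: {exc}"]

# Constructed sample (hypothetical host), shaped like a Keycloak realm document.
BASE = "https://keycloak.example.com/realms/master"
SAMPLE = {"issuer": BASE,
          "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
          "token_endpoint": BASE + "/protocol/openid-connect/token",
          "jwks_uri": BASE + "/protocol/openid-connect/certs",
          "response_types_supported": ["code", "id_token"],
          "subject_types_supported": ["public", "pairwise"],
          "id_token_signing_alg_values_supported": ["RS256", "ES256"]}
```

Run `fetch_and_check` against your own realm's URL from outside your network, since that is where the SSO login will fetch it from; an empty list means the document is reachable and consistent.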

After the setup

If the configuration was successful, the SSO sign-in is now available in the login area.

☝️Hint: Rights, users, or groups are currently not controlled via the identity provider. Only the login for existing user accounts is enabled. A user must, therefore, already exist in awork. User matching is done via the user's email address.

Disable other login options

If SSO is configured, it is possible to disable and hide the other login options (email & password as well as social login via Google & Apple). You can set this up in Settings > General.

This is only advisable if no external users who are not managed via Identity Management are working in the workspace.

☝️Hint: If you remove the SSO settings in awork, the login with email and password will be automatically enabled again, so you will always be able to log in with your admin account.

Log in via SSO on app.awork.com

To log in via SSO using the global login page app.awork.com, select the option Sign in via SSO.

Here you have to enter the subdomain of your workspace first. After entering the subdomain, you will be automatically redirected to the SSO login screen or, if you are already logged in here, directly to your awork dashboard.

If you have disabled the options to log in via email & password and/or social login (Google & Apple), they will still be displayed on the global page.

They will just be hidden under the specific workspace page YOUR-WORKSPACE-SUBDOMAIN.awork.com.

However, login will not be possible from the global page either.

Log in via SSO using YOUR-WORKSPACE-SUBDOMAIN.awork.com

If SSO is configured, there is now another selection button Sign in via SSO.

You will now be automatically redirected to the SSO login screen or, if you are already logged in here, directly to your awork dashboard.
