> ## Documentation Index
> Fetch the complete documentation index at: https://docs.domino.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up Keycloak

[Keycloak](https://www.keycloak.org) is a user authentication service that runs in a pod on your Domino cluster.

Discover how to set up Keycloak, manage user groups, and configure local usernames and passwords.

[Enable user registration](#enable-or-disable-user-registration) via the Keycloak console so users can sign up to join your new Domino installation.

Keycloak offers various authentication methods:

* [Federated authentication through an LDAP Active Directory Provider](/6.3/admin/identity-and-access/authentication/ldap-ad-federation)

* [Brokered authentication through single sign-on (SSO)](/6.3/admin/identity-and-access/authentication/sso/sso-configuration)

## Access Keycloak

To access your Keycloak instance, visit `https://<your-domino-domain>/auth/`.

You must sign in to the Keycloak admin console at least once to initialize the authentication service.

### Retrieve the admin password

Before your first sign-in, you must retrieve the admin password.

If you haven’t already, install [kubectl](https://kubernetes.io/docs/tasks/tools/) and sign in to Kubernetes.

1. Retrieve the administrator password from the `keycloak-http` [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/):

   ```shell theme={null}
   kubectl -n <domino-platform-namespace> get secret keycloak-http -o yaml
   ```

   The following is a sample response:

   ```yaml theme={null}
   apiVersion: v1
   data:
     password: <encrypted-password>
   kind: Secret
   metadata:
     creationTimestamp: 2019-09-09T21:23:15Z
     labels:
       app.kubernetes.io/instance: keycloak
       app.kubernetes.io/managed-by: Tiller
       app.kubernetes.io/name: keycloak
       helm.sh/chart: keycloak-4.14.1-0.10.2
     name: keycloak-http
     namespace: domino
     resourceVersion: "6746"
     selfLink: /api/v1/namespaces/domino/secrets/keycloak-http
     uid: 09009f96-d348-11e9-9ea1-0aa417381fd6
   type: Opaque
   ```

2. Decrypt the password from the response:

   ```shell theme={null}
   echo '<encrypted-password>' | base64 --decode
   ```

3. Use this password to sign in to `https://<your-domino-domain>/auth/` with the username `keycloak`.

Domino automatically configures Keycloak with a realm named `DominoRealm`, to create and manage new users. When you review or change settings for Domino authentication, ensure that you have `DominoRealm` selected.

<img src="https://mintcdn.com/dominodatalab-e871cec4/7EJRUMj_QVU7askl/images/5.9/admin_guide/authentication-authorization/keycloak-realm.png?fit=max&auto=format&n=7EJRUMj_QVU7askl&q=85&s=0f50efcc1fd337b8e062dd950faaa653" alt="Keycloak realm configuration" width="2492" height="996" data-path="images/5.9/admin_guide/authentication-authorization/keycloak-realm.png" />

## Enable or disable user registration

You can enable or disable Domino user registration from the Keycloak admin console. Make sure to enable user registration, so users can join your fresh Domino install.

1. In the Keycloak sidebar menu, click **Realm Settings**.

2. Click the **Login** tab, and toggle **User registration** to **On** or **Off**.

## Local username and password configuration

The simplest option for authentication to Domino is to use local usernames and passwords. When you choose local authentication, Keycloak stores all user data in Postgres.

Set login and email configurations in Keycloak for easy authentication to Domino.

### Login configuration

When using local usernames and passwords, you find important login settings in the **Login** tab of the `DominoRealm` settings page.

<img src="https://mintcdn.com/dominodatalab-e871cec4/7EJRUMj_QVU7askl/images/5.9/admin_guide/authentication-authorization/keycloak-local-login-config.png?fit=max&auto=format&n=7EJRUMj_QVU7askl&q=85&s=8a5aafe208b4eb74b85d7cca3634b3b4" alt="Keycloak login" width="1992" height="1136" data-path="images/5.9/admin_guide/authentication-authorization/keycloak-local-login-config.png" />

<Note>
  **Email as username** is not supported. If you want to use the `Verify Email` option, an SMTP connection must be configured in the **Email** tab.
</Note>

### Email configuration

You can configure Keycloak to be able to send emails, such as for password resets. In the DominoRealm, navigate to **Realm Settings** > **Email**. The form contains fields that map to values provided by an SMTP email service provider or SMTP server.

<Note>
  You can use the email configuration admin page to set SMTP settings for the deployment and Keycloak simultaneously instead of using the Keycloak panel. See [Email configuration](/6.3/admin/configuration/email-configuration) for more info.
</Note>

### User management

Your [first sign-in as administrator](#access-keycloak) automatically configures Keycloak with realms. A realm is the Keycloak equivalent of a tenant. It’s used to manage groups of users. The default Keycloak admin account is in the Master realm. Master realm accounts can view, create, or update accounts in other realms. Domino also automatically configures a realm called *DominoRealm*. DominoRealm accounts are non-admins and have ordinary user privileges.

In the Keycloak sidebar, from the menu, click **DominoRealm**.

<img src="https://mintcdn.com/dominodatalab-e871cec4/7EJRUMj_QVU7askl/images/5.9/admin_guide/authentication-authorization/keycloak-add-realm.png?fit=max&auto=format&n=7EJRUMj_QVU7askl&q=85&s=c9de0c4a97ae2e34cb904b87f45c5016" alt="Keycloak realm admin" width="2480" height="1122" data-path="images/5.9/admin_guide/authentication-authorization/keycloak-add-realm.png" />

## Next steps

* [Federated authentication through an LDAP Active Directory Provider](/6.3/admin/identity-and-access/authentication/ldap-ad-federation)

* [Brokered authentication through single sign-on (SSO)](/6.3/admin/identity-and-access/authentication/sso)

* [Limit concurrent user sessions](/6.3/admin/identity-and-access/authentication/limit-sessions)
