Enterprise SSO with Keycloak

Mission statement

We at codecentric are software developers and consultants. As we use Keycloak as our primary authentication tool, it was obvious to integrate Jira and Confluence authentication with Keycloak Single-Sign-On as well.

The existing plugins on the marketplace did not cover our needs, so our great team has decided to build our own plugins, based on the OpenID Connect protocol.

Key features

  • Single-Sign-On via any OpenID Connect provider

  • Mandatory or optional SSO, i.e. users can choose to use your SSO provider or Confluence/Jira local login

  • Single-Sign-Out

  • OpenID Connect client verification (confidential client access)

  • OpenID Connect server signature verification (RSA-512 key verification)

  • Support for group synchronization with Keycloak (the Jira, Confluence and Bitbucket groups can be set according to Keycloak role mappings)

  • Support for the creation of new users with Keycloak (new users can be created locally in Jira/Confluence/Bitbucket on first login)

Setup & Installation

To set up the plugin you have to create a client in the OpenID Connect provider and configure the plugin to connect to the provider. For how to set up Keycloak see OpenID Connect Client Creation in Keycloak and Setup & Configuration, respectively. To use the advanced group synchronization and user creation features see User Creation & Group Management. For common problems and their solutions see Troubleshooting.

Other OpenID Connect provider may be used, too. For how to set up the plugin with Microsoft Azure see here. Instructions on how to use the plugin with the Google Identity Platform see here.

Quick Navigation


Useful Links






Keycloak is an open source identity and access management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.


OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol, which allows computing clients to verify the identity of an end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner. In technical terms, OpenID Connect specifies a RESTful HTTPAPI, using JSON as a data format.


Single-Sign-On (SSO) is a property of access control of multiple related, yet independent, software systems.