Keycloak is an identity and access management system providing a trusted way for an application to authenticate a user via different authentications protocols.

1 Configuration for the old UI

To enable integration for Gentics CMS add the following code to a file in to your /Node/etc/conf.d/:



 * mapKeycloakGroups receives all user attributes and
 * has to return the ID of the user group in which
 * newly created users should reside
 * @param $attributes array of user attributes
 * @retun array of groups for the user
function mapKeycloakGroups($attributes)
    if (in_array('admin-user-role', $attributes['realm_access']['roles'])) {
        return array('3');

    return array('4');

function keycloakUserCreatedCallback($userId, $login, $attributes)
    // Perform custom actions after creating a user.

$KEYCLOAK = array(
    // Fields from keycloak.json START
    'authServerUrl' => 'http://YOUR_KEYCLOAK_INSTANCE:8081/auth',
    'realm' => 'YOUR_REALM',
    'clientId' => 'YOUR_CLIENT',
    'clientSecret' => 'THE_CLIENT_SECRET',
    'redirectUri' => 'http://YOUR_CMS_INSTANCE/.Node/?do=100',
    // Fields form keycloak.json END

    'groupMapper' => 'mapKeycloakGroups',

    // The userCreatedCallback is optional.
    'userCreatedCallback' => 'keycloakUserCreatedCallback'

The group mapper function must return an array containing all group IDs a newly created user should be a member of.

2 Configuration for the Editor/Administration User Interface

If you are using the new UI, you will also have to make sure the REST-API is configured to use the Keycloak servlet filter.

Except for the groupMapper and userCreatedCallback entries, the configuration entries correspond exactly to the respective fields in the keycloak.json you can generate in the Keycloak admin front-end, and you should put all the entries here even when they are not listed in the example above.

2.1 Using an Identity Provider

When using an identity provider the following two settings in the advanced OpenID Connect settings are important to prevent unwanted redirect behavior:

  1. “Prompt”: Set to “Select account”
  2. “Accepts prompt=none forward from client”: Set to “Off”

Keycloak - Identity Provider configuration

2.2 Circumvent Single Sign-on

It can usefull to not use the single sign process although it is enabled. The single sign on process will be skipped and users will be forwarded to the login form when the url parameter skip-sso is present. Example: https://yourcmshost.tld/editor/?skip-sso

2.3 Single Sign Out

By activating the feature


  $FEATURE["keycloak_signout"] = true;

users will automatically be logged out from Keycloak, if they log out from the CMS using the Editor User Interface or Administration User Interface.