---
title: "Configuring Keycloak as an Identity Provider"
diataxis: how-to
applies_to:
  product: "nirmata-control-hub"
audience: ["platform-engineer"]
last_updated: 2026-03-25
url: https://docs.nirmata.io/docs/control-hub/identity-access/oidc/keycloak/
---


## Prerequisites

Before proceeding, ensure:
- You have admin access to your Keycloak instance.
- Nirmata Control Hub is accessible and you have Admin access.

---

## Step 1: Create a New Realm (Optional)

If you're using Keycloak for multiple applications, it's recommended to isolate Nirmata authentication in a dedicated realm:

1. Log in to the Keycloak Admin Console.
2. From the top-left dropdown, click **"Add Realm"**.
3. Name it `nirmata-realm` (or a name of your choice).

---

## Step 2: Register Nirmata as a Client

1. In the Keycloak Admin Console, go to **Clients**.
2. Click **"Create"**.
3. Enter the following details:
   - **Client ID**: `nirmata`
   - **Client Protocol**: `openid-connect`
4. Click **Next**.

### Capability Config:
- Enable **Client Authentication**
- Enable the following flows:
  - Standard Flow
  - Direct Access Grants
  - Implicit Flow

Click **Next**.

### Login Settings:
- **Valid Redirect URIs**:  
  `https://<nirmata-host>/security/api/oidc/callback/*`
- **Valid Post Logout Redirect URIs**:  
  `https://<nirmata-host>/security/api/oidc/logout/*`
- Leave the other fields with default values.

Click **Save**.

### Advanced Settings:
1. Navigate to the **nirmata** client settings.
2. Expand the **Advanced Settings** section.
3. Set **Proof Key for Code Exchange (PKCE) Code Challenge Method** to `S256`.
4. Click **Save**.

---

## Step 3: Retrieve Credentials for Nirmata

To connect Nirmata to Keycloak, note the following:

- **Client ID**: `nirmata`
- **Client Secret**:
  - Go to **Clients > nirmata > Credentials** tab.
  - Copy the **Secret**.

- **Discovery URI** format:  
  `https://<keycloak-host>/realms/<realm-name>/.well-known/openid-configuration`  
  Example:  
  `https://keycloak.example.com/realms/nirmata-realm/.well-known/openid-configuration`
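
Before pasting the Discovery URI into Control Hub, you can check the document it serves against the settings in this guide. The following is an added example, not Nirmata or Keycloak code; `check_discovery` is a hypothetical helper and the sample document is constructed, so in practice pass the JSON fetched from your own Discovery URI.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample: a trimmed discovery document for the example realm.
SAMPLE_URI = "https://keycloak.example.com/realms/nirmata-realm" + WELL_KNOWN
SAMPLE_DOC = json.loads("""{
  "issuer": "https://keycloak.example.com/realms/nirmata-realm",
  "authorization_endpoint": "https://keycloak.example.com/realms/nirmata-realm/protocol/openid-connect/auth",
  "token_endpoint": "https://keycloak.example.com/realms/nirmata-realm/protocol/openid-connect/token",
  "jwks_uri": "https://keycloak.example.com/realms/nirmata-realm/protocol/openid-connect/certs",
  "response_types_supported": ["code", "id_token", "token"],
  "scopes_supported": ["openid", "profile", "email", "roles"],
  "code_challenge_methods_supported": ["plain", "S256"]
}""")


def check_discovery(discovery_uri, doc, scopes="openid profile email"):
    """Return a list of findings; an empty list means the document matches the guide."""
    if not discovery_uri.endswith(WELL_KNOWN):
        return [f"discovery URI must end with {WELL_KNOWN}"]
    findings = []
    expected_issuer = discovery_uri[: -len(WELL_KNOWN)]
    # OIDC Discovery requires the issuer to equal the URL the document was
    # fetched from, minus the well-known suffix; a mismatch points at the
    # wrong host or realm name.
    if doc.get("issuer") != expected_issuer:
        findings.append(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(doc.get(key, "")).scheme != "https":
            findings.append(f"{key} is missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        findings.append("authorization code flow (response type 'code') not advertised")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        findings.append("PKCE method S256 not advertised")
    # Scopes default to the value entered in Control Hub in Step 4.
    missing = set(scopes.split()) - set(doc.get("scopes_supported", []))
    if missing:
        findings.append(f"scopes not advertised: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for finding in check_discovery(SAMPLE_URI, SAMPLE_DOC) or ["ok"]:
        print(finding)
```

The discovery document describes the realm, so it does not confirm the per-client PKCE setting from Step 2; verify that in the client's **Advanced Settings**.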

---

## Step 4: Configure in Nirmata Control Hub

1. Log in to Nirmata Control Hub as an Admin.
2. Navigate to **Identity & Access > OIDC**.
3. Click **"Add Provider"** and select **OIDC**.
4. Fill in the fields:
   - **Name**: `Keycloak`
   - **Client ID**: `nirmata`
   - **Client Secret**: (paste the secret copied in Step 3)
   - **Discovery URI**: (paste the URI from Step 3)
   - **Scopes**: `openid profile email`
5. Click **Save**.

---

## Step 5: Test Authentication

1. In the OIDC configuration page, locate and click the **Initiate Login URL**.
2. You will be redirected to Keycloak's login page.
3. Log in using a user account from the configured realm.
4. Upon successful login, you will be redirected back to Nirmata and authenticated.

If authentication completes successfully, the integration is complete.


