
SSO & Identity Federation

Presswerk uses Keycloak for authentication. Keycloak supports federating with external identity providers, so your users can sign in with their existing corporate credentials.

| Provider | Protocol | Notes |
|---|---|---|
| Microsoft Entra ID (Azure AD) | OIDC | Recommended for Microsoft environments |
| Google Workspace | OIDC | Via Google Cloud Identity |
| Okta | OIDC / SAML | Both protocols supported |
| Active Directory | LDAP | Direct user sync |
| LDAP (OpenLDAP, FreeIPA) | LDAP | Direct user sync |
| Any OIDC provider | OIDC | Standard OpenID Connect |
| Any SAML provider | SAML 2.0 | Standard SAML federation |
To sign in with Microsoft Entra ID, first register Presswerk as an application in your tenant:

  1. Go to Azure Portal → Microsoft Entra ID → App registrations → New registration
  2. Name: Presswerk. Under Supported account types choose "Accounts in this organizational directory only" (single tenant); together with the tenant-specific discovery URL used below this pins the token issuer to your tenant
  3. Redirect URI (type Web): https://auth.your-domain.com/realms/presswerk/broker/entra-id/endpoint. The last path segment is the Keycloak provider alias chosen below, so the two must match exactly
  4. Copy the Application (client) ID and Directory (tenant) ID
  5. Go to Certificates & secrets → New client secret and copy the value straight away; it is shown only once, and it expires on the date you set, so plan to rotate it in both Entra and Keycloak before then

Then add the provider in the Keycloak admin console:

  1. Open https://auth.your-domain.com/admin
  2. Select the presswerk realm
  3. Go to Identity Providers → Add Provider → OpenID Connect
  4. Configure:

| Field | Value |
|---|---|
| Alias | entra-id |
| Display Name | Microsoft |
| Discovery URL | https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration |
| Client ID | Your Application (client) ID |
| Client Secret | Your client secret |
| Default Scopes | openid email profile |

  5. Save

By default every account in the tenant can authenticate to the app registration. To restrict sign-in to specific users or groups, open the matching entry under Enterprise applications, set Assignment required to Yes under Properties, and assign the allowed users and groups under Users and groups.

Go to Identity Providers → entra-id → Mappers → Add mapper:

| Name | Mapper Type | Claim | User Attribute |
|---|---|---|---|
| Email | Attribute Importer | email | email |
| First Name | Attribute Importer | given_name | firstName |
| Last Name | Attribute Importer | family_name | lastName |

Leave Trust Email off on the provider: Keycloak identifies a brokered user by the provider's subject claim, not by email, and Entra's email claim is a mutable directory attribute rather than a verified identifier. Keep the default first broker login flow as well. It links a federated login to an existing local account with the same email only after the owner of that account proves ownership (re-authentication or a verification email), which stops a user at the IdP from taking over a pre-existing local account by carrying a matching address.
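The console steps above can be scripted against the Keycloak Admin REST API, which makes the configuration reviewable and repeatable across environments. The script below is an added example for this page, not Presswerk's or Keycloak's own tooling. It assumes the base URL, realm and alias used on this page, reads admin and Entra credentials from environment variables (KC_ADMIN_USER, KC_ADMIN_PASSWORD, ENTRA_TENANT_ID, ENTRA_CLIENT_ID, ENTRA_CLIENT_SECRET; all names chosen here), lets Keycloak import the endpoints from the tenant-specific discovery document, and then layers on settings the console leaves to you: JWKS signature validation, PKCE, Trust Email off, and no storing of Microsoft tokens.

```python
"""Create the Entra ID identity provider and its three claim mappers in Keycloak
through the Admin REST API (standard library only). Added example for this page;
KEYCLOAK_URL/REALM/ALIAS and the environment variable names are assumptions."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

KEYCLOAK_URL = "https://auth.your-domain.com"  # assumption: the page's example host
REALM = "presswerk"
ALIAS = "entra-id"


def discovery_url(tenant_id: str) -> str:
    """Tenant-specific discovery document. Using the tenant ID rather than
    'common' pins the issuer, so Keycloak rejects tokens from other tenants."""
    return (f"https://login.microsoftonline.com/{tenant_id}"
            "/v2.0/.well-known/openid-configuration")


def broker_redirect_uri(base_url: str, realm: str, alias: str) -> str:
    """Redirect URI to register in Entra. It is derived from the alias, so
    renaming the provider in Keycloak silently breaks the app registration."""
    return f"{base_url}/realms/{realm}/broker/{alias}/endpoint"


def idp_representation(client_id: str, client_secret: str, alias: str = ALIAS) -> dict:
    """IdentityProviderRepresentation with JWKS validation, PKCE and Trust Email off."""
    return {
        "alias": alias,
        "displayName": "Microsoft",
        "providerId": "oidc",
        "enabled": True,
        "trustEmail": False,  # Entra's email claim is mutable; never auto-link on it
        "storeToken": False,  # no reason to keep Microsoft tokens in Keycloak's DB
        "config": {
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": "client_secret_post",
            "defaultScope": "openid email profile",
            "validateSignature": "true",
            "useJwksUrl": "true",
            "pkceEnabled": "true",
            "pkceMethod": "S256",
        },
    }


def attribute_mappers(alias: str = ALIAS) -> list:
    """The three Attribute Importer mappers from the table above."""
    rows = [("Email", "email", "email"),
            ("First Name", "given_name", "firstName"),
            ("Last Name", "family_name", "lastName")]
    return [{"name": name, "identityProviderAlias": alias,
             "identityProviderMapper": "oidc-user-attribute-idp-mapper",
             "config": {"claim": claim, "user.attribute": attr, "syncMode": "INHERIT"}}
            for name, claim, attr in rows]


def _post(url: str, data, token: str = None, form: bool = False):
    """Minimal JSON/form POST helper; returns the parsed body or None."""
    body = (urllib.parse.urlencode(data) if form else json.dumps(data)).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type",
                   "application/x-www-form-urlencoded" if form else "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def main() -> None:
    tenant, cid, secret = (os.environ[k] for k in
                           ("ENTRA_TENANT_ID", "ENTRA_CLIENT_ID", "ENTRA_CLIENT_SECRET"))
    # Admin token from the built-in admin-cli client of the master realm.
    tok = _post(f"{KEYCLOAK_URL}/realms/master/protocol/openid-connect/token",
                {"grant_type": "password", "client_id": "admin-cli",
                 "username": os.environ["KC_ADMIN_USER"],
                 "password": os.environ["KC_ADMIN_PASSWORD"]}, form=True)
    token = tok["access_token"]
    admin = f"{KEYCLOAK_URL}/admin/realms/{REALM}"
    # Let Keycloak read issuer, endpoints and JWKS URL from the discovery document.
    imported = _post(f"{admin}/identity-provider/import-config",
                     {"fromUrl": discovery_url(tenant), "providerId": "oidc"}, token)
    rep = idp_representation(cid, secret)
    rep["config"] = {**imported, **rep["config"]}  # our hardening settings win
    try:
        _post(f"{admin}/identity-provider/instances", rep, token)
    except urllib.error.HTTPError as err:
        if err.code != 409:
            raise
        print(f"identity provider '{ALIAS}' already exists; left unchanged")
        return
    for mapper in attribute_mappers():
        _post(f"{admin}/identity-provider/instances/{ALIAS}/mappers", mapper, token)
    print("Register this redirect URI in Entra:",
          broker_redirect_uri(KEYCLOAK_URL, REALM, ALIAS))


if __name__ == "__main__":
    main()
```

The script stops with a message if the alias already exists rather than overwriting a provider someone may have adjusted by hand; use a PUT to the same path if you want it to enforce the settings on every run. The client secret is passed through the environment and never written to disk by the script, but it does end up in Keycloak's database like any other provider secret.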
To federate users directly from Active Directory or another LDAP directory (Keycloak authenticates them against the directory and, in READ_ONLY mode, never writes to it):

  1. Go to User Federation → Add Provider → LDAP
  2. Configure:

| Field | Value |
|---|---|
| Vendor | Active Directory (or Other for OpenLDAP) |
| Connection URL | ldaps://your-dc.domain.com:636 (or ldap://your-dc.domain.com:389 with Enable StartTLS turned on) |
| Users DN | OU=Users,DC=domain,DC=com |
| Bind DN | CN=svc-presswerk,OU=Service Accounts,DC=domain,DC=com |
| Bind Credential | Service account password |
| Username LDAP attribute | sAMAccountName (AD) or uid (LDAP) |
| UUID LDAP attribute | objectGUID (AD) or entryUUID (LDAP) |
| Edit Mode | READ_ONLY (recommended) |

  3. Click Test connection and Test authentication
  4. Save

Do not use plain ldap:// without StartTLS: Keycloak authenticates users with a simple bind, so both the service account password and every user's password would cross the network in cleartext. The Bind DN should be a dedicated service account with read-only directory permissions; with READ_ONLY edit mode it never needs to modify anything.

To automatically assign the Presswerk admin role based on AD/LDAP group membership:

  1. In the LDAP provider, go to Mappers → Add mapper
  2. Type: group-ldap-mapper
  3. Configure:

| Field | Value |
|---|---|
| LDAP Groups DN | OU=Groups,DC=domain,DC=com |
| Group Name LDAP Attribute | cn |
| Membership LDAP Attribute | member |
| Mode | READ_ONLY |

  4. Create a Keycloak group (e.g. presswerk-admins) and assign the admin role to it
  5. Map the LDAP group to the Keycloak group

The mapper represents each LDAP group under the Groups DN as a Keycloak group with the same name (its cn) and keeps the membership in sync, so the Keycloak group that carries the admin role must match the LDAP group name. Membership is refreshed when the user logs in and on the provider's periodic sync, so removing someone from the AD group revokes admin on their next refresh, not instantly.

For LDAP over TLS (ldaps://), the Keycloak container must trust your internal CA. See TLS & Certificates for configuration.
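The LDAP provider and group mapper steps above can be expressed as Keycloak ComponentRepresentation JSON and created with kcadm.sh instead of the console. The script below is an added example for this page, not Presswerk's or Keycloak's own tooling; it uses the page's placeholder host and DNs, reads the bind password from an environment variable named here (LDAP_BIND_PASSWORD), and refuses to emit a configuration whose connection URL would send the bind password over plain ldap:// without StartTLS. It also writes out the per-vendor attribute names (AD versus OpenLDAP) that the tables above list side by side.

```python
"""Build the AD/LDAP user federation provider and its group mapper as
ComponentRepresentation JSON for Keycloak, refusing any connection URL that
would send the bind password in cleartext. Added example for this page; the
host, DNs and LDAP_BIND_PASSWORD variable name are assumptions."""
import json
import os
import sys
import urllib.parse

# Per-vendor attribute names, matching the table above.
VENDOR_ATTRS = {
    "ad": {"username": "sAMAccountName", "rdn": "cn", "uuid": "objectGUID",
           "classes": "person, organizationalPerson, user", "group_class": "group"},
    "other": {"username": "uid", "rdn": "uid", "uuid": "entryUUID",
              "classes": "inetOrgPerson, organizationalPerson",
              "group_class": "groupOfNames"},
}


def transport_is_safe(connection_url: str, start_tls: bool) -> bool:
    """True only if the simple bind (DN + password) is wrapped in TLS:
    ldaps://, or ldap:// with StartTLS. Plain ldap://host:389 is not."""
    scheme = urllib.parse.urlsplit(connection_url).scheme.lower()
    return scheme == "ldaps" or (scheme == "ldap" and start_tls)


def ldap_component(vendor, connection_url, users_dn, bind_dn, bind_credential,
                   start_tls=False, allow_plaintext=False) -> dict:
    """ComponentRepresentation for the user storage provider (Edit Mode READ_ONLY).
    Every config value is a list of strings, which is how Keycloak stores components."""
    if not allow_plaintext and not transport_is_safe(connection_url, start_tls):
        raise ValueError(f"{connection_url}: bind credential and user passwords would "
                         "cross the network in cleartext; use ldaps:// or StartTLS")
    a = VENDOR_ATTRS[vendor]
    return {
        "name": "ldap",
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "config": {
            "enabled": ["true"],
            "vendor": [vendor],
            "connectionUrl": [connection_url],
            "startTls": [str(start_tls).lower()],
            "useTruststoreSpi": ["always"],  # CA from the TLS & Certificates section
            "authType": ["simple"],
            "bindDn": [bind_dn],
            "bindCredential": [bind_credential],
            "usersDn": [users_dn],
            "usernameLDAPAttribute": [a["username"]],
            "rdnLDAPAttribute": [a["rdn"]],
            "uuidLDAPAttribute": [a["uuid"]],
            "userObjectClasses": [a["classes"]],
            "editMode": ["READ_ONLY"],
            "syncRegistrations": ["false"],  # never push Keycloak-created users to LDAP
        },
    }


def group_mapper(parent_id: str, vendor: str, groups_dn: str) -> dict:
    """group-ldap-mapper attached to the provider whose component id is parent_id."""
    a = VENDOR_ATTRS[vendor]
    return {
        "name": "groups",
        "providerId": "group-ldap-mapper",
        "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
        "parentId": parent_id,
        "config": {
            "groups.dn": [groups_dn],
            "group.name.ldap.attribute": ["cn"],
            "group.object.classes": [a["group_class"]],
            "membership.ldap.attribute": ["member"],
            "membership.attribute.type": ["DN"],
            "membership.user.ldap.attribute": [a["username"]],
            "mode": ["READ_ONLY"],
            "user.roles.retrieve.strategy": ["LOAD_GROUPS_BY_MEMBER_ATTRIBUTE"],
        },
    }


def main(argv) -> None:
    """No argument: write ldap-provider.json. With the provider id printed by
    'kcadm.sh create components -r presswerk -i -f ldap-provider.json':
    write ldap-group-mapper.json for a second 'create components' call."""
    if len(argv) < 2:
        rep = ldap_component("ad", "ldaps://your-dc.domain.com:636",
                             "OU=Users,DC=domain,DC=com",
                             "CN=svc-presswerk,OU=Service Accounts,DC=domain,DC=com",
                             os.environ["LDAP_BIND_PASSWORD"])
        path = "ldap-provider.json"
    else:
        rep = group_mapper(argv[1], "ad", "OU=Groups,DC=domain,DC=com")
        path = "ldap-group-mapper.json"
    with open(path, "w") as fh:
        json.dump(rep, fh, indent=2)
    print("wrote", path)


if __name__ == "__main__":
    main(sys.argv)
```

The written files contain the bind password, so treat them like any other secret and delete them after `kcadm.sh create components -r presswerk -f <file>` has run. The `allow_plaintext` flag exists only so a lab setup can override the check deliberately; it should never be set in a real deployment.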

For a SAML 2.0 provider (Okta or any other SAML IdP):

  1. Go to Identity Providers → Add Provider → SAML v2.0
  2. Import your IdP's metadata URL or upload the metadata XML; this fills in the single sign-on URL and the IdP's signing certificate
  3. Set the Service Provider Entity ID to https://auth.your-domain.com/realms/presswerk
  4. Give your IdP the Assertion Consumer Service (redirect) URI https://auth.your-domain.com/realms/presswerk/broker/{alias}/endpoint, where {alias} is the alias you chose for the provider in Keycloak

Keep Validate Signatures enabled with the certificate taken from the metadata, and enable Want Assertions Signed so that an unsigned or tampered assertion is rejected. When the IdP rotates its signing certificate, re-import its metadata, or logins will start failing signature validation.

Presswerk uses these roles:

| Role | Description |
|---|---|
| admin | Tenant administrator: manages users, environments, data sources |
| (none) | Regular user: access controlled by folder permissions |

Assign roles via:

  • Keycloak admin console: Users → Role Mappings (manual, per user; does not survive a user being deleted and re-imported from the IdP)
  • Group mapping: assign the admin role to a Keycloak group, then map IdP groups to that group (the LDAP group mapper above, or a group mapper on an OIDC/SAML provider)
  • IdP attribute mapping: add a Claim to Role mapper (OIDC) or SAML Attribute to Role mapper (SAML) on the identity provider so that a specific claim value grants the admin role; set the mapper's Sync Mode to force so it is re-evaluated on every login and the role is revoked once the claim no longer matches