Provider Keycloak
Kolin edited this page Jun 13, 2026 · 1 revision

Keycloak supports both OpenID Connect and SAML 2.0.

- Go to your realm → Clients → Create client.
- Set:
  - Client type: OpenID Connect
  - Client ID: `jellyfin`
- On the next screen enable Client authentication (makes it confidential).
- Set Valid redirect URIs: `https://<your-jellyfin-domain>/sso/OID/redirect/keycloak`
- Go to Credentials and copy the Client Secret.

| Field | Value |
|---|---|
| Provider Name | keycloak |
| OpenID Endpoint | https://<keycloak-domain>/realms/<realm-name> |
| Client ID | jellyfin |
| Client Secret | from Keycloak credentials tab |
| Role Claim | realm_access.roles |

For client-specific roles instead of realm roles, use `resource_access.jellyfin.roles`.

- In Keycloak, go to Realm roles and create roles like `jellyfin-user` and `jellyfin-admin`.
- Assign these roles to users or groups.
- In the plugin, set:
  - Roles: `jellyfin-user`
  - Admin Roles: `jellyfin-admin`
  - Role Claim: `realm_access.roles`

- Go to your client → Roles and create client-level roles.
- In the plugin set Role Claim to: `resource_access.jellyfin.roles`

- Go to your realm → Clients → Create client.
- Set Client type to SAML.
- Set Client ID (Entity ID) to `jellyfin`.
- Set Valid redirect URIs (ACS URL): `https://<your-jellyfin-domain>/sso/SAML/p/keycloak-saml`
- Go to Keys and download the Signing certificate.
- Go to SAML capabilities and ensure Sign documents is enabled and Client signature required is disabled.
- Add a Role list mapper under Mappers to include roles in assertions:
  - Mapper type: `Role list`
  - SAML Attribute Name: `Role`
  - Single Role Attribute: `false`

In Keycloak → Realm Settings → Keys, find the RS256 signing key and click Certificate to copy it. Remove headers and newlines for the plugin config.

```json
{
  "samlEndpoint": "https://<keycloak-domain>/realms/<realm>/protocol/saml",
  "samlClientId": "jellyfin",
  "samlCertificate": "<base64-cert>",
  "enabled": true,
  "enableAuthorization": true,
  "roles": ["jellyfin-user"],
  "adminRoles": ["jellyfin-admin"]
}
```

Send to: `POST /sso/SAML/Add/keycloak-saml`
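
An added example (not part of the plugin's or this wiki's own code) for the certificate step above: it strips PEM armor and newlines, checks that the result decodes to a DER structure, and fills in the JSON body shown above. The sample certificate bytes, `keycloak.example.org` and `myrealm` are constructed placeholders, and the function names are hypothetical.

```python
import base64
import json
import re
import textwrap

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_to_plugin_value(text: str) -> str:
    """Return the certificate as a single line of base64 (hypothetical helper)."""
    if "PRIVATE KEY" in text:
        # Only the public signing certificate belongs in the plugin config.
        raise ValueError("input contains a private key; export the certificate only")
    match = PEM_CERT.search(text)
    body = match.group(1) if match else text  # Keycloak may show bare base64
    b64 = "".join(body.split())               # drop newlines and stray spaces
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError as exc:                 # binascii.Error is a ValueError
        raise ValueError("certificate is not valid base64") from exc
    if len(der) < 4 or der[0] != 0x30:        # X.509 is a DER SEQUENCE (tag 0x30)
        raise ValueError("decoded data is not a DER-encoded certificate")
    return b64

def build_saml_config(keycloak_domain: str, realm: str, cert_text: str) -> dict:
    """Build the JSON body from this page with the cleaned certificate."""
    return {
        "samlEndpoint": f"https://{keycloak_domain}/realms/{realm}/protocol/saml",
        "samlClientId": "jellyfin",
        "samlCertificate": cert_to_plugin_value(cert_text),
        "enabled": True,
        "enableAuthorization": True,
        "roles": ["jellyfin-user"],
        "adminRoles": ["jellyfin-admin"],
    }

# Constructed sample: 64 placeholder bytes with a DER SEQUENCE tag, NOT a real cert.
SAMPLE_DER = b"\x30\x82\x00\x3c" + bytes(range(60))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Placeholder domain and realm; substitute your own values.
    cfg = build_saml_config("keycloak.example.org", "myrealm", SAMPLE_PEM)
    print(json.dumps(cfg, indent=2))
```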