# SSO Login Setup


With Single Sign-On (SSO), a user can log in to multiple related services with a single username and password. For example, log in to a corporate portal and simultaneously get access to Kinescope. This simplifies access management and improves security.

## Who this article is for

* **Corporate system administrators** — need to integrate Kinescope with an existing authentication system
* **IT specialists** — need to configure SSO via Keycloak or AD FS
* **Corporate account owners** — need to simplify employee access management
* **Integration developers** — need to set up single sign-on for users

## Creating and configuring a client in Keycloak

1. To create a client in a new realm, go to **"Clients"** and click **"Create client"**.

 ![Creating a client in Keycloak](images/int-sso-client-01.webp)

2. Enter the client id (**"Client ID"**).

 ![Entering Client ID in Keycloak](images/int-sso-client-02.webp)

3. Click **"Next"**, select **"Standard flow"**, and enable **"Client authentication"**.

 ![Configuring the authentication flow in Keycloak](images/int-sso-flow-01.webp)

4. In the **"Valid redirect URLs"** field, enter `https://app.kinescope.io/api/oauth2/callback/sso` and click **"Save"** to save the client.

 ![Configuring redirect URL in Keycloak](images/int-sso-redirect-01.webp)

5. To create a client role, click **"Clients"** and select a client by ID or name from the list.

 ![Selecting a client in Keycloak](images/int-sso-client-03.webp)

6. Go to the **"Roles"** tab and create the required role for the Kinescope user via **"Create role"**. For example, **"kinescope-manager"**.

 ![Creating a role in Keycloak](images/int-sso-role-01.webp)

> **Information:**

Use the following role names for correct configuration:

* *kinescope-admin*
* *kinescope-editor_plus*
* *kinescope-editor*
* *kinescope-manager*
* *kinescope-accountant*
* *kinescope-viewer*

__Roles are listed in priority order. If multiple roles are passed, the user will be assigned the role with the lowest priority.__

Learn more about Kinescope user roles and their capabilities in the article [Managing team access rights](https://docs.kinescope.com/team-management/team-access-rights/#roles-in-kinescope).



7. Next, link the **"kinescope-manager"** role to the role in the connected system. From the **"Roles"** tab, click the created role to go to its details (**"Role details"**). In the **"Associated roles"** tab, click **"Assign role"**.

 ![Linking a role in Keycloak](images/int-sso-role-02.webp)

8. Filter the list by clients and select the desired role in **"Associated roles"**. Click **"Assign"** to confirm the link.

 ![Selecting an associated role in Keycloak](images/int-sso-role-03.webp)

Users with the selected role in the system will now be created in Kinescope with the "kinescope-manager" role.

9. To complete setup, provide Kinescope support with the parameters: `client_id`, `client_secret`, and `provider_url` in the format `https://{{keycloak-domain}}/realms/{{some_realm}}`.

 ![Client parameters in Keycloak](images/int-sso-params-01.webp)

 ![Client list in Keycloak](images/int-sso-list-01.webp)

If you encounter an error during setup or need a consultation, write to the support chat within the Kinescope interface.
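A check you can run before handing the step 9 values to support, together with the role-priority rule from the note above. This is an added example, not Kinescope's or Keycloak's own code. It assumes the discovery document is the JSON served at `<provider_url>/.well-known/openid-configuration`, that client roles appear in the decoded token payload under `resource_access.<client_id>.roles`, and that the role list is ordered from highest to lowest priority; `sso.example.com`, the realm `corp` and the client ID `kinescope` are constructed sample values.

```python
import re

# Role names from this page, in page order (assumed: highest priority first).
KINESCOPE_ROLES = ["kinescope-admin", "kinescope-editor_plus", "kinescope-editor",
                   "kinescope-manager", "kinescope-accountant", "kinescope-viewer"]
PROVIDER_RE = re.compile(r"https://[A-Za-z0-9.-]+(:\d+)?/realms/[^/\s]+")

# Constructed sample data (not captured from a real realm).
SAMPLE_DISCOVERY = {
    "issuer": "https://sso.example.com/realms/corp",
    "authorization_endpoint": "https://sso.example.com/realms/corp/protocol/openid-connect/auth",
    "token_endpoint": "https://sso.example.com/realms/corp/protocol/openid-connect/token",
    "jwks_uri": "https://sso.example.com/realms/corp/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "code id_token"],
}
SAMPLE_CLAIMS = {"resource_access": {"kinescope": {
    "roles": ["kinescope-admin", "kinescope-viewer", "offline_access"]}}}


def check_provider(provider_url, discovery):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if not PROVIDER_RE.fullmatch(provider_url):
        problems.append("provider_url is not https://<keycloak-domain>/realms/<realm>")
    if discovery.get("issuer") != provider_url:
        problems.append("issuer in discovery document differs from provider_url")
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("authorization code (Standard flow) is not advertised")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(discovery.get(key, "")).startswith(provider_url + "/"):
            problems.append(f"{key} is missing or outside the realm")
    return problems


def effective_role(claims, client_id):
    """Pick the Kinescope role implied by the client roles in a decoded token payload."""
    passed = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    known = [r for r in KINESCOPE_ROLES if r in passed]
    # Page rule: when several roles are passed, the lowest-priority one is assigned.
    return known[-1] if known else None


if __name__ == "__main__":
    print(check_provider("https://sso.example.com/realms/corp", SAMPLE_DISCOVERY))
    print(check_provider("https://sso.example.com/realms/corp/", SAMPLE_DISCOVERY))
    print(effective_role(SAMPLE_CLAIMS, "kinescope"))
```

A trailing slash on `provider_url` is enough to make the issuer comparison fail, and a user holding both `kinescope-admin` and `kinescope-viewer` resolves to `kinescope-viewer`.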

## **Setting up AD FS for Kinescope**

### **Step 1: Creating an Application Group**

 ![Creating an Application Group in AD FS](images/int-sso-adfs-01.webp)

1. Open the AD FS management console
2. In "Application Groups", select "Add Application Group..."
3. In the **Name** field, enter a group name (e.g., "Kinescope")
4. In the **Description** field, add a description (optional)
5. In the **Template** section, select **"Server application accessing a web API"** from the Client-Server applications list
6. Click **Next** to continue

### **Step 2: Configuring Server Application**

 ![Configuring Server Application in AD FS](images/int-sso-adfs-02.webp)

1. **Name** will auto-fill as "Kinescope - Server application"
2. **Client Identifier** will be generated automatically (e.g., "123456789qwertyuiop")
3. In the **Redirect URI** field, add the callback URL: `https://app.kinescope.io/api/oauth2/callback/sso`
4. Click **Add** to add the URI to the list
5. Click **Next** to continue

### **Step 3: Configuring credentials**

 ![Configuring credentials in AD FS](images/int-sso-adfs-03.webp)

1. Check the **"Generate a shared secret"** checkbox
2. The system will automatically generate a secret key (e.g., "WuxzhQ3yW1lsp_MbxY6M1KA1qbp81WvDNzieN")

**Important:** Click the **"Copy to clipboard"** button to copy the secret. Save this secret in a secure place — you'll need it to configure the integration.

3. Click **Next**

### **Step 4: Configuring Web API**

 ![Configuring Web API in AD FS](images/int-sso-adfs-04.webp)

1. **Name** will auto-fill as "Kinescope - Web API"
2. In the **Identifier** field, add the identifier (from step 2 - "123456789qwertyuiop")
3. Click **Add** to add the identifier to the list
4. Click **Next**

### **Step 5: Configuring permissions (Client Permissions)**

 ![Configuring permissions in AD FS](images/int-sso-adfs-05.webp)

1. In the **Applications** table you'll see:
   * Server application (Ext_Kinescope - Server application)
   * Web API (Ext_Kinescope - Web API)
2. Select **Web API** from the list
3. Go to the **Client Permissions** tab

### **Step 6: Configuring permitted scopes**

 ![Configuring permitted scopes in AD FS](images/int-sso-adfs-06.webp)

1. The **Client Permissions** tab shows current permissions
2. In **Permitted scopes**, checkboxes are set for required permissions:
   * ✓ allatclaims
   * ✓ aza
   * ✓ email
   * ✓ openid
   * ✓ profile
3. To add new permissions, click **Add Rule...**

### **Step 7: Configuring Issuance Transform Rules**

 ![Configuring Issuance Transform Rules in AD FS](images/int-sso-adfs-07.webp)

1. Go to the **Issuance Transform Rules** tab
2. The list shows existing rules:
   * Claims
   * Kinescope_manager (Role)
   * Kinescope_admin (Role)
   * Kinescope_viewer (Role)
3. To add a new rule, click **Add Rule...**
4. In the "Edit Rule - Claims" window that opens:
   * **Claim rule name**: enter "Claims"
   * **Rule template**: select "Send LDAP Attributes as Claims"
   * **Attribute store**: select "Active Directory"
   * Configure LDAP attribute mapping to outgoing claim types:
     * E-Mail-Addresses → E-Mail Address
     * Display-Name → Name

### **Step 8: Adding a rule for the manager role**

 ![Adding a rule for the manager role in AD FS](images/int-sso-adfs-08.webp)

1. Click **Add Rule...** on the Issuance Transform Rules tab
2. **Claim rule name**: enter "Kinescope_manager"
3. **Rule template**: select "Send Group Membership as a Claim"
4. **User's group**: specify the AD group "PYN\\Kinescope_manager" (use Browse to search)
5. **Outgoing claim type**: select "Role"
6. **Outgoing claim value**: enter "kinescope-manager"
7. Click **OK** to save the rule

### **Step 9: Completing the setup**

 ![Application Groups list in AD FS after setup](images/int-sso-adfs-09.webp)

1. The Application Groups list shows the created group
2. To make changes, right-click the group and select **"Add Application Group..."** or **"Properties"**
3. Verify that all settings are saved correctly

> **Tip:**

* Make sure to save the Client Identifier and secret key — they'll be needed to configure SSO in Kinescope
* The Redirect URI must exactly match the URL specified in the Kinescope settings
* Configure transformation rules for all required roles (viewer, admin, manager)
* After completing setup, test the integration with a test user



## What's next?

After setting up SSO, we recommend:

1. **[Configure access rights](https://docs.kinescope.com/team-management/team-access-rights/)** — verify that user roles are configured correctly
2. **[Profile and workspace settings](https://docs.kinescope.com/team-management/profile-and-workspace-settings/)** — workspace management
3. **[Organize your media library](https://docs.kinescope.com/catalog-and-video-management/organizing-media-library/)** — create projects and folders to structure content
4. **[Set up content protection](https://docs.kinescope.com/content-protection/)** — restrict video access by domain or password

Still have questions? Write to the support chat within the Kinescope interface — our specialists will help!

