Set up Keycloak OIDC for Redmine

Create a realm client, configure redirect URIs, and map claims for JIT provisioning.

1. Create or select a realm

  1. Log in to Keycloak Admin Console
  2. Create realm e.g. redmineshop or use an existing corporate realm

2. Create the OIDC client

  1. Clients → Create client
  2. Client type: OpenID Connect
  3. Client ID: e.g. redmine-oidc
  4. Enable Client authentication (confidential client) unless you rely on PKCE-only public client
  5. Valid redirect URI: https://YOUR-REDMINE/sso/oauth/callback
  6. Web origins: your Redmine base URL (or + for dev)

3. Copy credentials

  • Issuer URL: https://keycloak.example.com/realms/your-realm
  • Client ID and Client secret from the Credentials tab

4. Configure Redmine plugin

Administration → Plugins → Redmine SSO Suite → Configure:

SettingExample
Issuer URL (server-side)http://keycloak:8080/realms/redmineshop (Docker internal)
Public issuer URLhttps://auth.example.com/realms/redmineshop (browser)
Client ID / secretFrom Keycloak client
Scopesopenid profile email

5. User and claim mapping

Default claim mapping works for Keycloak:

  • Email → email
  • Login → preferred_username
  • First / last name → given_name / family_name

6. Test

  1. Create a test user in Keycloak
  2. Incognito → Redmine login → Sign in with SSO
  3. Confirm JIT user appears under Administration → Users

Common issues

  • Redirect URI mismatch — must exactly match /sso/oauth/callback including scheme and port
  • Issuer mismatch in Docker — set both server and public issuer URLs (troubleshooting article)
  • Invalid state — session/cookie issue or multiple Redmine hosts (troubleshooting article)
Redirect URI template
https://YOUR-REDMINE-HOST/sso/oauth/callback