Overview
This guide assumes Keycloak 20+ and Redmine with SSO Suite Community installed. For a quick local stack, use the RedmineShop demo compose file (Redmine on port
8090, Keycloak on 8190).1. Create or select a realm
- Log in to Keycloak Admin Console
- Create realm e.g.
redmineshopor use an existing corporate realm
2. Create the OIDC client
- Clients → Create client
- Client type: OpenID Connect
- Client ID: e.g.
redmine-oidc - Enable Client authentication (confidential client) unless you rely on PKCE-only public client
- Valid redirect URI:
https://YOUR-REDMINE/sso/oauth/callback - Web origins: your Redmine base URL (or
+for dev)
3. Copy credentials
- Issuer URL:
https://keycloak.example.com/realms/your-realm - Client ID and Client secret from the Credentials tab
4. Configure Redmine plugin
Administration → Plugins → Redmine SSO Suite → Configure:
| Setting | Example |
|---|---|
| Issuer URL (server-side) | http://keycloak:8080/realms/redmineshop (Docker internal) |
| Public issuer URL | https://auth.example.com/realms/redmineshop (browser) |
| Client ID / secret | From Keycloak client |
| Scopes | openid profile email |
5. User and claim mapping
Default claim mapping works for Keycloak:
- Email →
email - Login →
preferred_username - First / last name →
given_name/family_name
Email verification
Ensure users have email verified in Keycloak when matching existing Redmine accounts by email.
6. Test
- Create a test user in Keycloak
- Incognito → Redmine login → Sign in with SSO
- Confirm JIT user appears under Administration → Users
Common issues
- Redirect URI mismatch — must exactly match
/sso/oauth/callbackincluding scheme and port - Issuer mismatch in Docker — set both server and public issuer URLs (troubleshooting article)
- Invalid state — session/cookie issue or multiple Redmine hosts (troubleshooting article)
https://YOUR-REDMINE-HOST/sso/oauth/callback