IDPs Installation

To enable IDPs (Identity Providers) on your Daytona installation, we utilize an open-source identity and access management application Keycloak to add multiple identity providers. It will allow you to sign into your Daytona dashboard via different IDPs, create workspaces from different Git providers, manage access scope, permissions, sessions, and events. Also, monitor and manage users within your organization with Daytona.

In this guide, we will guide you through how to add, manage, configure, and disable different IDPs via Keycloak.

Prerequisites

You will need to fulfill the following prerequisites to configure and manage identity providers for your Daytona installation.

Daytona Installation

To install Daytona on your infrastructure, you can download Daytona from this link. At the end of your Daytona installation, you will have a URL to access your Daytona dashboard.
When you are signing into Keycloak via the Adminstration Console, you will be asked for username or email and password. You can only obtain this information during your Daytona installation.

Keycloak URL
A registered account from one of the supported IDPs

Supported identity providers includes Github, Gitlab, BitBucket, Github Enterprise Server, Gitlab On-Premise, BitBucket server, Google, Microsoft and many more.

Github

In this section, we will guide you to configure Github as an identity provider for your Daytona Installation. This guide is only suitable if you didn’t use Github as an identity provider during the initial Daytona installation stage.

Configure Github in Keycloak

Log into Keycloak

Open https://id.domain.com and click on Administration Console on the front page
Sign in with the credentials you obtained from installation (if you have everything from the prerequisites, you should have it by now).

Default realm

After you sign in, make sure you are on the default realm.
If you are not on the default realm (the home page shows scattered information with Server info with the title master realm), you can select default under the dropdown menu on the top left side of the home page.

Configure GitHub as an identity provider

Under the default realm, click on Identity Providers under the Configure section on the left sidebar.
Then click on github. On the next page, copy the Redirect URI and note it down, as we will need it later. Don’t close this tab.

Go to Developer Settings

Open Github in your browser, on the top right side of this page, click on your profile picture. Under the dropdown window, select Settings (at the bottom). Select Developer settings on the left sidebar.

Create OAuth Apps

Select the OAuth Apps on the left sidebar. Then click on New OAuth App on the top right side.

Required inputs for GitHub OAuth

For the application name, you can name it as easily recognizable for yourself and distinguish it from your other applications (recommend using deployed domain).
The Homepage URL would be the URL to your Daytona dashboard.
The Authorization callback URL is the URL you have copied from step 2, Redirect URI. You don’t need to toggle Enable Device Flow here. Then click on Register application.

Copy Client ID and secrets

Under your application, click on the Generate a new client secret in the Client secrets section.
Copy the credentials under Client ID and paste it into your Keycloak Provider details page in the Client ID section.
Go back to the Github OAuth Application page, copy the credentials under the Client secrets section, and then paste it into Client Secret on your Keycloak Provider details page.

Advance Settings on Keycloak

On Keycloak’s Provider details page, copy and paste the following text into the field Scopes under the Advanced settings:

read:user user:email repo

These three scopes will allow users to sign in via email, read GitHub users’ information, and access signed-in users’ repositories to gain read, write, and admin rights.

Toggle the fields Store tokens and Trust Email to turn them on. You can compare your information to the table below to make sure the details are correctly configured.

If you want to type in scopes by yourself, remember to use Space ␣ to separate different scopes and not comma ,.

Save and enable GitHub

After inputting all the information, click on Save at the bottom of Keycloak’s Provider details page, then toggle Disabled on the top right side of the page to change it to Enabled.

Github and Keycloak configuration details

Github VS. Keycloak Github OAuth App Keycloak Provider Details

URL Authorization callback URL Redirect URI

ID Client ID Client ID

Secrets Client secrets Client Secret

Scopes No extra configuration required read:user user:email repo

Github VS. Keycloak	Github OAuth App	Keycloak Provider Details
URL	Authorization callback URL	Redirect URI
ID	Client ID	Client ID
Secrets	Client secrets	Client Secret
Scopes	No extra configuration required	`read:user user:email repo`

Keycloak Advance Settings	Details
Store tokens	On
Accepts prompt=none forward from client	Off
Disable user info	Off
Trust Email	On
Hide on login page	Off
Verify essential claim	Off
First login flow (dropdown)	first broker login
Post login flow	None
Sync mode	Import

Keycloak Advance Settings

Details

Store tokens

Accepts prompt=none forward from client

Off

Disable user info

Off

Trust Email

Hide on login page

Off

Verify essential claim

Off

First login flow (dropdown)

first broker login

Post login flow

None

Sync mode

Import

Confirm Github is working

To confirm Github is working properly with Daytona, refer to the Git Provider section to see if you can create a workspace based on the repository in Github.
If you open your Daytona dashboard URL, you should see the button Github on the sign-in page. If not, scan through the table above and confirm if all the input information is correct.

GitLab

If you choose another identity provider during the installation stage, you can still configure GitLab as an add-on identity provider. In this section, we will explain how you can do so. You will need to have a GitLab account.

Configure GitLab in Keycloak

Log into GitLab

Sign into Gitlab via this link. After signing in, click on your profile picture on the top of the left sidebar. Under the dropdown menu, select Preferences.

Create OAuth application

Click on Applications on the left sidebar. Then click on Add new application.

Default realm

Log into your Keycloak’s Administration with credentials you obtained from the prerequisites section. After you sign in, make sure you are on the default realm.
You should see the homepage show Welcome to default at the center of the screen. If not (the homepage shows scattered information with Server info with the title master realm), you can select default under the dropdown menu on the top left side of the homepage.

Configure GitLab as identity providers

Click on Identity Providers under the Configure section on the left sidebar.
Then click on gitlab.
On the next page copy the Redirect URI. Don’t close this tab.

GitLab application configuration

Go back to GitLab (you should be on the page Add new application).
The Name of your application should be recognizable to yourself.
The field Redirect URI is the Redirect URI you have copied from the last step.
Toggle the Confidential under the Redirect URI field.
Under the scope, toggle api, read_api, read_user, read_repository, openid, write_repository, profile, and email. Then click on Save application. If you are unsure about the settings under Scope in GitLab, you can refer to the table below to make sure the settings are correct.

Copy Application ID and Secret

Copy the Application ID and paste it into your Keycloak’s Provider details page in the Client ID field
Then copy the Secret field and paste it into the Client Secret field.
Click on Continue on GitLab’s application page.

Configure Keycloak

Navigate back to Keycloak’s Provider details page for GitLab (at this stage you have filled in Client ID and Client Secret), copy the following value into the Scopes field under the Advanced settings section:

profile email read_user write_repository read_repository openid api read_api

These scopes will allow your Daytona installation to access the signed-in user’s profile, email, and respective repository(allow Daytona to create workspace), use OpenID to authenticate users during sign-in, read and access GitLab’s API to work with workspaces.

Toggle the fields Store tokens and Trust Email to turn them on. You can compare your information to the table below to make sure the details are correctly configured.

If you want to type in scopes by yourself, remember to use Space ␣ to separate different scopes instead of a comma ,.

Enable GitLab

After finishing the above steps, on Keycloak, click Save at the bottom of the page (on Keycloak), and then enable the identity provider (toggle the Disabled switch on the top right side of the page to Enabled).

Gitlab and Keycloak configuration details

Gitlab VS. Keycloak Gitlab Application Keycloak Provider Details

URL Callback URL Redirect URI

ID Application ID Client ID

Secrets Secret Client Secret

Scopes

Gitlab VS. Keycloak	Gitlab Application	Keycloak Provider Details
URL	Callback URL	Redirect URI
ID	Application ID	Client ID
Secrets	Secret	Client Secret
Scopes	api read_api read_user read_repository write_repository openid profile email	`profile email read_user write_repository read_repository openid api read_api`

api
read_api
read_user
read_repository
write_repository
openid
profile
email

profile email read_user write_repository read_repository openid api read_api

Keycloak Advance Settings	Details
Store tokens	On
Accepts prompt=none forward from client	Off
Disable user info	Off
Trust Email	On
Hide on login page	Off
Verify essential claim	Off
First login flow (dropdown)	first broker login
Post login flow	None
Sync mode	Import

Keycloak Advance Settings

Details

Store tokens

Accepts prompt=none forward from client

Off

Disable user info

Off

Trust Email

Hide on login page

Off

Verify essential claim

Off

First login flow (dropdown)

first broker login

Post login flow

None

Sync mode

Import

Confirm GitLab is working

You can refer to the Git Provider section to see if you can create a workspace based on the repository in GitLab to confirm GitLab is working properly with Daytona.

BitBucket

In this section, we will guide you through how to configure BitBucket as your add-on identity provider if you haven’t done so during the installation process. You will need a registered account and a workspace connected to that account on BitBucket.

Configure BitBucket in Keycloak

Create OAuth Consumer on BitBucket

You can sign into BitBucket with this link. After you sign in, click on the settings button on the top right, then in the dropdown menu select Workspace settings.
Scroll down and find APPS AND FEATURES section in the left sidebar. Under this section, click on OAuth consumers and then click on Add consumer on this page.

Default realm in Keycloak

Open https://id.domain.com and click on Administration Console on the front page, then sign in with the credentials you obtained from your installation.
After you sign in, make sure you are on the default realm.
You should see the homepage show Welcome to default at the center of the screen. If not (the home page shows scattered information with Server info with the title master realm), you can select default under the dropdown menu on the top left side of the home page.

Configure bitbucket as identity providers

Click on Identity Providers under the Configure section on the left sidebar
Then click on bitbucket.
Copy the Redirect URI and note it down, as we will need it later. Don’t close this tab.

Configure OAuth consumer

Navigate back to BitBucket, on the Add OAuth consumer page, give your application a distinguishable name in the Name field (required, something like daytona-domain-name)
Paste the Redirect URI from the previous step into the Callback URL field.
The URL field will be your Daytona dashboard URL.
You can leave the Privacy policy URL and End user license agreement URL empty. Make sure not to toggle This is a private consumer. Your configuration will fail if you enable this.

Permissions scopes in BitBucket

Under the Permissions section on the same page, tick the permission scope:

Account: Email, Read

Workspace membership: Read, Write

Projects: Read, Write, Admin

Repositories: Read, Write, Admin

Pull requests: Read

Then click Save at the bottom.
If you are unsure about the settings under Permissions in BitBucket, you can refer to the table below to make sure the settings are correct.

Copy Key and Secret

After clicking on Save, you will be sent back to the OAuth consumers page in BitBucket. Click on the application name you just created on BitBucket’s Workspace settings/OAuth consumers page.
Copy the value after Key on BitBucket and paste it into Keycloak’s Client ID field.
Copy the value after Secret on BitBucket and paste it into Keycloak’s Client Secret field.

Configure Keycloak

Under the Advance settings section, copy and paste the following value into the field Scope:

email account repository:write project

These permission scopes will allow us to access authenticated users’ email, account details, and project-related information and gain write access to repositories to create a workspace.

Enable BitBucket

After finishing the above steps, on Keycloak, click Save at the bottom, and then Enabled the identity provider (toggle the Disabled switch on the top right side on the page).

Confirm BitBucket is working

After you finish all the configuration, you can refer to the BitBucket section in Git Providers guide and visit your Daytona dashboard to confirm the configuration is correct and working properly.

BitBucket and Keycloak configuration details

BitBucket VS. Keycloak BitBucket OAuth Consumer Keycloak Provider Details

URL Callback URL Redirect URI

ID Key Client ID

Secrets Secret Client Secret

Permission scope

BitBucket VS. Keycloak	BitBucket OAuth Consumer	Keycloak Provider Details
URL	Callback URL	Redirect URI
ID	Key	Client ID
Secrets	Secret	Client Secret
Permission scope	Account Email Read Write Workspace membership Read Write Projects Read Write Admin Repositories Read Write Admin Delete Pull requests Read Write Issues Read Write Wikis Read and write Snippets Read Write Webhooks Read and write Pipelines Read Write Edit variables Runners Read Write	`email account repository:write project`

Account
- Email
- Read
- Write
Workspace membership
- Read
- Write
Projects
- Read
- Write
- Admin
Repositories
- Read
- Write
- Admin
- Delete
Pull requests
- Read
- Write
Issues
- Read
- Write
Wikis
- Read and write
Snippets
- Read
- Write
Webhooks
- Read and write
Pipelines
- Read
- Write
- Edit variables
Runners
- Read
- Write

email account repository:write project

Keycloak Advance Settings	Details
Store tokens	On
Accepts prompt=none forward from client	Off
Disable user info	Off
Trust Email	On
Hide on login page	Off
Verify essential claim	Off
First login flow (dropdown)	first broker login
Post login flow	None
Sync mode	Import

Keycloak Advance Settings

Details

Store tokens

Accepts prompt=none forward from client

Off

Disable user info

Off

Trust Email

Hide on login page

Off

Verify essential claim

Off

First login flow (dropdown)

first broker login

Post login flow

None

Sync mode

Import

These permissions will allow Daytona to authenticate users, access users’ workspace membership, find team members, and access users’ repositories to create workspaces.

Github Enterprise

This section will illustrate how to configure Github Enterprise as an identity provider for your Daytona installation. You will need an active deployment of Github Enterprise version and a registered account.

Configure Github Enterprise in Keycloak

Create OAuth Application on Github Enterprise

Open your Github Enterprise domain URL in the browser and log in, click on your profile picture on the top right side of the page.
Under the dropdown menu, select Settings.
Scroll down and find Developer settings on the left sidebar, click on OAuth Apps on the left and then New OAuth App on the top right side of the page. Don’t close this tab.

Log into default realm in Keycloak

Open https://id.domain.com and click on Administration Console on the front page, then sign in with the credentials you obtained from your installation.
After you sign in, make sure you are on the default realm.
You should see the homepage show Welcome to default at the center of the screen. If not (the home page shows scattered information with Server info with the title master realm), you can select default under the dropdown menu on the top left side of the home page.

Configure bitbucket as identity providers

Click on Identity Providers under the Configure section on the left sidebar
Then click on bitbucket.
Copy the Redirect URI and note it down, as we will need it later. Don’t close this tab.

Configure OAuth application on Github Enterprise

Go back to Github Enterprise, on the Register a new OAuth application page, fill in the following information:
The Application name would be something recognizable to yourself. Recommend using your domain name.
The Homepage URL would be your Daytona dashboard URL.
The Authorization callback URL is the Redirect URI you have copied from the previous step.
You don’t need to toggle Enable Device Flow here. Then click on Register application.

Copy Client ID and secrets

Under your application, click on the Generate a new client secret in the Client secrets section.
Copy the credentials under Client ID and paste it into your Keycloak Provider details page in the Client ID section.
Go back to the Github Enterprise OAuth Application page, copy the credentials under the Client secrets section, and then paste it into Client Secret on your Keycloak.
! important: At the Base URL input field in Keycloak, paste your Github Enterprise URL (the dashboard URL where it is deployed, no trailing slash at the end).

Configure scopes in Keycloak

Under the Advance settings section, copy and paste the following value into the field Scope:

read:user user:email repo

These permission scopes will allow us to access authenticated users’ email, account details, and access signed-in users’ repositories to gain read, write, and admin rights.

Toggle the fields Store tokens and Trust Email to turn them on. You can compare your information to the table below to make sure the details are correctly configured.

If you want to type in scopes by yourself, remember to use Space ␣ to separate different scopes instead of a comma ,.

Enable Github Enterprise

After finishing the above steps, on Keycloak, click Save at the bottom of the page (on Keycloak), and then enable the identity provider (toggle the Disabled switch on the top right side on the page).

Github Enterprise and Keycloak configuration details

Github Enterprise VS. Keycloak Github OAuth App Keycloak Provider Details

URL Authorization callback URL Redirect URI

ID Client ID Client ID

Secrets Client secrets Client Secret

Scopes No extra configuration required read:user user:email repo

Github Enterprise VS. Keycloak	Github OAuth App	Keycloak Provider Details
URL	Authorization callback URL	Redirect URI
ID	Client ID	Client ID
Secrets	Client secrets	Client Secret
Scopes	No extra configuration required	`read:user user:email repo`

Keycloak Settings	Details
Base URL	Github Enterprise deployment URL
Store tokens	On
Accepts prompt=none forward from client	Off
Disable user info	Off
Trust Email	On
Hide on login page	Off
Verify essential claim	Off
First login flow (dropdown)	first broker login
Post login flow	None
Sync mode	Import

Keycloak Settings

Details

Base URL

Github Enterprise deployment URL

Store tokens

Accepts prompt=none forward from client

Off

Disable user info

Off

Trust Email

Hide on login page

Off

Verify essential claim

Off

First login flow (dropdown)

first broker login

Post login flow

None

Sync mode

Import

Confirm Github Enterprise is working

To confirm Github Enterprise is working properly with Daytona, refer to the Git Provider section to see if you can create a workspace based on the repository in Github Enterprise.

BitBucket Server

If you or your organization deployed BitBucket Server as your Git provider and want to use it as an identity provider for your Daytona installation, you can follow the steps below to configure it. To complete this guide, you will need an active deployment of BitBucket Server and a registered account on your BitBucket Server.

Configure BitBucket Server in Keycloak

Log into default realm in Keycloack

Log into your Keycloak’s Administration with credentials you obtained from the prerequisites section.
After you sign in, make sure you are on the default realm. You should see the homepage show Welcome to default at the center of the screen.
If not (the homepage shows scattered information with Server info with the title master realm), you can select default under the dropdown menu on the top left side of the homepage.

Obtain redirect URL

Under the default realm, click on Identity Providers under the Configure section on the left sidebar.
Then click on bitbucket-server (should be labeled with disabled at the moment).
On the next page, Provider details, copy the Redirect URI and note it down, as we will need it later. Don’t close this tab.

Create OAuth application

Open your BitBucket Server dashboard in the browser. On the top right side of the page, click on the settings button (with a gear icon).
Then click on Application Links under the SYSTEM section on the left sidebar (under Application Navigator).
Click on Create link on the top right side of the Application links page.
Select External application under Application type.
Under the Direction section, select Incoming.
Then click on Continue.

Configure application in BitBucket Server

For the application name, we recommend using your Daytona deploy domain for easy recognition.
Under Application details, paste the Redirect URI you have copied from the previous step (from the Keycloak dashboard) into the Redirect URL field.
Under Application permission, select Read and Write under Repositories.
Then click on Save at the bottom.

Configure Keycloak

Copy and paste the Client ID from BitBucket into the Client ID field on Keycloak’s Provider details page.
Copy and paste the Client secret into the Client Secret field on Keycloak.
! important: At the Base URL input field in Keycloak, paste your BitBucket Server URL (the dashboard URL where it is deployed, no trailing slash at the end).

Configure scopes in Keycloak

Under the Advance settings section, copy and paste the following value into the field Scope:

PUBLIC_REPOS REPO_READ REPO_WRITE

If you are unsure about the settings under Advance settings in Keycloak, you can refer to the table below to make sure the settings are correct. These permission scopes will allow us to access authenticated users’ repositories to create a workspace (without destructive behavior).

Enable BitBucket Server

After finishing the above steps, on Keycloak, click Save at the bottom, and then enable the identity provider (toggle the Disabled switch on the top right side of the page to Enabled).

BitBucket server and Keycloak configuration details

BitBucket Server VS. Keycloak BitBucket Server Keycloak Provider Details

URL Redirect URL Redirect URI

ID Client ID Client ID

Secrets Client secret Client Secret

Scopes

BitBucket Server VS. Keycloak	BitBucket Server	Keycloak Provider Details
URL	Redirect URL	Redirect URI
ID	Client ID	Client ID
Secrets	Client secret	Client Secret
Scopes	Repositories Read Write Admin	`PUBLIC_REPOS REPO_READ REPO_WRITE`

Repositories
Read
Write
Admin

PUBLIC_REPOS REPO_READ REPO_WRITE

Keycloak Advance Settings	Details
Store tokens	On
Accepts prompt=none forward from client	Off
Disable user info	Off
Trust Email	On
Hide on login page	Off
Verify essential claim	Off
First login flow (dropdown)	first broker login
Post login flow	None
Sync mode	Import

Keycloak Advance Settings

Details

Store tokens

Accepts prompt=none forward from client

Off

Disable user info

Off

Trust Email

Hide on login page

Off

Verify essential claim

Off

First login flow (dropdown)

first broker login

Post login flow

None

Sync mode

Import

Confirm BitBucket Server is working

After you finish all the configuration, you can refer to the BitBucket Server section in Git Providers guide and visit your Daytona dashboard to confirm the configuration is correct and working properly.

Google

In the section below we will guide you how to configure Google as an identity provider for your Daytona installation. You will need a registered Google cloud account, or a Google account associated with a Google cloud account.

Configure Google in Keycloak

Log into default realm in Keycloak

Log into your Keycloak’s Administration with credentials you obtained from the prerequisites section.
After you sign in, make sure you are on the default realm. You should see the homepage show Welcome to default at the center of the screen.
If not (the homepage shows scattered information with Server info with the title master realm), you can select default under the dropdown menu on the top left side of the homepage.

Obtain redirect URL

Under the default realm, click on Identity Providers under the Configure section on the left sidebar.
Then click on google (should be labeled with disabled at the moment).
On the next page, Provider details, copy the Redirect URI and note it down, as we will need it later. Don’t close this tab.

Configure OAuth consent screen in Google Cloud

Sign in to your Google Cloud console’s APIs and services with this link. Or on your Google Cloud console, click on the hamburger menu on the top left side of the page, then select APIs and services.
Click on OAuth consent screen on the left side of the page and select External in User Type. Click on CREATE.
For App name, we recommend using your Daytona deploy domain for easy recognition.
For User support email, use your IT support email (internal). It is for users to contact you with question about their consent.
You can skip filling in all information except Developer contact information. You can input multiple ones for Google to notify you about any changes to your project. Then SAVE AND CONTINUE

Add scopes to permissions

On the next page, click on ADD OR REMOVE SCOPES.
Search for email, profile and openid and select below values:

https://www.googleapis.com/auth/userinfo.email

https://www.googleapis.com/auth/userinfo.profile

openid

Click on UPDATE. and then SAVE AND CONTINUE on the main page.
You can add Test users based on your needs. During testing stage only testing user would be able to access the authenticated application. Click on SAVE AND CONTINUE to continue.
On the summary page, click on BACK TO DASHBOARD.

Create credentials

On the left click Credentials and then on the top click + CREATE CREDENTIALS.
Select OAuth client ID and select Web application as the application type.
Use a name you can correlate to the OAuth application you created for the Name field.
Under Authorized redirect URI, paste the Redirect URI you have copied from the previous step (from the Keycloak dashboard) into the Authorized redirect URIs field.
Then click on CREATE.

Configure Keycloak

Copy the Client ID and paste it into your Keycloak Provider details page in the Client ID section.
Copy the Client secret and paste it into your Keycloak Provider details page in the Client Secret section. Don’t close this tab.
You can (and should) download the JSON file and keep it somewhere safe for future reference.
Under Advance settings*, copy and paste the following value into the field Scope:

profile email openid

These permission scopes will allow us to access authenticated users’ email and authenticate account details.

Toggle the fields Store tokens and Trust Email to turn them on. You can compare your information to the table below to make sure the details are correctly configured.
On the top right side of the page, toggle the Disabled switch to Enabled.

Publish your OAuth application

Navigate back to Google Cloud console, on the left side of the page, click on OAuth consent screen.
Click on PUBLISH APP.

Google OAuth and Keycloak configuration details

Google VS. Keycloak Google OAuth Keycloak Provider Details

URL Authorized redirect URI Redirect URI

ID Client ID Client ID

Secrets Client secret Client Secret

Scopes

Google VS. Keycloak	Google OAuth	Keycloak Provider Details
URL	Authorized redirect URI	Redirect URI
ID	Client ID	Client ID
Secrets	Client secret	Client Secret
Scopes	profile email openid	`openid profile email`

profile
email
openid

openid profile email

Keycloak Advance Settings	Details
Store tokens	On
Accepts prompt=none forward from client	Off
Disable user info	Off
Trust Email	On
Hide on login page	Off
Verify essential claim	Off
First login flow (dropdown)	first broker login
Post login flow	None
Sync mode	Import

Keycloak Advance Settings

Details

Store tokens

Accepts prompt=none forward from client

Off

Disable user info

Off

Trust Email

Hide on login page

Off

Verify essential claim

Off

First login flow (dropdown)

first broker login

Post login flow

None

Sync mode

Import

Confirm Google is working

You can now open your Daytona dashboard on the browser and try to sign in with your Google account.

Azure Active Directory (now Microsoft Entra ID)

The following section will guide you through how to configure Azure as an identity provider for your Daytona installation. You will need a registered Azure account associated with a registered Microsoft Azure tenant. We assume you are familiar with Azure interface and have experience interacting with it.

Configure Azure Active Directory in Keycloak

Log into default realm in Keycloak

Log into your Keycloak’s Administration with credentials you obtained from the prerequisites section.
After you sign in, make sure you are on the default realm. You should see the homepage show Welcome to default at the center of the screen.
If not (the homepage shows scattered information with Server info with the title master realm), you can select default under the dropdown menu on the top left side of the homepage.

Obtain redirect URL

Under the default realm, click on Identity Providers under the Configure section on the left sidebar.
Then click on azure (should be labeled with disabled at the moment).
On the next page, Provider details, copy the Redirect URI and note it down, as we will need it later. Don’t close this tab.

Sign in to your Azure portal with this link. Or on your Azure portal, search for App registrations and then click on New registration.
For Name, we recommend using your Daytona deploy domain for easy recognition.
For Supported account types, you can choose an option based on your organisation needs. If you often have external contractors, select Accounts in any organizational directory.
Under the Redirect URI section, select Web and paste the Redirect URI you have copied from the previous step (from the Keycloak dashboard) into the Redirect URI input field.
Then click on Register.

Copy Client ID and secrets

You will then be redirected to the overview page of your application.
Copy the Application (client) ID and paste it into your Keycloak Provider details page in the Client ID section.
Under Certificates & secrets, click on New client secret. Copy the Value and paste it into your Keycloak Provider details page in the Client Secret section.

Configure Keycloak

Under Advance settings, copy and paste the following value into the field Scope:

openid profile email user.read

These permission scopes will allow us to access authenticated users’ email, account details, and authenticate users via their Azure account or Microsoft account.

Toggle the fields Store tokens and Trust Email to turn them on. You can compare your information to the table below to make sure the details are correctly configured.
Click Save.
On the top right side of the page, toggle the Disabled switch to Enabled.

Azure and Keycloak configuration details

Azure VS. Keycloak Azure Keycloak Provider Details

URL Redirect URI Redirect URI

ID Application (client) ID Client ID

Secrets Value (in Credentials in secrets) Client Secret

Scopes

Azure VS. Keycloak	Azure	Keycloak Provider Details
URL	Redirect URI	Redirect URI
ID	Application (client) ID	Client ID
Secrets	Value (in Credentials in secrets)	Client Secret
Scopes	openid profile email user.read	`openid profile email user.read`

openid
profile
email
user.read

openid profile email user.read

Keycloak Advance Settings	Details
Store tokens	On
Accepts prompt=none forward from client	Off
Disable user info	Off
Trust Email	On
Hide on login page	Off
Verify essential claim	Off
First login flow (dropdown)	first broker login
Post login flow	None
Sync mode	Import

Keycloak Advance Settings

Details

Store tokens

Accepts prompt=none forward from client

Off

Disable user info

Off

Trust Email

Hide on login page

Off

Verify essential claim

Off

First login flow (dropdown)

first broker login

Post login flow

None

Sync mode

Import

Confirm Azure is working

You can now open your Daytona dashboard on the browser and try to sign in with your Azure/Microsoft account.

Disable identity provider

In this section, we will walk you through how to disable an identity provider on Keycloak for your Daytona installation.

Sign into Keycloak

Go onto https://id.domain.com in the browser and click on Administration Console, then sign in with the credentials you’ve obtained while installing Daytona.

Select identity providers on the default realm

Once you sign in, confirm on the top left corner of the page that you are on the default realm. Select Identity providers under the Configure section.

Toggle disable

On the Identity providers page, click on the identity provider you wish to disable. You will then be directed to the Identity providers > Provider details > selected-identity-provider page. On the top right side of the configuration page, toggle Enabled to Disabled.

Delete Identity provider on Keycloak

Select identity providers on Keycloak

Go onto https://id.domain.com in the browser and click on Administration Console, then sign in with the credentials you’ve obtained while installing Daytona. Once you sign in, confirm that you are on the default realm. Select Identity providers under the Configure section.

Select delete

Once you are on the identity provider page, find your selected identity provider and click on the three dots ... button. On the dropdown menu select Delete.