Configuration in the Keycloak Web Console

Login to your Keycloak instance with administrator privileges and enter the Administration Console

Select the realm of the users who should be synchronized and click on Clients in the left-hand navigation bar.
Click on the Create client button of the client view to register a new client for the User & Group Sync connector

Provide a name for the Client ID and make sure that the Client type is OpenID Connect and click on Next.

In the Capability config tab, enable both the Client authentication and Authorization options, and have the other options as the following screenshot, then click on Next:

Keep the settings in the next tab as is, and click on Save.

The following assignment might not be required when registering a client in the master realm.

Switch to the Service account roles tab and click on the Assign role button.

Select "Filter by clients" and search for "manage-users" then click enter. Choose "realm-management / manage-users" and click on Assign.

The settings should look like the below now:

Go to the Credentials tab, and copy the Client secret. You may regenerate it at any time. 

Configuration in User & Group Sync Configuration page

Navigate to the administration console for Jira, Confluence, or Bitbucket 

Confluence: search for USERS & SECURITY under which you'll find User & Group Sync
Jira: navigate to the User management tab in which you'll find User & Group Sync
Bitbucket: navigate to Administration/ Accounts
 you'll find User & Group Sync listed here

Click on Add Connector and choose Keyloak Connector.

Set a name, insert your Keycloak URL appending /auth at the end, and provide

  • realm name
  • client-id
  • secret

as per your Keycloak setup earlier. Use the Save and Test Connection button to check if User Sync can connect to Keycloak successfully.

To schedule a periodic synchronization of your Keycloak directory with User & Group Sync, click on Show Advanced Settings at the very bottom of the page.
Enable Scheduled Synchronization needs to be checked, the default cron expression would then cause a sync every day at 2 am.

Click Save and Return to finish the configuration.

You are now ready to commence either a simulated or a full sync. By simulating the sync first you will be able to verify your configuration and see what changes User Sync would apply like what users will be added, modified, or not modified. With the full sync, User Sync will apply those changes. Both sync actions will run a full sync and will have the same sync duration. For more information on the sync simulation please refer to Using the Simulated Sync Feature.

Please read here, if you already have users in your system which you want to migrate, without losing their history. Don't hesitate to reach out to, if you need any help with achieving this. 

Additional Resources: