Access & Authentication
How users access BullSequana AI and how Keycloak is used in the platform.
Identity Model
BullSequana AI uses Keycloak as the platform access layer.
Its main purpose is to federate with your existing enterprise identity system, not to become the long-term source of identity for your organization.
In a production setup, users should normally authenticate through the identity provider your organization already uses, for example:
Microsoft Entra ID- another
Keycloakinstance LDAPorActive Directory- another corporate identity provider integrated through standard federation flows
This means BullSequana AI can rely on your current identity model while still enforcing platform-level authentication, SSO, and access control.
What Users Experience
For most users, access works as follows:
- open the BullSequana AI URL for your deployment
- get redirected to the configured identity provider
- authenticate with your existing enterprise account
- return to the platform with the permissions granted to your user and groups
This gives users a single sign-on experience across the platform instead of separate accounts for each service.
Why Keycloak Is Used
Within BullSequana AI, Keycloak is used to:
- federate authentication with enterprise identity systems
- provide single sign-on across platform services
- manage application clients and login flows
- support role and group-based access patterns used by the platform
The important point is that Keycloak is typically the broker and control point for access, not the business system of record for user identities.
How Components Get SSO
You do not need to configure Keycloak clients manually for each platform service. The platform handles this automatically.
When a component is deployed and SSO is enabled for it, the deployment layer creates Argo CD hook jobs that:
- register the component as an OIDC client in Keycloak (with the correct redirect URIs, scopes, and protocol mappers)
- create any groups and roles the component needs
- assign group-role mappings and service account permissions
- clean up all of the above when the component is removed
This means every SSO-enabled component (such as Grafana, PgAdmin, MinIO, Langfuse, MLflow, Temporal, Superset, and the CoreAI services) gets a working login flow as soon as it is deployed, with no manual Keycloak administration required.
Controlling SSO per component
Each component has an sso_enable flag in the deployment configuration that defaults to true. Setting it to false deploys the component without Keycloak integration. This is useful for:
- air-gapped or restricted environments where Keycloak is not available
- development clusters where SSO is not yet configured
- specific components that should use an alternative authentication method
For details on how to set these flags, see the Configuration Model.
Two-Factor Authentication
If your deployment requires stronger access protection, Keycloak can also enforce two-factor authentication.
This adds a second login step beyond the password, usually through an authenticator application.
Typical benefits:
- stronger protection against password reuse or credential theft
- better alignment with enterprise security requirements
- safer access to platform services and administrative interfaces
Development And Demo Clusters
In development or demo clusters, federation may not be configured yet. In those cases, a user can be created directly in Keycloak for testing or evaluation purposes.
This is a convenience setup for non-production environments, not the target production access model.
Create a user manually in Keycloak
- open the Keycloak admin console
- switch to the
dataplatformrealm - go to
Users - select
Create user - fill in at least:
UsernameEmailFirst nameLast name
- create the user
- open the user's
Credentialstab - add a password for the account
After that, the user can log in with the credentials created for that environment.