search
About CoherentAPI referenceSupportYouTube

Break glass account

A break glass account is essential for maintaining access to Keycloak in emergencies when primary authentication methods fail, such as IdP downtime or SSO issues.

It typically has admin-level permissions and uses a local account username and password, ensuring access even if external IdPs are compromised, providing a crucial backup when normal authentication methods are unavailable.

hashtag
How to create a break glass account in Keycloak

circle-exclamation

Do not enable MFA on this account to ensure quick access during emergencies. Secure it with strong, unique passwords, monitor for unauthorized access, and audit its usage regularly.

  1. Login to the target Spark tenant. Access the Keycloak console from the User menu.

  2. Log into the Keycloak Admin Console using your admin credentials.

  3. Go to the Users section.

  4. Click on Add user.

  5. Fill in the username field and create the user.

  6. Go to the Credentials tab.

  7. Set a strong, unique password and ensure Temporary is toggled off.

  8. Go to the Role Mappings tab.

  9. Click on the Assign Role button and select Filter by clients.

  10. Assign the following roles to this user:

    • view-identity-providers

    • manage-identity-providers

    • view-authorization

    • manage-authorization

  11. Go to the Groups tab.

  12. Click on the Join Group button.

  13. Select tenant-admin and click Join.

Last updated