# Break glass account

A break glass account is essential for maintaining access to Keycloak in emergencies when primary authentication methods fail, such as IdP downtime or SSO issues.

It typically has admin-level permissions and signs in with a local username and password, so access remains available even if external IdPs are compromised or normal authentication methods are unavailable.

## How to create a break glass account in Keycloak

{% hint style="warning" %}
Do not enable MFA on this account, so that it can be accessed quickly during emergencies. Secure it with a strong, unique password, monitor it for unauthorized access, and audit its usage regularly.
{% endhint %}

1. Log in to the target Spark tenant. Access the *Keycloak console* from the [Navigation menu](/navigation/navigation-menu.md#user-menu).
2. Log in to the Keycloak Admin Console using your admin credentials.
3. Go to the *Users* section.
4. Click on **Add user**.
5. Fill in the username field and create the user.
6. Go to the *Credentials* tab.
7. Set a strong, unique password and ensure *Temporary* is toggled off.
8. Go to the *Groups* tab.
9. Click on the **Join Group** button.
10. Select `tenant-admin` and click **Join**.
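
The warning above asks you to monitor the account and audit its usage. The following is an added example, not part of the original documentation or of Keycloak itself, of one way to review exported login events for the break glass user. It assumes user event saving is enabled for the realm and that events are available as JSON in the shape Keycloak uses for user events (`time`, `type`, `ipAddress`, `details.username`); the username, threshold, approved windows and sample events are constructed for illustration.

```python
from collections import Counter

BREAK_GLASS_USER = "break-glass-admin"  # assumption: the username set in step 5
FAILED_LOGIN_THRESHOLD = 3              # assumption: failures per IP before flagging
T0 = 1_700_000_000_000                  # constructed base timestamp (epoch ms)


def audit_break_glass(events, approved_windows, username=BREAK_GLASS_USER):
    """Return (severity, message) findings for the break glass account.

    events: dicts shaped like Keycloak user events.
    approved_windows: (start_ms, end_ms) pairs recorded when an emergency
    was declared; a login outside every window is treated as unexpected.
    """
    findings, failures = [], Counter()
    for ev in sorted(events, key=lambda e: e["time"]):
        name = ((ev.get("details") or {}).get("username") or "").lower()
        if name != username:
            continue  # ignore every other account
        ts, ip = ev["time"], ev.get("ipAddress", "unknown")
        if ev["type"] == "LOGIN":
            approved = any(start <= ts <= end for start, end in approved_windows)
            findings.append(("info" if approved else "high",
                             f"login from {ip} at {ts}"))
        elif ev["type"] == "LOGIN_ERROR":
            failures[ip] += 1
    for ip, count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("medium", f"{count} failed logins from {ip}"))
    return findings


def _event(offset_ms, etype, ip, user):
    """Build one constructed sample event."""
    return {"time": T0 + offset_ms, "type": etype, "ipAddress": ip,
            "details": {"username": user}}


# Constructed sample data (documentation IP ranges), not real logs.
SAMPLE_EVENTS = [
    _event(1_000, "LOGIN_ERROR", "203.0.113.7", BREAK_GLASS_USER),
    _event(2_000, "LOGIN_ERROR", "203.0.113.7", BREAK_GLASS_USER),
    _event(3_000, "LOGIN_ERROR", "203.0.113.7", BREAK_GLASS_USER),
    _event(10_000, "LOGIN", "198.51.100.20", "alice"),
    _event(50_000, "LOGIN", "198.51.100.10", BREAK_GLASS_USER),
    _event(90_000, "LOGIN", "203.0.113.7", BREAK_GLASS_USER),
]
APPROVED = [(T0 + 40_000, T0 + 60_000)]  # one declared emergency window

if __name__ == "__main__":
    for severity, message in audit_break_glass(SAMPLE_EVENTS, APPROVED):
        print(f"[{severity}] {message}")
```

Because the account has no MFA, any `high` finding (a successful login outside a declared emergency) should be investigated and followed by a password rotation.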

