Enable Keycloak SSO for Nightingale Monitoring with OAuth2/OIDC

This guide walks you through configuring Keycloak as an OAuth2/OIDC identity provider for Nightingale monitoring, covering prerequisites, client and user creation in Keycloak, Nightingale OIDC settings, and verification steps to achieve seamless single sign‑on in enterprise environments.

Linux Ops Smart Journey

In medium‑to‑large enterprises, unified identity authentication is essential for security and user experience. Operations teams must not only keep systems stable but also standardize and automate infrastructure. This article explains how to configure Keycloak for OAuth2/OIDC single sign‑on (SSO) with Nightingale monitoring.

Prerequisites

Deployed and reachable Keycloak server (container version 26.4 in this example).

Deployed Nightingale monitoring instance (v8.3.1).

Network connectivity between Nightingale and Keycloak.

Keycloak Configuration

The process consists of two main steps: creating a client and creating a user.

Tip: The client is used by the application to connect to Keycloak, while the user represents the login credentials for the application.

Create Client

Navigate to Manage → Clients → Create client.

General settings:

Client type: OpenID Connect

Client ID: custom ID, e.g., n9e-server

Capability config:

Client authentication: enable. This sets the OIDC client type to confidential, which is what gives the client a secret.

Authorization: enable fine‑grained authorization support.

Login settings:

Root URL: set to the Nightingale address.

Valid redirect URIs: set the callback URL for Keycloak to redirect to Nightingale after login.

Save the client.

Retrieve the client secret; it will be needed in the Nightingale configuration.

Create User

Navigate to Manage → Users → Add user.

Fill in user details: Username, Email, First name, Last name.

Set password under Credentials → Set password:

Password and confirmation.

Temporary: choose whether the user must change the password on first login.

Save the user.

Nightingale Configuration

Configure Nightingale to use the newly created Keycloak client.

Navigate to System Settings → Single Sign‑On → OIDC.

Enter the following configuration (replace placeholders with actual values):

Enable = true
DisplayName = 'OIDC登录'
RedirectURL = 'http://{{NightingaleAddress}}/callback'
SsoAddr = 'https://{{KeycloakAddress}}/realms/{{realmName, default master}}'
SsoLogoutAddr = 'https://{{KeycloakAddress}}/realms/{{realmName, default master}}/protocol/openid-connect/logout?post_logout_redirect_uri=http://{{NightingaleAddress}}/login&client_id={{NightingaleClientId}}'
ClientId = '{{NightingaleClientId}}'
ClientSecret = '{{NightingaleClientSecret}}'
CoverAttributes = true
DefaultRoles = ['Guest']
Scopes = ['openid', 'profile', 'email', 'phone']

[Attributes]
Username = 'preferred_username'
Nickname = 'name'
Phone = 'phone_number'
Email = 'email'

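Tip: The client's Valid redirect URIs in Keycloak should include two addresses: the callback URL used after a successful login (RedirectURL above) and the login page URL used after logout (the post_logout_redirect_uri in SsoLogoutAddr).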
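
The redirect-URI tip above is where this setup most often breaks, so the following added example (not from the original article, nor from the Nightingale or Keycloak projects) checks that the Nightingale OIDC values and the Keycloak client's redirect list agree before you save them. The hostnames are constructed placeholders, and the matching rule is a simplified model of Keycloak's: exact match, or prefix match when the registered entry ends in `*`.

```python
from urllib.parse import urlsplit, parse_qs

def uri_allowed(uri, valid_uris):
    # Simplified model of Keycloak's matching: exact string match, or
    # prefix match when the registered entry ends in '*'.
    return any(uri.startswith(p[:-1]) if p.endswith("*") else uri == p
               for p in valid_uris)

def check_oidc_settings(cfg, valid_uris):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    logout = urlsplit(cfg["SsoLogoutAddr"])
    query = parse_qs(logout.query)
    post_logout = query.get("post_logout_redirect_uri", [""])[0]

    if not uri_allowed(cfg["RedirectURL"], valid_uris):
        findings.append("RedirectURL is not in Valid redirect URIs")
    if not uri_allowed(post_logout, valid_uris):
        findings.append("post_logout_redirect_uri is not in Valid redirect URIs")
    if query.get("client_id", [""])[0] != cfg["ClientId"]:
        findings.append("client_id in SsoLogoutAddr differs from ClientId")
    # The logout endpoint must belong to the same realm as SsoAddr.
    expected = cfg["SsoAddr"].rstrip("/") + "/protocol/openid-connect/logout"
    if f"{logout.scheme}://{logout.netloc}{logout.path}" != expected:
        findings.append("SsoLogoutAddr is not the logout endpoint of the SsoAddr realm")
    # Wildcard entries widen where Keycloak will redirect; report them for review.
    for p in valid_uris:
        if p.endswith("*"):
            findings.append(f"wildcard redirect URI registered: {p}")
    return findings

# Constructed sample values (hostnames are placeholders, not from the article).
CFG = {
    "RedirectURL": "http://n9e.example.internal/callback",
    "SsoAddr": "https://sso.example.internal/realms/master",
    "SsoLogoutAddr": "https://sso.example.internal/realms/master/protocol/openid-connect/logout"
                     "?post_logout_redirect_uri=http://n9e.example.internal/login&client_id=n9e-server",
    "ClientId": "n9e-server",
}
VALID = ["http://n9e.example.internal/callback", "http://n9e.example.internal/login"]

if __name__ == "__main__":
    for finding in check_oidc_settings(CFG, VALID) or ["settings are consistent"]:
        print(finding)
```

Registering the two exact URLs, as in `VALID`, passes every check; a single `http://host/*` entry also lets login and logout work, but the checker reports it so the wildcard can be replaced with the exact addresses.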

Start Keycloak before launching Nightingale, as Nightingale depends on the Keycloak service.

Verification

After configuration, test the SSO flow:

Login via Nightingale – you should be redirected to Keycloak for authentication.

Logout – you should be returned to Nightingale’s login page.

Conclusion

By integrating Keycloak with Nightingale, the monitoring system now participates in the enterprise’s unified identity governance, moving operations from passive response to proactive management. Future plans include adding Grafana, Jenkins, and K8s Dashboard to the same SSO setup, creating a true "operations console".
