Overview
When a Cloud environment is delivered, the following authentication method is configured by default.
This configuration is also the default on-premise configuration; it uses form authentication for the Planon environment.
Planon authentication
Keycloak
Enabling Single Sign On (SSO) on a Cloud environment introduces Keycloak authentication. Keycloak can be configured to use different authentication sources.
By default, the authentication via Keycloak is configured as follows.
This configuration needs to be adjusted by the customer according to the customer's specific (security) requirements. The default configuration contains only the supervisor user, so that this user can log in to Planon.
Keycloak authentication
The following diagram shows the possible configuration options for authenticating users.
This includes the configuration that needs to be applied by the customer.
Overview of authentication options
The customer can choose to:
* Add accounts to the Keycloak database for users to authenticate against Keycloak.
  This is not recommended!
* Add the Planon provider in Keycloak under User federation.
  This way, users authenticate against the account in the Planon database via Keycloak.
* Add an external IDP under Identity Providers in Keycloak.
  This way, users authenticate against the external IDP of the customer's choice via Keycloak.
  This is the recommended solution.
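
As an added example (not Planon's or Keycloak's own code), the following Python script reads a Keycloak realm export and reports which of the three sources above is in use, flagging Keycloak-database accounts other than the default supervisor user. The username "supervisor" and every name in the sample export are assumptions; the sample export is constructed.

```python
import json

# Key under which a Keycloak realm export lists User federation providers.
USER_STORAGE = "org.keycloak.storage.UserStorageProvider"

def audit_realm(realm, default_user="supervisor"):
    """Report which authentication sources a realm export uses.
    default_user is an assumed username for the default supervisor account."""
    # Option 1: password accounts kept in the Keycloak database (not recommended).
    local = sorted(
        u["username"] for u in realm.get("users", [])
        if u.get("enabled", True) and u.get("credentials")
        and not u.get("federationLink") and u["username"] != default_user
    )
    # Option 2: providers under User federation (component config values are lists).
    federation = sorted(
        c["name"] for c in realm.get("components", {}).get(USER_STORAGE, [])
        if c.get("config", {}).get("enabled", ["true"])[0] == "true"
    )
    # Option 3: external IDPs under Identity Providers (recommended).
    idps = sorted(i["alias"] for i in realm.get("identityProviders", [])
                  if i.get("enabled", True))
    findings = []
    if local:
        findings.append("local Keycloak accounts (not recommended): " + ", ".join(local))
    if not federation and not idps:
        findings.append("no user federation or external IDP configured")
    return {"local": local, "federation": federation, "idps": idps, "findings": findings}

# Constructed sample export; realm, user, provider and alias names are placeholders.
SAMPLE = json.loads("""
{
  "realm": "example-realm",
  "users": [
    {"username": "supervisor", "enabled": true, "credentials": [{"type": "password"}]},
    {"username": "j.doe", "enabled": true, "credentials": [{"type": "password"}]},
    {"username": "a.smith", "enabled": true, "federationLink": "placeholder-id"}
  ],
  "components": {"org.keycloak.storage.UserStorageProvider": [
    {"name": "planon-placeholder", "providerId": "placeholder", "config": {"enabled": ["true"]}}
  ]},
  "identityProviders": [{"alias": "corp-idp-placeholder", "providerId": "oidc", "enabled": false}]
}
""")

if __name__ == "__main__":
    for line in audit_realm(SAMPLE)["findings"]:
        print(line)
```

A disabled identity provider is not counted as a configured source, so the sample reports only the extra local account.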