Outline + Keycloak SSO: Build a Secure Team Wiki with Single Sign-On

I spent two days setting up Outline for my team's documentation. Beautiful wiki, real-time collaboration, Markdown support. Then someone asked: "How do we log in?" That's when I realized Outline doesn't have built-in authentication. No username/password form. Nothing. You need an external identity provider.

If you're smarter than me (likely), you'll plan the authentication before deploying the wiki. Here's exactly how to wire up Outline with Keycloak for single sign-on, so your team gets one login for everything.

Why Outline Needs Keycloak

Outline is an open-source knowledge base that's honestly one of the best Notion alternatives out there. Real-time collaboration, nested collections, full-text search, a clean API. But it was designed to delegate authentication entirely. No local accounts, no built-in login page.

Keycloak fills that gap perfectly. It's an open-source identity and access management platform from Red Hat that handles OIDC, SAML, user federation, MFA, and more. Connect Outline to Keycloak once, and every team member authenticates through a centralized login. Add more apps later? Same login. That's the real power of SSO.

The Quick Way: Deploy Both on Elestio

Before we get into the configuration details, here's the shortcut. Both Outline and Keycloak are available as fully managed services on Elestio. You get working instances in under three minutes, with automated SSL, backups, and monitoring included.

For this stack, two NC-MEDIUM instances (2 CPU / 4 GB RAM each) on Netcup will run you about $32/month total. That's both services, fully managed, with NVMe storage. Compare that to per-user SaaS pricing on Notion or Confluence, and the math gets very friendly very quickly.

Setting Up Keycloak (The Identity Provider)

Once your Keycloak instance is running, you need to configure it as the OIDC provider for Outline. Here's the step-by-step.

Create a Realm

Log into the Keycloak admin console. Create a new realm called outline (or use your existing one if you already have Keycloak running for other services). Realms are isolated authentication spaces, so this keeps your wiki users separate if needed.

Create the Client

Inside your realm, create a new client:

• Client ID: outline-wiki
• Client type: OpenID Connect
• Client authentication: ON (this makes it a confidential client)
• Direct access grants: OFF

Configure Redirect URIs

In the client settings, set these URLs (replace with your actual Outline domain):

The callback URL is critical. If it's wrong, you'll get a vague "redirect_uri_mismatch" error that tells you nothing useful.

Grab Your Credentials

Go to the Credentials tab of your client and copy the Client Secret. You'll need this for Outline's environment variables.

Then find your OIDC endpoints: go to Realm Settings > General > Endpoints and click "OpenID Endpoint Configuration." The URL will look like:

https://keycloak.yourdomain.com/realms/outline/.well-known/openid-configuration

Create Your First User

Under the Users section, create at least one user with an email address and first name (Outline requires both). Set a password in the Credentials tab.

Configuring Outline for OIDC

Now for the Outline side. You need to add the OIDC environment variables to your Outline configuration. If you're on Elestio, edit the .env file in your Outline project directory:

cd /opt/app
nano .env

Add these OIDC variables:

OIDC_CLIENT_ID=outline-wiki
OIDC_CLIENT_SECRET=your-keycloak-client-secret
OIDC_AUTH_URI=https://keycloak.yourdomain.com/realms/outline/protocol/openid-connect/auth
OIDC_TOKEN_URI=https://keycloak.yourdomain.com/realms/outline/protocol/openid-connect/token
OIDC_USERINFO_URI=https://keycloak.yourdomain.com/realms/outline/protocol/openid-connect/userinfo
OIDC_DISPLAY_NAME=Keycloak
OIDC_USERNAME_CLAIM=preferred_username
OIDC_SCOPES=openid profile email

Save the file and restart Outline:

docker-compose restart outline

Verify it came back up cleanly:

docker-compose logs -f outline

Look for a line confirming the server is listening. Then load your Outline URL. You should see a "Continue with Keycloak" button on the login page. Click it, authenticate through Keycloak, and you're in.

The Part Everyone Messes Up

Here's where I can save you some debugging time.

Redirect URI mismatch. The callback URL in Keycloak must be exactly https://outline.yourdomain.com/auth/oidc.callback. No trailing slash. No HTTP. Exactly that.

Users can't log in. Keycloak users need both an email and a first name set. Outline won't create an account without them. If you get a blank error after authentication, check the user profile in Keycloak.

HTTPS issues behind a proxy. If you're running behind Nginx (which Elestio handles automatically), make sure FORCE_HTTPS=true is set in Outline and KC_PROXY=edge is set in Keycloak. Without these, token exchange fails silently because the URLs don't match.

"Invalid token" after login. This usually means the client secret in Outline doesn't match what Keycloak has. Regenerate it in Keycloak's Credentials tab and update Outline's config.

Going Further: SSO for Your Entire Stack

This is where the setup really pays off. Once Keycloak is running, you can add SSO to every other self-hosted service: Gitea, Grafana, Nextcloud, Mattermost. One login for your entire infrastructure.

On Elestio, you can deploy all of these as managed services and point them all at the same Keycloak realm. Your team gets a single identity across every tool, and you get centralized user management, audit logs, and MFA, all without managing the infrastructure yourself.

Deploy Outline on Elestio and Keycloak on Elestio to get started in minutes.

Thanks for reading! See you in the next one.