Phonemos User Guide

Manual User Creation without Single Sign On (SSO)

Phonemos supports both Single Sign-On (SSO) and manual user account creation.
If your organization does not use an external Identity Provider, administrators can still add users securely through Keycloak, the identity management system used by Phonemos.

In this setup, users are created manually and receive a password reset email, allowing them to securely set their own password.

When is manual user creation useful?

Manual user creation is helpful in scenarios such as:

  • Small teams or pilot installations where no central identity provider exists.

  • External users or partners who should access Phonemos but are not part of your company directory.

  • Testing environments where administrators want to quickly create accounts.

How manual user creation works

User accounts are created through the Keycloak administration interface connected to your Phonemos instance.

The process works as follows:

  1. Click on the cog wheel on the top right (Phonemos instance administrator permission needed) and open the Keycloak Admin Console by clicking on Manage User

  2. Click Add user

  3. Enter the required information:

    • Leave Required user actions blank, as it is

    • Username

    • Email address

    • First name and last name

    • Important: Email verified must be checked, otherwise the user will not be able to log in

    • Add the user to the groups that match this user type

  4. Save the new user by clicking on Create

After the user has been created:

  1. Switch to the “Credentials” tab and click on “Credential Reset”

  2. Under “Reset Actions”, choose “Update Password”

  3. Set the time at which the link should expire and click on “Send Email”

  4. The user sets their password and can then log in to Phonemos normally.

This ensures that administrators never need to set or see user passwords.
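
For administrators who onboard several accounts at once, the same two steps can be expressed as Keycloak Admin REST API calls. The following is an added example, not part of Phonemos or its documentation; the base URL, the realm name `phonemos`, the group path, the sample link lifetime and the availability of an admin access token are all assumptions.

```python
import json
import urllib.request

# Assumptions (not from the guide): Keycloak base URL and realm name.
BASE = "https://keycloak.example.invalid"
REALM = "phonemos"


def plan_user_creation(username, email, first, last, groups, link_lifespan_s=43200):
    """Return the two Admin REST calls that mirror the manual steps above."""
    if not groups:
        raise ValueError("assign at least one group matching the user type")
    if "@" not in email:
        raise ValueError("an email address is required to deliver the reset link")
    user = {
        "username": username,
        "email": email,
        "firstName": first,
        "lastName": last,
        "enabled": True,         # set explicitly; a disabled account cannot log in
        "emailVerified": True,   # left unchecked, the user cannot log in
        "requiredActions": [],   # left blank, as in step 3
        "groups": groups,        # group paths, e.g. "/partners" (hypothetical)
        # deliberately no "credentials" key: the admin never sets a password
    }
    users_url = f"{BASE}/admin/realms/{REALM}/users"
    create = ("POST", users_url, user)
    # {id} is filled in from the Location header of the create response
    reset_url = f"{users_url}/{{id}}/execute-actions-email?lifespan={link_lifespan_s}"
    reset = ("PUT", reset_url, ["UPDATE_PASSWORD"])
    return create, reset


def send(method, url, body, token):
    """Execute one planned call with a bearer token; returns the response."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    return urllib.request.urlopen(req)


def provision(token, **user_fields):
    """Create the user, then send the 'Update Password' email. Returns the user id."""
    create, reset = plan_user_creation(**user_fields)
    resp = send(*create, token)
    user_id = resp.headers["Location"].rsplit("/", 1)[-1]
    method, url, body = reset
    send(method, url.replace("{id}", user_id), body, token)
    return user_id
```

`plan_user_creation` can be reviewed or logged before anything is sent; `provision` performs the calls and needs network access to the Keycloak instance.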


Security considerations

Manual login via Keycloak still provides strong security options:

  • Secure password policies

  • Optional two-factor authentication (2FA)

  • Email-based password reset flows

  • Centralized identity management via Keycloak

These features ensure that manual accounts remain secure and manageable, even without SSO.


Important note

If your organization later introduces an Identity Provider (such as Azure AD, Okta, or Google Workspace), Phonemos can easily switch to Single Sign-On authentication, allowing users to log in with their company credentials.


