diff --git a/docs/modules/ROOT/pages/how-tos/cloudscale/decommission.adoc b/docs/modules/ROOT/pages/how-tos/cloudscale/decommission.adoc
index 565cd0d6..587e925c 100644
--- a/docs/modules/ROOT/pages/how-tos/cloudscale/decommission.adoc
+++ b/docs/modules/ROOT/pages/how-tos/cloudscale/decommission.adoc
@@ -143,21 +143,7 @@ At this point in the decommissioning process, you'll have to extract the Restic
 
 . Delete all other Vault entries
 
-. Delete LDAP service (via portal)
-+
-Go to https://control.vshn.net/vshn/services
-+
-- Search cluster name
-+
-- Delete cluster entry service using the delete button
-
-. Remove IPs from LDAP allowlist
-+
-Edit https://git.vshn.net/vshn-puppet/vshn_hieradata/-/blob/master/corp/prod/ldap.yaml
-+
-- Search cluster IPs and remove those lines and any comments related.
-+
-- Create a Merge Request and invite a colleague for a review/approve/merge
+include::partial$decommission/idp.adoc[]
 
 . Delete all DNS records related with cluster (zonefiles)
 
diff --git a/docs/modules/ROOT/pages/how-tos/cloudscale/install.adoc b/docs/modules/ROOT/pages/how-tos/cloudscale/install.adoc
index 680653f2..eb474aa9 100644
--- a/docs/modules/ROOT/pages/how-tos/cloudscale/install.adoc
+++ b/docs/modules/ROOT/pages/how-tos/cloudscale/install.adoc
@@ -195,9 +195,9 @@ vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/floaty \
 vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/registry \
   httpSecret=$(LC_ALL=C tr -cd "A-Za-z0-9" </dev/urandom | head -c 128)
 
-# Set the LDAP password
-vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/vshn-ldap \
-  bindPassword=${LDAP_PASSWORD}
+# Set the Keycloak client secret
+vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/oidc/vshn-keycloak \
+  clientSecret=${KEYCLOAK_CLIENT_SECRET}
 
 # Generate a master password for K8up backups
 vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/global-backup \
diff --git a/docs/modules/ROOT/pages/how-tos/exoscale/decommission.adoc b/docs/modules/ROOT/pages/how-tos/exoscale/decommission.adoc
index de71f295..5c7ea49d 100644
--- a/docs/modules/ROOT/pages/how-tos/exoscale/decommission.adoc
+++ b/docs/modules/ROOT/pages/how-tos/exoscale/decommission.adoc
@@ -124,6 +124,6 @@ NOTE: Don't forget to remove the LB configuration in the https://git.vshn.net/ap
 
 . Remove cluster DNS records from VSHN DNS
 
-. Remove cluster IPs from LDAP allowlist, if applicable
+include::partial$decommission/idp.adoc[]
 
 . https://kb.vshn.ch/vshnsyn/how-tos/decommission.html[Decommission cluster in Project Syn]
diff --git a/docs/modules/ROOT/pages/how-tos/exoscale/install.adoc b/docs/modules/ROOT/pages/how-tos/exoscale/install.adoc
index 3ea28403..d165581e 100644
--- a/docs/modules/ROOT/pages/how-tos/exoscale/install.adoc
+++ b/docs/modules/ROOT/pages/how-tos/exoscale/install.adoc
@@ -219,9 +219,9 @@ vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/exoscale/storage_iam \
 vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/registry \
   httpSecret=$(LC_ALL=C tr -cd "A-Za-z0-9" </dev/urandom | head -c 128)
 
-# Set the LDAP password
-vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/vshn-ldap \
-  bindPassword=${LDAP_PASSWORD}
+# Set the Keycloak client secret
+vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/oidc/vshn-keycloak \
+  clientSecret=${KEYCLOAK_CLIENT_SECRET}
 
 # Generate a master password for K8up backups
 vault kv put clusters/kv/${TENANT_ID}/${CLUSTER_ID}/global-backup \
diff --git a/docs/modules/ROOT/partials/decommission/idp.adoc b/docs/modules/ROOT/partials/decommission/idp.adoc
new file mode 100644
index 00000000..0fa30a99
--- /dev/null
+++ b/docs/modules/ROOT/partials/decommission/idp.adoc
@@ -0,0 +1,33 @@
+. Delete the IDP service
++
+[%collapsible]
+.LDAP
+====
+. Delete LDAP service (via portal)
++
+Go to https://control.vshn.net/vshn/services
++
+- Search cluster name
++
+- Delete cluster entry service using the delete button
+
+. Remove IPs from LDAP allowlist
++
+Edit https://git.vshn.net/vshn-puppet/vshn_hieradata/-/blob/master/corp/prod/ldap.yaml
++
+- Search cluster IPs and remove those lines and any comments related.
++
+- Create a Merge Request and invite a colleague for a review/approve/merge
+====
++
+[%collapsible]
+.Keycloak
+====
+. Delete Keycloak client
++
+Go to https://TBD
++
+- Search cluster name
++
+- Delete cluster client using the delete button
+====
diff --git a/docs/modules/ROOT/partials/install/prepare-syn-config.adoc b/docs/modules/ROOT/partials/install/prepare-syn-config.adoc
index a78ae5b3..a4dbecd1 100644
--- a/docs/modules/ROOT/partials/install/prepare-syn-config.adoc
+++ b/docs/modules/ROOT/partials/install/prepare-syn-config.adoc
@@ -30,7 +30,7 @@ yq eval -i ".parameters.openshift.clusterID = \"$(jq -r .clusterID "${INSTALLER_
 yq eval -i ".parameters.openshift.ssh_key = \"$(cat ${SSH_PUBLIC_KEY})\"" \
   ${CLUSTER_ID}.yml
 
-yq eval -i ".parameters.vshnLdap.serviceId = \"${LDAP_ID}\"" \
+yq eval -i ".parameters.vshnKeycloak.clientId = \"${KEYCLOAK_CLIENT_ID}\"" \
   ${CLUSTER_ID}.yml
 ----
 +
diff --git a/docs/modules/ROOT/partials/install/register.adoc b/docs/modules/ROOT/partials/install/register.adoc
index c7f16fd5..ee332e1f 100644
--- a/docs/modules/ROOT/partials/install/register.adoc
+++ b/docs/modules/ROOT/partials/install/register.adoc
@@ -7,16 +7,6 @@ Use the following endpoint for Lieutenant:
 VSHN:: https://api.syn.vshn.net
 ****
 
-=== Set up LDAP service
+=== Set up Keycloak client
 
-. Create an LDAP service
-+
-Use https://control.vshn.net/vshn/services/_create to create a service.
-The name must contain the customer and the cluster name.
-And then put the LDAP service ID in the following variable:
-+
-[source,bash]
-----
-export LDAP_ID="Your_LDAP_ID_here"
-export LDAP_PASSWORD="Your_LDAP_pw_here"
-----
+include::partial$setup-keycloak-client.adoc[]
diff --git a/docs/modules/ROOT/partials/setup-keycloak-client.adoc b/docs/modules/ROOT/partials/setup-keycloak-client.adoc
new file mode 100644
index 00000000..0102c13c
--- /dev/null
+++ b/docs/modules/ROOT/partials/setup-keycloak-client.adoc
@@ -0,0 +1,26 @@
+. Create a new Keycloak client in the `VSHN` realm with the following settings:
++
+[source]
+----
+Client ID = ocp_<customer>_<c-cluster-id> <1>
+Access Type = confidential
+Valid Redirect URIs = https://oauth-openshift.apps.cluster-id.tld/oauth2callback/VSHN <2>
+Base URL = https://console-openshift-console.apps.cluster-id.tld/ <3>
+----
+<1> Create a separate client for each cluster.
+The client ID shall use the format `ocp_<customer-name>_<cluster-id>`.
+<2> The Redirect URI assumes that the authentication method in the OpenShift cluster is named `VSHN`.
+<3> Adjust the Base URL to match the desired web console URL of your cluster.
++
+Use https://TBD to create a client.
+The name must contain the customer and the cluster name.
++
+TODO: Add required config for authentication flow & mappers
+
+. Save the Keycloak client details (client ID and secret) in the following variables for subsequent steps.
++
+[source,bash]
+----
+export KEYCLOAK_CLIENT_ID="Your_client_ID_here"
+export KEYCLOAK_CLIENT_SECRET="Your_client_secret"
+----