diff --git a/infra/values/base/backstage-values.yaml b/infra/values/base/backstage-values.yaml
index 8b5f32a..e0a4a6c 100644
--- a/infra/values/base/backstage-values.yaml
+++ b/infra/values/base/backstage-values.yaml
@@ -61,6 +61,9 @@ upstream:
               clientId: ${AUTH_OIDC_CLIENT_ID}
               clientSecret: ${AUTH_OIDC_CLIENT_SECRET}
               prompt: auto
+              # Allow login before User entities exist in the catalog.
+              # Remove once org data is populated.
+              dangerouslyAllowSignInWithoutUserInCatalog: true
               signIn:
                 resolvers:
                 - resolver: emailMatchingUserEntityProfileEmail
@@ -84,6 +87,17 @@ upstream:
           - User
           - Domain
         providers:
+          # Auto-import users and groups from Keycloak
+          keycloakOrg:
+            default:
+              baseUrl: https://id.forteapps.net
+              realm: forte
+              clientId: ${AUTH_OIDC_CLIENT_ID}
+              clientSecret: ${AUTH_OIDC_CLIENT_SECRET}
+              schedule:
+                frequency: { minutes: 30 }
+                timeout: { minutes: 3 }
+                initialDelay: { seconds: 15 }
           # Auto-discover catalog-info.yaml from all Forte org repos
           gitea:
             forte: