What are the pre-requisite to have SSO with a separate key store?