Cross-Realm Single Sign-On

Hello,
we have different subsystems and thought that it would be a good idea to set up a broker per subsystem. But then we found out that Keycloak SSO (log in once and jump to another frontend without re-entering credentials) is only possible if all clients/frontends are configured in the same realm.

I am very interested to know what the reasons are for the current implementation. Is it a missing feature or is this a security feature that the SSO is only allowed for clients of one realm?

Does someone know where I can find more information about that? E.g. a specification on how to implement cross-realm SSO and how to extend Keycloak? Or a specification that describes why it is not allowed to do that?

Best regards,
Hermann


That depends on the realm definition; see the docs and you will find:

A realm manages a set of users, credentials, roles, and groups. A user belongs to and logs into a realm. Realms are isolated from one another and can only manage and authenticate the users that they control.

Hello,
thanks for the answer. I know that it is currently not possible and I have understood Keycloak's realm concept. And we plan to build a system with an Identity Provider and one or multiple Brokers. There it is, for example, possible to link users and build a relationship between two realms, one in the IP and one in the Broker. That's why I am asking myself: if this is possible, why is cross-realm SSO not possible?

My question is: why is it not possible? Is it a feature that Keycloak has not implemented? Or does it contradict a security requirement? Or is there another reason?

Best regards,
Hermann

There is no reason; it's just a design decision, which was made some years ago. Realms are isolated from each other. Period.

Ok, thank you for the information.

Is anyone aware of a specification on how to safely implement cross-realm SSO based on OpenID Connect/OAuth2, similar to the Identity Brokering implementation? For example, in the WS-Federation specification I have seen many flows, but no single sign-on.

Best regards,
Hermann

Cross-realm identity brokering?


We'd also be interested in whether it would be possible to overcome the realm isolation with "cross-realm" identity brokering with regard to SSO (and also Single Sign-Out). Has anyone tested this successfully?

We provide SSO from a user's perspective with identity brokering and token exchange. So if a user logged in to an app in realm A wants to "jump" to an app in realm B, they click a link in app A which passes an access token to app B, which exchanges it for an access token of realm B, and the user is logged in to app B with the exchanged token.
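
The jump described in the post above, written out as an added example (not code from the thread or from Keycloak). It shows what app B has to send to realm B's token endpoint and what it should check on the way in and out. In Keycloak this is the "external token to internal token" exchange: realm B has realm A configured as an OIDC identity provider, the `subject_issuer` parameter carries that identity provider's alias, and the caller is a confidential client of realm B. Token exchange is a preview feature in Keycloak that has to be enabled explicitly, and the identity provider in realm B needs the token-exchange permission before this works. The base URL `https://sso.example.com`, the realm names `realm-a`/`realm-b`, the client `app-b` with its secret, the alias `realm-a-broker` and the stub endpoint are all assumptions made for the example; the HTTP call is abstracted behind a `transport(url, form) -> (status, body)` callable so it runs offline against a constructed stand-in for realm B.

```python
"""Realm A -> realm B access-token exchange (added example, not Keycloak code).

Names, URLs and credentials below are assumptions for illustration only.
"""
import base64
import json
import time

KEYCLOAK_BASE = "https://sso.example.com"          # assumption
GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
NOW = 1_700_000_000                                # fixed clock for the offline demo


def token_endpoint(realm):
    """Keycloak's OIDC token endpoint for a realm."""
    return f"{KEYCLOAK_BASE}/realms/{realm}/protocol/openid-connect/token"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(jwt):
    """Payload of a compact JWT WITHOUT signature verification: local sanity
    checks only. Keycloak verifies the subject token when exchanging it, and
    the resource server verifies the token it finally receives."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def build_exchange_request(subject_token, target_realm, client_id,
                           client_secret, subject_issuer, audience=None):
    """Form that app B posts to realm B's token endpoint.
    subject_issuer = alias of the identity provider in realm B that brokers realm A."""
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": GRANT_TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_token_type": TYPE_ACCESS_TOKEN,
        "subject_issuer": subject_issuer,
    }
    if audience:                                   # optional: narrow the new token to one client
        form["audience"] = audience
    return token_endpoint(target_realm), form


def exchange_token(transport, subject_token, target_realm, client_id,
                   client_secret, subject_issuer, audience=None, now=None):
    """Exchange a realm A token for a realm B token and sanity-check the result."""
    now = int(time.time()) if now is None else now
    if decode_claims(subject_token).get("exp", 0) <= now:   # don't forward a dead token
        raise ValueError("subject token already expired")
    url, form = build_exchange_request(subject_token, target_realm, client_id,
                                       client_secret, subject_issuer, audience)
    status, body = transport(url, form)
    if status != 200 or "access_token" not in body:
        raise RuntimeError(f"exchange failed: {status} {body.get('error')}: "
                           f"{body.get('error_description')}")
    claims = decode_claims(body["access_token"])
    # App B must only trust a token minted by realm B, not whatever came back.
    if claims.get("iss") != f"{KEYCLOAK_BASE}/realms/{target_realm}":
        raise RuntimeError(f"unexpected issuer {claims.get('iss')!r}")
    return body["access_token"], claims


def unsigned_jwt(claims):
    """Constructed UNSIGNED test token (alg=none) for the offline demo only."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def stub_realm_b_endpoint(url, form):
    """Constructed stand-in for realm B's token endpoint: the checks it performs."""
    if url != token_endpoint("realm-b") or form.get("grant_type") != GRANT_TOKEN_EXCHANGE:
        return 400, {"error": "unsupported_grant_type"}
    if (form.get("client_id"), form.get("client_secret")) != ("app-b", "s3cr3t"):
        return 401, {"error": "invalid_client"}
    if form.get("subject_issuer") != "realm-a-broker":       # IdP alias in realm B
        return 400, {"error": "invalid_request", "error_description": "unknown issuer"}
    incoming = decode_claims(form["subject_token"])
    if incoming.get("iss") != f"{KEYCLOAK_BASE}/realms/realm-a":
        return 400, {"error": "invalid_token"}
    # Realm B issues a token for the *linked* realm B user: its own sub, its own aud.
    return 200, {"access_token": unsigned_jwt({
        "iss": f"{KEYCLOAK_BASE}/realms/realm-b", "sub": "b-" + incoming["sub"],
        "preferred_username": incoming["preferred_username"], "aud": "app-b",
        "exp": NOW + 300, "iat": NOW})}


def demo(expired=False):
    """Jump from app A (realm A) to app B (realm B); returns realm B's claims."""
    realm_a_token = unsigned_jwt({
        "iss": f"{KEYCLOAK_BASE}/realms/realm-a", "sub": "a-user-1",
        "preferred_username": "hermann", "aud": "app-a",
        "exp": NOW - 1 if expired else NOW + 300, "iat": NOW - 10})
    _, claims = exchange_token(stub_realm_b_endpoint, realm_a_token, "realm-b",
                               "app-b", "s3cr3t", "realm-a-broker", now=NOW)
    return claims


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that this only covers the direction realm A to realm B; the reverse jump needs the mirror-image setup (realm A brokering realm B). It also says nothing about Single Sign-Out: a logout in realm A does not by itself invalidate the token realm B minted, so that has to be handled separately.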

I can confirm that identity brokering “enables” SSO between realms in the respective direction.