How to auto login web apps / SSO

Hello all,

First off please excuse any wrong terminology in this post.
I’m completely new to SSO and KeyClock. Will be happy to add more details as needed.

I have several open source web apps / CMS configured with SAML and Keycloak. Wordpress and Nextcloud for example to name the 2 most widely known.

At the moment, when a user wants to sign in to Wordpress or Nextcloud, the option is to “direct login” or “login with SSO”.

Clicking on “login with SSO” directs to Keycloak, the user signs in and is directed back to Wordpress as authenticated user.

Next the user may switch to Nextcloud where he is again prompted to “direct login” or "login with SSO.
Clicking “login with SSO” now just shortly redirects to KeyCloak and right back to Nextcloud since the user is already authenticated from the Wordpress login.

This is great, but what I am looking to eliminate is the second login prompt.
The goal would be to “auto login” any user that has already signed in once to any of the web apps connected.

So for example if the user logged in to Wordpress already with SSO, then browsing to Nextcloud would not prompt to click “login with SSO” again.

Same idea for logout. When a user signs out from one web app, he/she should be logged out from all at the same time.

I assume there are several paths to achieve this. Is there a Keycloak side setting that this can be done with?

I don’t have the development skills to change the way the CMS side login works myself, but any ideas and pointers in the right direction would be greatly appreciated.

Thank you!

You aren’t going to be able to solve this problem purely on the Keycloak side. You’ll have to make some changes to the client application/CMS. I can’t say whether those would require dev work, or only configuration changes, but basically, in order for this to work, you’d have to take any unauthenticated users and automatically redirect them to Keycloak in order to begin an authentication flow.

If the user is already authenticated with Keycloak in this session, they can get redirected right back with a valid token in hand.

As far as logout goes, making sure you’ve de-authenticated the user everywhere is not entirely trivial. You can call the /logout URL, e.g. http://yourkeycloak.example.com/auth/realms/{realm-name}/protocol/openid-connect/logout but that will only invalidate the login session in Keycloak. If Wordpress and Nextcloud also have their own notions of an authentication session, you’ll have to find some way to clear those as well.

One way I’ve solved this in a webapp before is to have a “global logout” page that contains Javascript to hit all the various components’ logout URLs in the background.