How to delegate authentication with role exchange in a custom token?

Maybe my concise question should be: what is the best way to offer SSO on various existing applications using their own IDP? But I will give you some context and my ideas, in the hope of getting some feedback and advice.

We are delivering, with another partner, two ecosystems that have to be seen as one.
All the back-office applications are JS SPA applications using backend microservices with custom roles.
As the customer needs one simple system to manage, he needs SSO: from a UI portal, he could access all the applications he needs by logging in only once.
Here is a schematic view:

The portal will use a dedicated Keycloak IDP, and our system also has its own IDP.
I need some advice on how to configure the solution for our system, and on points to be careful about.

  • I think that in order to achieve my goal, our Keycloak should be declared as a client in the main Keycloak IDP.
  • Our JS SPA applications should not know about the main IDP.
  • Our Keycloak IDP should also be able to map the broad generic roles assigned to the user on the main Keycloak IDP, in order to include in the token used by our applications the specific roles required by them in our system.

Any help on this will be great.
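One way to express the brokering setup sketched in the bullets above, as an added example that is not part of the original post: a partial Keycloak realm-import fragment in which our Keycloak declares the main Keycloak as an OIDC identity provider (so the SPAs only ever talk to our Keycloak) and an identity-provider mapper translates a generic realm role from the main Keycloak into a client-specific role of our backend. JSON cannot carry comments, so the placeholders are marked by their values: the aliases, hostnames, client id, role names and the secret are all assumed names, and `syncMode: FORCE` plus `validateSignature: true` are the settings a defender would want so that role changes on the main IDP are re-applied at every login and upstream tokens are never accepted unsigned.

```json
{
  "identityProviders": [
    {
      "alias": "main-portal-idp",
      "displayName": "Main portal Keycloak (placeholder)",
      "providerId": "keycloak-oidc",
      "enabled": true,
      "trustEmail": false,
      "storeToken": false,
      "firstBrokerLoginFlowAlias": "first broker login",
      "config": {
        "issuer": "https://main-idp.example.com/realms/portal",
        "authorizationUrl": "https://main-idp.example.com/realms/portal/protocol/openid-connect/auth",
        "tokenUrl": "https://main-idp.example.com/realms/portal/protocol/openid-connect/token",
        "jwksUrl": "https://main-idp.example.com/realms/portal/protocol/openid-connect/certs",
        "useJwksUrl": "true",
        "validateSignature": "true",
        "clientId": "our-system-broker",
        "clientSecret": "PLACEHOLDER-provision-out-of-band",
        "defaultScope": "openid",
        "syncMode": "FORCE"
      }
    }
  ],
  "identityProviderMappers": [
    {
      "name": "portal-manager to backoffice-admin (placeholder names)",
      "identityProviderAlias": "main-portal-idp",
      "identityProviderMapper": "keycloak-oidc-role-to-role-idp-mapper",
      "config": {
        "syncMode": "INHERIT",
        "external.role": "portal-manager",
        "role": "backoffice-api.backoffice-admin"
      }
    }
  ]
}
```

The main Keycloak must hold a confidential client named `our-system-broker` whose allowed redirect URI is our Keycloak's broker endpoint, and the mapper only fires if that client's token actually carries the generic role, so check the upstream realm's role claim mapping as well as the local one when a role does not appear.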