KeyCloak SSO with multiple legacy applications

Hello, folks:

We currently have several web and desktop applications that authenticate users using a username/password form POST with credentials from MS Active Directory; some systems store user authentication in their own databases.

Recently, stakeholders have requested that our systems implement SSO and MFA. During our technical evaluation, we found that KeyCloak appears to be an excellent tool for managing SSO/MFA across multiple heterogeneous systems.
At present, we’ve successfully connected KeyCloak (ver. 20) with MS Active Directory (User federation). We’ve also discovered methods to log in/create client sessions (obtaining id_token/access_token) and log out/clean the client session using the API.

However, we are unsure how to achieve the following:
“After logging into system 1, how can a user automatically log in to system 2 in the same browser without re-entering the username/password?”
Without modifying system 2, is it possible to query KeyCloak using a token to obtain the user credentials (username/password) for system 2? (System 2 currently only accepts username/password login.)

Any advice would be greatly appreciated.

The quick answer is:

  1. Your apps are integrated with OIDC with Keycloak (No ROPC grant)
  2. SSO means having an active IdP session cookie
  • System 1 (client 1) performs a standard OIDC federation; the user completes the authn mechanism, then system 1 gets the tokens, and you have an IdP session :cookie:
  • System 2 (client 2) performs a standard OIDC federation, but you achieve SSO because you have an active IdP session :cookie:, and system 2 obtains NEW tokens

Hello embesozzi,
Thank you for your answer. I’m trying to understand the hints in your response.
I think my direction should involve integrating ‘system2’ with the Keycloak JavaScript adapter.
However, I’m uncertain about the steps needed to ensure that when a user clicks the ‘Login’ button, the ‘IdP session cookie’ is transformed into user credentials (username/password) for logging into the old system. (Or perhaps I misunderstood.)

I’ll do more research.

Hi @tzengshinfu,
Yes, each system (app) will use an OIDC library for federation. I recommend checking OpenID Foundation certified libraries.

Lastly, when a user clicks the login button, as I mentioned before, the app with an OIDC library initiates redirection to the IdP to proceed with the authn step. Your KC authentication flow definition has the first step with the authn type “Cookie”. Therefore, due to the presence of an active and valid :cookie: in the second login, KC will finish the authn as success without further steps. Consequently, the app will get the tokens (meaning the authz code, and the app negotiates the tokens). From the user perspective, this results in Single Sign-On (SSO).


Hello embesozzi,
Thank you for further explanation and suggestions on the libraries.
:blush::pray::+1::star2::tada: