SSO across subdomains

Greetings, I’m trying to get SSO working across subdomains (e.g., abc.company.com and xyz.company.com) but it’s not working.

My configuration includes the following:

  1. A proxy web server with a virtual host per subdomain that proxies Keycloak requests. The proxy includes the mod_auth_openidc adapter.
  2. A Keycloak client for each subdomain. A request to a particular subdomain will access the associated Keycloak client.

Authentication in general is working as expected. I can successfully authenticate to both subdomains independently. What I can’t get working is this: if I authenticate to one subdomain, I’m prompted to re-authenticate when accessing the other. That’s not what I’m expecting. Ideally, if I’m authenticated to one subdomain, I will not be prompted to re-authenticate to the other. It appears the issue is associated with the way Keycloak handles cookies; each subdomain gets its own set of authentication cookies.

What am I doing wrong? Any suggestions would be greatly appreciated.

Thank you, Peter

Your setup is not clear, so only a generic answer:

  • Keycloak is available on one domain only
  • Apps may have their own domains and their own OIDC clients (but from the same realm)
  • Apps use flows which create an IdP session in the user’s browser, e.g. grant code (+PKCE), implicit, …

Keycloak-gatekeeper may be a better solution for you.

Thank you jangaraj for replying. To answer your questions…

  • There is only one internet domain (e.g., company.com) and two subdomains: abc and xyz.
  • Only one realm is configured beyond the master. That realm includes keycloak clients for both subdomains.
  • If I enable debug logging, I can see that an expected cookie AUTH_SESSION_ID is not being found. If I look in the browser I can see the cookie is defined at the subdomain level and not the domain level.

I’ll take a look at gatekeeper, but I would have expected my use case to be common. Once again, thank you for answering and let me know if there’s anything specific I can provide (realm-export, client json, etc) that would be helpful.

How is SSO configured between keycloak clients? Will two clients automatically be able to participate in SSO? Is there anything special that needs to be done? It’s very possible I’m misunderstanding something.

Thanks again, Peter

The user browser has an IdP session = some cookies per Keycloak domain/path. You are mentioning subdomains, but it is still not clear if they are KEYCLOAK or APP (sub)domains. See the Google example: there is one IdP domain https://accounts.google.com/ and there can be many (un)related app domains/subdomains.

You must have ONE domain for Keycloak. I believe you have exposed Keycloak on two (sub)domains, because “If I look in the browser I can see the cookie is defined at the subdomain level and not the domain level.”

So please use one domain for Keycloak, e.g. authn.company.com, or configure your apps to use one domain only. App domains can be subdomains of the Keycloak domain (app.authn.company.com), but they can be absolutely unrelated (my.app.hosteddomain.com). But all apps from these app domains must redirect users to authenticate to that single Keycloak domain (app.authn.company.com).

How did you set up your Keycloak/app domains/subdomains?

2 Likes
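
The point jangaraj makes above (the IdP session lives in cookies scoped to the Keycloak host, so Keycloak must be reached on one hostname) can be checked without a browser. The following is an added example, not code from the thread or from Keycloak: it uses the Python standard library’s cookie jar, which applies the same host-only scoping rule browsers apply to a cookie set without a Domain attribute, to compare the two setups discussed. The realm name `company`, the cookie path `/auth/realms/<realm>/`, the session value and the hostnames other than `authn.company.com` are assumptions.

```python
"""Simulate how a browser scopes Keycloak's AUTH_SESSION_ID cookie.

Two apps (abc.company.com and xyz.company.com) each redirect the browser to an
IdP host for login. We record the cookie set during the first login and then
check whether it is attached to the second app's authorization redirect.
No network traffic is generated; responses are constructed in this file.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

REALM = "company"  # assumed realm name, not taken from the thread


class _ConstructedResponse:
    """Minimal stand-in for an HTTP response; CookieJar only needs .info()."""

    def __init__(self, headers: Message):
        self._headers = headers

    def info(self) -> Message:
        return self._headers


def keycloak_login_response(realm: str) -> _ConstructedResponse:
    """Constructed Set-Cookie header shaped like Keycloak's session cookie.

    Keycloak sets AUTH_SESSION_ID without a Domain attribute, so it is a
    host-only cookie bound to whichever hostname served the login page.
    The path prefix /auth/realms/<realm>/ is an assumption for this example.
    """
    headers = Message()
    headers["Set-Cookie"] = (
        "AUTH_SESSION_ID=constructed-session-id; "
        f"Path=/auth/realms/{realm}/; Secure; HttpOnly"
    )
    return _ConstructedResponse(headers)


def cookie_sent_to_idp(first_idp_host: str, second_idp_host: str, realm: str = REALM):
    """Return the Cookie header the browser would attach to the second app's
    authorization request, or None when no IdP session cookie is sent."""
    jar = CookieJar()  # plays the role of the user's browser cookie store

    # 1. The user logs in via the first app. Keycloak, reached on
    #    first_idp_host, answers with Set-Cookie: AUTH_SESSION_ID=...
    login = Request(
        f"https://{first_idp_host}/auth/realms/{realm}/login-actions/authenticate"
    )
    jar.extract_cookies(keycloak_login_response(realm), login)

    # 2. The user opens the second app, which redirects the browser to the IdP's
    #    authorization endpoint on second_idp_host. Only if AUTH_SESSION_ID is
    #    sent can Keycloak find the existing IdP session and skip the login form.
    authorize = Request(
        f"https://{second_idp_host}/auth/realms/{realm}/protocol/openid-connect/auth"
        "?client_id=xyz&response_type=code&redirect_uri=https://xyz.company.com/callback"
    )
    jar.add_cookie_header(authorize)
    return authorize.get_header("Cookie")


def sso_works(first_idp_host: str, second_idp_host: str, realm: str = REALM) -> bool:
    """True when the IdP session cookie reaches Keycloak on the second login."""
    header = cookie_sent_to_idp(first_idp_host, second_idp_host, realm)
    return header is not None and "AUTH_SESSION_ID=" in header


if __name__ == "__main__":
    # The setup described in the thread: Keycloak reachable on each app subdomain.
    print("Keycloak per subdomain:", sso_works("abc.company.com", "xyz.company.com"))
    # The advice given above: every app redirects to one Keycloak host.
    print("single Keycloak host  :", sso_works("authn.company.com", "authn.company.com"))
```

With Keycloak proxied on each app subdomain the cookie set by `abc.company.com` is never sent to `xyz.company.com`, so the second login starts from scratch; with a single `authn.company.com` the same cookie is returned on every redirect, regardless of which app started the flow. Setting a broader `Domain=` on the session cookie is not the fix: it would expose the IdP session to every host under `company.com`, while a single Keycloak host keeps it confined to the IdP.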

Thank you jangaraj. You’re understanding my scenario very well. I now understand that I need one domain for keycloak. It’s much clearer to me now. Thanks again, Peter