Social & OIDC
Single sign-on (SSO) & federation
Let users sign in with an identity they already have. Keycloak (which powers your user pool) brokers external providers and federates directories.
SAML 2.0
LDAP / AD
Brokering vs. federation
Section titled “Brokering vs. federation”- Brokering (Google/Facebook/OIDC/SAML) — the user authenticates at the external IdP; Keycloak then issues its own tokens to your app. Best for “Log in with Google/Okta.”
- Federation (LDAP/AD) — Keycloak reads users from a directory as if they were local.
The one value every broker needs: the redirect URI
Section titled “The one value every broker needs: the redirect URI”Every social/OIDC/SAML provider asks for a redirect URI (a.k.a. callback / ACS URL). For a SavvyTechies user pool it is always:
https://<your-auth-domain>/realms/<realm>/broker/<alias>/endpoint<your-auth-domain>—auth.savvytechies.com, or your custom domain.<realm>— your user-pool name (e.g.acme-prod).<alias>— the provider alias you choose (e.g.google,facebook,okta).
Example: https://auth.savvytechies.com/realms/acme-prod/broker/google/endpoint
Two ways to add any provider
Section titled “Two ways to add any provider”- Ask the assistant — e.g. “Add Google login to acme-prod” or “Add a SAML identity provider for acme-prod using metadata https://idp.example.com/metadata.” It stages a dry-run and applies on your confirmation.
- Keycloak admin console — realm → Identity providers → Add provider → pick the type.
- In the Google Cloud Console → APIs & Services → Credentials → Create credentials → OAuth client ID → Web application.
- Add the Authorized redirect URI:
https://auth.savvytechies.com/realms/acme-prod/broker/google/endpoint - Copy the Client ID and Client secret.
- In Keycloak: Identity providers → Google, paste the Client ID + secret, save.
Default scopes are openid profile email. See the Keycloak
Google provider docs.
- In Meta for Developers → create an app → add Facebook Login.
- Under Facebook Login → Settings, add the Valid OAuth Redirect URI:
https://auth.savvytechies.com/realms/acme-prod/broker/facebook/endpoint - From App settings → Basic, copy the App ID and App secret.
- In Keycloak: Identity providers → Facebook, paste App ID (Client ID) + App secret (Client secret), save.
See the Keycloak Facebook provider docs.
Microsoft Entra ID (Azure AD) & other OIDC
Section titled “Microsoft Entra ID (Azure AD) & other OIDC”Microsoft Entra, Okta, Auth0, or any spec-compliant OpenID Connect provider use the generic OpenID Connect v1.0 provider.
- Register an application with the provider; set the redirect URI to
https://auth.savvytechies.com/realms/acme-prod/broker/oidc/endpoint. - Get the Client ID, Client secret, and the provider’s discovery URL
(
.../.well-known/openid-configuration). - In Keycloak: Identity providers → OpenID Connect v1.0. Paste the discovery URL into Import from URL to auto-fill the endpoints, then add the Client ID + secret.
See OpenID Connect v1.0 identity providers.
SAML 2.0 (Okta, Ping, ADFS, OneLogin…)
Section titled “SAML 2.0 (Okta, Ping, ADFS, OneLogin…)”- In your SAML IdP, create a new SAML app. Give it these Service Provider (SP) values —
Keycloak’s SP metadata is at
https://auth.savvytechies.com/realms/acme-prod/broker/saml/endpoint/descriptor:- ACS / Reply URL:
https://auth.savvytechies.com/realms/acme-prod/broker/saml/endpoint - Entity ID / Audience:
https://auth.savvytechies.com/realms/acme-prod
- ACS / Reply URL:
- Download the IdP metadata XML (or note the SSO URL + signing certificate).
- In Keycloak: Identity providers → SAML v2.0, paste the IdP metadata URL into Import from URL (or upload the XML). Set NameID policy format to match your IdP (usually email or persistent).
See SAML v2.0 identity providers.
LDAP / Active Directory (federation)
Section titled “LDAP / Active Directory (federation)”Federate an existing corporate directory so its users can sign in without a copy of their credentials in Keycloak.
- In Keycloak: realm → User federation → Add Ldap provider.
- Set the Connection URL (
ldaps://ad.corp.example.com:636— use LDAPS), Bind DN, and Bind credential (a read service account). - Set Users DN (e.g.
ou=users,dc=corp,dc=example,dc=com) and the vendor (Active Directory / other). Test the connection and authentication. - Choose an Edit mode (READ_ONLY is safest) and, optionally, enable periodic sync.
See LDAP.
After a provider is added
Section titled “After a provider is added”- First-login flow — on a user’s first brokered login Keycloak runs the first broker login flow (review profile, optionally link to an existing account by email).
- Account linking — if a user already exists with the same email, Keycloak can link the external identity to it rather than creating a duplicate.
- Mappers — map IdP claims/attributes (groups, roles, name) onto the Keycloak user with identity provider mappers.