IYH

Reputation: 80

Keycloak SSO with JWT is this possible?

We have a web application that uses Keycloak for authentication, and we need to add JWT as an SSO possibility.

Keycloak allows us to fairly easily set up SSO for our customers who mainly have some kind of SAML setup.

However, a new system was sold to pretty much all our customers, and this system also claims to provide SSO.

However, I don't really understand, as they simply send a JWT (JSON Web Token).

I don't see any way to set them up as an Identity Provider with just that.

So I figured that perhaps we could add some JWT step to the browser login flow, and then request account linking.

That looks like it's pretty simple to set up in the admin console, like so: [screenshot: test browser changes]

I would like to know if something like this is even possible?

If it is, how do I assign my custom authenticator to my newly created "Portal JWT" flow?

I have been reading some of the Keycloak server development docs here.

I have yet to try coding any of this, as I am not remotely sure if my idea is even possible.

The documentation also mentions that to deploy this supposed custom Authenticator I simply have to place it in the providers directory, but that does not seem to exist any more.

I realize that this question contains no code, so I might be wrong in asking it here, but to me it just seems like the most fitting of the Stack Exchanges I know.

Still, feel free to correct me.

Upvotes: 1

Views: 2078

Answers (1)

Mark

Reputation: 5632

I'm not totally clear on your flow, but when it comes to "does Keycloak support SSO", the answer is most certainly yes.

You can use Keycloak in a couple of ways:

  1. As an Identity Provider. Keycloak maintains identity and access information for your organization and provides it to a trusted third party. This allows your users to access that third party's system using your credentials.
  2. As an Identity Broker. Keycloak adds 1 or more third party identity providers as trusted sources of identity. This allows users from trusted third party organizations to access your systems with their 3rd party credentials.

To do either of these, Keycloak supports both SAML and OIDC. SAML is XML-based. OIDC might be what you're referring to. OIDC uses signed JWT tokens (an access token and an id token) to convey identity information.

If someone is saying "send a JWT token", they're probably talking about the Keycloak-as-Identity-Broker use case. In order to integrate a 3rd party Identity Provider into your Keycloak identity broker, you'll need more than just their JWT tokens. Typically you'll need four things at a minimum: their authentication endpoint, their token endpoint, and the client_id and client_secret that they provide to you. This allows your Keycloak to trust their 3rd party IdP and it's what allows Keycloak to recognize, verify and use JWT tokens issued by them.

Upvotes: 3
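As an added example (not part of the question or the answer above), this is what those four items look like when expressed as a Keycloak OIDC identity-provider definition, the body you would POST to `/admin/realms/{realm}/identity-provider/instances` on the admin REST API. The alias, the URLs under `idp.example.com` and the client credentials are placeholders standing in for whatever the third-party system actually publishes; `firstBrokerLoginFlowAlias` names Keycloak's built-in "first broker login" flow, which is where the account linking mentioned in the question happens.

```json
{
  "alias": "portal-jwt",
  "displayName": "Portal (third-party OIDC)",
  "providerId": "oidc",
  "enabled": true,
  "trustEmail": false,
  "storeToken": false,
  "firstBrokerLoginFlowAlias": "first broker login",
  "config": {
    "authorizationUrl": "https://idp.example.com/oauth2/authorize",
    "tokenUrl": "https://idp.example.com/oauth2/token",
    "clientId": "PLACEHOLDER-client-id-from-third-party",
    "clientSecret": "PLACEHOLDER-client-secret-from-third-party",
    "issuer": "https://idp.example.com",
    "validateSignature": "true",
    "useJwksUrl": "true",
    "jwksUrl": "https://idp.example.com/.well-known/jwks.json",
    "defaultScope": "openid email profile",
    "syncMode": "IMPORT"
  }
}
```

The `issuer`, `validateSignature` and `jwksUrl` entries are what let Keycloak reject a token it cannot verify: it checks the `iss` claim and the signature against the third party's published keys rather than trusting the JWT's contents as presented. Leaving `trustEmail` off means a brokered user still has to confirm their address before being linked to an existing local account.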
