Hashem

Reputation: 29

How to allow Single Sign-On for all clients in Keycloak

I am doing the integration for different platforms and I am using Keycloak as the IdP. I have created a different client for each platform, all of them using the SAML protocol. The users in Keycloak match the user details in my systems, so now I need SSO across all the clients when I log in with a common user. That is, I have system A, system B and system C, and for example user [email protected] is a user common to all the systems. Once I have logged in to system A with the credentials of user [email protected], I need to be logged in to system B and system C as well. It is working separately for each system.

Upvotes: 1

Views: 3356

Answers (1)

winstonhong

Reputation: 1349

Question: How to allow Single Sign-On for all clients in keycloak?

I am doing the integration for different platforms and I am using Keycloak as the IdP. I have created a different client for each platform, all of them using the SAML protocol.

Once I have logged in to system A with the credentials of user [email protected], I need to be logged in to system B and system C as well. It is working separately for each system.

Answer:

(1) Keycloak is an open source software product that provides single sign-on together with identity management and access management, aimed at modern applications and services.

(2) SAML uses the user agent (such as a web browser) to federate the user information (the user identity) from the SAML IdP (Identity Provider) to the SAML SP (Service Provider, e.g. system A, system B and system C).

(3) To allow Single Sign-On for all clients (e.g. system A, system B and system C) using Keycloak, you need to integrate the different platforms (e.g. system A, system B and system C) with the Keycloak SAML IdP.

Once all your different platforms (e.g. system A, system B and system C) have been integrated with the Keycloak SAML IdP, your user (e.g. [email protected]) only needs to use the same web browser to access all the different platforms (e.g. system A, system B and system C).

That is, once you have logged in to system A with the credentials of user [email protected], you will automatically be logged in to system B and system C as well, as long as you use the same web browser.

Follow-up Comment: I knew that before; I tried it with a different system and the same credentials, but it still only logs me in to one application, not the others.

Answer:

(1) "How is SAML solving the cross domain single sign-on problem?" provides valuable information on SAML SSO.

One popular answer provided by Xander:

It actually can be a cookie, because it needn't be associated with the service provider at all, only the identity provider. All either of the two service providers are going to do is make the authentication request to the identity provider, so the process for an unauthenticated user is going to be the same for sp.example1.com as it is for sp.example2.com.

However, when the first request is made from sp.example1.com and the user is redirected to sso.example3.com, the user will login to sso.example3.com and can then set a cookie for sso.example3.com.

Then, when the user visits sp.example2.com, it too will redirect the unauthenticated user to sso.example3.com, but this time, the browser will have a cookie to send along with the request from the last time the user visited sso.example3.com, even though that visit was initiated by a different service provider.

Thus, the cookie from sso.example3.com can identify the user as already authenticated, and the identity provider can continue the process of issuing an assertion for the user to sp.example2.com without requiring the user to complete the login workflow again.

(2) "How is session cookie used to enable SSO?" describes how the session cookie is used for SSO.

See the answer provided by jliu.

Upvotes: 1
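The mechanism quoted in the answer above (the IdP's own session cookie is what carries SSO from one SP to the next, and the cookie lives on the IdP host, not on any SP) is simulated below as an added example; it is not code from the question, the answer, or Keycloak, and it does not use Keycloak's real wire format. The host names sp.example1.com, sp.example2.com and sso.example3.com follow the quoted answer; the third SP (sp.example4.com), the cookie names, the user alice@example.com and all function names are assumptions made for the illustration. It also goes one step beyond the quoted text in two ways that matter when SSO "only logs in to one application": an SP that sends ForceAuthn in its AuthnRequest makes the IdP ignore its existing session and prompt again, and a different browser has no IdP cookie at all, so it gets no SSO either.

```python
"""Toy simulation of SP-initiated SAML web SSO driven by an IdP session cookie.

Constructed example: hosts follow the quoted Stack Overflow answer, everything
else (cookie names, users, assertion dict) is illustrative, not Keycloak's code.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Browser:
    """One user agent. Cookies are keyed by host, like a real cookie jar."""
    cookies: dict = field(default_factory=dict)

    def jar(self, host):
        return self.cookies.setdefault(host, {})


class IdentityProvider:
    """Stands in for the SAML IdP at sso.example3.com (Keycloak in the question)."""

    def __init__(self, host, users):
        self.host = host
        self.users = users            # username -> password (constructed sample data)
        self.sessions = {}            # IdP session id -> authenticated username
        self.credential_checks = 0    # how many times a password was actually verified

    def sso(self, browser, authn_request, credentials=None):
        """Handle an AuthnRequest arriving via browser redirect.

        Returns an assertion dict, or None when a login form would be shown.
        """
        jar = browser.jar(self.host)
        user = self.sessions.get(jar.get("IDP_SESSION"))
        if user is None or authn_request["force_authn"]:
            # No usable IdP session, or the SP demanded fresh authentication.
            if credentials is None:
                return None
            username, password = credentials
            self.credential_checks += 1
            if self.users.get(username) != password:
                raise PermissionError("invalid credentials")
            user = username
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = user
            # This cookie, set on the IdP host, is what gives the next SP SSO.
            jar["IDP_SESSION"] = sid
        return {
            "issuer": self.host,
            "audience": authn_request["issuer"],
            "in_response_to": authn_request["id"],
            "subject": user,
        }


class ServiceProvider:
    """Stands in for one SAML SP, i.e. one Keycloak client (system A, B or C)."""

    def __init__(self, host, idp, force_authn=False):
        self.host = host
        self.idp = idp
        self.force_authn = force_authn
        self.sessions = {}  # SP-local session id -> username

    def access(self, browser, credentials=None):
        """Return the logged-in username, or None if the IdP needs a login first."""
        jar = browser.jar(self.host)
        user = self.sessions.get(jar.get("SP_SESSION"))
        if user is not None:
            return user
        request = {"id": secrets.token_hex(8), "issuer": self.host,
                   "force_authn": self.force_authn}
        assertion = self.idp.sso(browser, request, credentials)
        if assertion is None:
            return None
        # Minimal checks a real SP performs before trusting an assertion.
        if assertion["audience"] != self.host or assertion["in_response_to"] != request["id"]:
            raise ValueError("assertion not intended for this SP or request")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = assertion["subject"]
        jar["SP_SESSION"] = sid
        return assertion["subject"]


def demo():
    """Walk one browser through three SPs and report what each visit produced."""
    idp = IdentityProvider("sso.example3.com", {"alice@example.com": "s3cret"})
    sp_a = ServiceProvider("sp.example1.com", idp)
    sp_b = ServiceProvider("sp.example2.com", idp)
    sp_c = ServiceProvider("sp.example4.com", idp, force_authn=True)  # assumed third SP
    browser = Browser()
    return {
        "first_visit_a": sp_a.access(browser),                          # no IdP cookie: login form
        "after_login_a": sp_a.access(browser, ("alice@example.com", "s3cret")),
        "visit_b": sp_b.access(browser),                                # IdP cookie present: SSO
        "credential_checks_after_b": idp.credential_checks,             # still 1
        "visit_c_force_authn": sp_c.access(browser),                    # ForceAuthn: prompted again
        "fresh_browser_b": sp_b.access(Browser()),                      # other browser: no SSO
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")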
