SSO with Keycloak and Azure Active Directory

Question

We have integrated keycloak with Azure Active Directory and integrated it with a few applications.

We have a few applications that are directly integrated with Azure Active Directory. Is there an approach I can follow to make a person logged in to one application to be signed in all the other applications irrespective of the authentication provider used (keycloak or Azure AD)?

Normally I'll be logged into all applications integrated with keycloak if I signin into one application integrated with keycloak and vice-versa with Azure AD.

Answer 1

Your requirement can be fulfilled with the app service feature by leveraging the token store and authorization behavior of the configured authentication providers for the apps configured. But only tokens received from keycloak can be forwarded to Azure AD for authentication purposes and further sign in respectively to all apps registered with Azure AD. The reverse is not possible as keycloak doesn’t has the ability to forward the sign in token request received for the application configured back to Azure AD for authorization.

You will have to enter the REST API code for signing in and out of a session accordingly by incorporating the below likewise code in your environment.

<a href="/.auth/login/aad">Log in with the Microsoft Identity Platform</a>
<a href="/.auth/login/facebook">Log in with Facebook</a>
<a href="/.auth/login/google">Log in with Google</a>
<a href="/.auth/login/twitter">Log in with Twitter</a>
<a href="/.auth/login/apple">Log in with Apple</a>

Please find the below documentation for an approach on forwarding the authentication tokens from Keycloak to Azure AD for access authorization: -

https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization

https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-customize-sign-in-out

Thanking you,