My question is more theoretical at this point.
I have a use case where I would have to integrate my application (App 1) with Keycloak and Keycloak with an external identity provider. Keycloak is a mere broker in this case. There are other apps registered on that external IDP as well.
Scenario 1: User has neither logged into App 1 nor the IDP yet
When the user tries to access App 1, it is eventually redirected to the external IDP login form and, post authentication, it would be redirected back to the app. This is a straightforward flow.
Scenario 2: User had already logged into the IDP
What happens when the user has already logged into the IDP, the session is active, and now App 1 is accessed? Would it still show the login form, or would it eventually redirect to App 1 without prompting for the user name and password?
Only if this is possible is true SSO possible, as not every app has to go through the same Keycloak (there could be some apps directly integrated with the external IDP).
Upvotes: 0
Views: 1465
The app usually redirects to Keycloak for the auth. Keycloak detects a valid IDP session (from the cookie) and returns the code/token directly without asking for the user credentials.
But as usual, "it depends". You may have a weird "SSO" implementation in your app (e.g. direct grant flow), you may use an iframe in your apps/login, you may have configured a custom auth flow in Keycloak, ... and all these things may break the default SSO behaviour. But by default SAML/OIDC are SSO protocols.
Upvotes: 1
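As an added illustration (not part of the question or the answer, and not Keycloak's own code), a toy Python model of the two session layers involved: the external IdP holds the session shared by every app, Keycloak keeps its own broker session on top, and App 1 only sees a login form when neither session exists or when the broker is configured to force re-authentication. All class, cookie and function names are invented for the model.

```python
"""Toy model of brokered SSO: App 1 -> Keycloak (broker) -> external IdP.
Added example; cookie names and classes are invented, not Keycloak's."""
from dataclasses import dataclass, field


@dataclass
class Browser:
    # one cookie jar per user agent; real browsers scope cookies per host
    cookies: dict = field(default_factory=dict)


class ExternalIdp:
    """Holds the real user session (cookie 'IDP_SESSION', invented name)."""
    def __init__(self):
        self.prompts = 0  # how many times a login form was shown

    def authorize(self, browser, force_login=False):
        if browser.cookies.get("IDP_SESSION") and not force_login:
            return "idp-code"  # session found: no credentials asked
        self.prompts += 1  # login form shown, user authenticates
        browser.cookies["IDP_SESSION"] = "sess-idp"
        return "idp-code"


class KeycloakBroker:
    """Brokers to the IdP and keeps its own cookie 'KEYCLOAK_SESSION'."""
    def __init__(self, idp, force_login=False):
        self.idp, self.force_login = idp, force_login  # force_login models a custom flow

    def authorize(self, browser):
        if browser.cookies.get("KEYCLOAK_SESSION") and not self.force_login:
            return "kc-code"  # Keycloak's own SSO session is enough
        self.idp.authorize(browser, self.force_login)  # redirect to the IdP
        browser.cookies["KEYCLOAK_SESSION"] = "sess-kc"
        return "kc-code"


def app1_login_prompts(scenario):
    """Return how many login forms the user sees while logging into App 1."""
    idp, browser = ExternalIdp(), Browser()
    kc = KeycloakBroker(idp, force_login=(scenario == "custom-flow"))
    if scenario in ("idp-session", "custom-flow"):
        idp.authorize(browser)  # scenario 2: another app logged in at the IdP
    before = idp.prompts
    kc.authorize(browser)  # App 1 now goes through Keycloak
    return idp.prompts - before


if __name__ == "__main__":
    for name in ("fresh", "idp-session", "custom-flow"):
        print(name, "->", app1_login_prompts(name), "login form(s)")
```

Scenario 1 ("fresh") prompts once, scenario 2 ("idp-session") prompts zero times because the IdP cookie is honoured, and the forced re-authentication case shows how a custom flow breaks the default SSO behaviour.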