SSO between different applications: step 1 (same realm)

Hi all,

We would appreciate support in assessing the feasibility of the following scenario - initially, on the same realm.

  • Main application (domain X): this application is the preferred access point for users, providing access through a menu to different independent applications. The application is configured for OIDC access (authorization code) using a client (ClientMainApp). The application receives a set of specific claims, defined in ClientMainApp.
  • Application 1 (domain Y): this is one of the different N independent applications in our ecosystem.
    The application is configured for OIDC access (authorization code) using a client (ClientApp1). The application receives a set of specific claims, defined in ClientApp1.
    Although the application is currently accessed directly, we are exploring the feasibility of accessing it through the main application.
    The intended user experience is the following. Initially, the user accesses the main application (domain X), authenticates and the main app is launched. Once logged in, the user clicks the menu to open Application 1 (domain Y), which is launched in a different tab/window without requiring the user
    to authenticate, and Application 1 is provided with the set of specific claims defined in ClientApp1.

Considering token conversion is required, we approach the solution using token exchange (internal-internal) and we managed to convert the tokens. However, we haven’t managed to launch Application 1 with the obtained token - we have serious doubts on whether this is feasible.

We would highly appreciate any hint or support in addressing this scenario.

Thanks in advance!

Don’t know why you want to use token exchange. The domains the clients reside on don’t matter, as long as all of your clients use the same IdP URL. This way, SSO should work ootb.
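As an added example (not code from any poster in this thread), this is the relying-party side of the flow the reply above relies on: each application redirects to the same issuer with its own client_id, and when Application 1 is opened the IdP answers that redirect from the user's existing SSO session without a login prompt. The issuer and endpoint URL are assumed placeholders; the validation functions show the checks each app still has to apply to the token it receives for its own client.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Assumed issuer (placeholder); every client must use this same IdP URL.
ISSUER = "https://idp.example.com/realms/demo"
AUTHORIZE_ENDPOINT = ISSUER + "/protocol/openid-connect/auth"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_authorization_request(client_id, redirect_uri, scope="openid"):
    """Redirect an app issues when it is opened; returns the URL and the
    per-request secrets (state, nonce, PKCE verifier) kept until the callback."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)
    code_challenge = _b64url(hashlib.sha256(code_verifier.encode()).digest())
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    pending = {"state": state, "nonce": nonce, "code_verifier": code_verifier}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), pending

def validate_callback(pending, returned_state):
    """Reject a callback whose state does not match the request we issued."""
    return secrets.compare_digest(pending["state"], returned_state)

def validate_id_token_claims(claims, pending, client_id, now=None):
    """Checks each app applies to the ID token minted for its own client.
    A token for another client in the realm (other `aud`) is rejected even
    though the user already holds an SSO session at the IdP."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    return (
        claims.get("iss") == ISSUER
        and client_id in aud
        and claims.get("nonce") == pending["nonce"]
        and claims.get("exp", 0) > now
    )
```

The menu entry in the main application is then just a link to Application 1's URL; Application 1 runs `build_authorization_request` itself and the shared IdP session does the rest.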

Thanks for your prompt response!

As I understand, you suggest that the scenario is feasible without token exchange if both clients share the same IDP. This is how it is configured but I would say it didn’t work.
Tomorrow I will test again…

How should the menu in main application launch Application1? Just invoking a GET call to Application 1 main URL?

Thanks again for your support!

What do you exactly mean by “launch Application”? What is “launching”?
Just opening it in the browser?

This might help clarify the topic:

Hi Dasniko,

According to the scenario we provided, Application 1 is launched by clicking from a menu in the main application. Therefore, this is not a standard direct login in Application 1 - but an access once the user is already authenticated in a different application (MainApplication).

Best regards,