기술 자료

Single sign-on

Set up single sign-on with OpenID Connect for your private cloud
읽는 시간 1분최근 업데이트: 하루 전

Overview

Streamline the management of users in Self-Hosted Deployment with single sign-on (SSO) and just-in-time (JIT) user provisioning. Self-Hosted Deployment implements SSO through an enterprise identity provider (IdP) using the OpenID Connect (OIDC) protocol. You can use any OIDC-compliant IdP.

Just-in-time provisioning

Keycloak's JIT provisioning mechanism provides these automated features:
  • Creation of the user account on the first sign-in. You don't need to manually create users. This automated step reduces administrative overhead and enhances the user experience.
  • Population of user attributes. When setting up SSO, you set predefined mappers in Keycloak to automatically populate, on the first sign-in, user attributes from an external IdP or from Keycloak's user store.
The JIT user provisioning process occurs behind the scenes, with a seamless user experience:
  1. Self-Hosted Deployment redirects, through the OIDC protocol, the new user to their IdP, to sign in.
  2. The IdP returns the user details to Keycloak.
  3. Keycloak sends these details to Self-Hosted Deployment in the form of claims.
  4. Self-Hosted Deployment uses these claims to create the user account on the fly.

Setup

The setup procedure differs, depending on the IdP vendor. This section provides guidance for Microsoft, with Entra ID, and for Okta. In Keycloak, the predefined unity realm stores all the settings and objects that are related to Virtual Private Cloud. When you open the Keycloak admin console, switch to the unity realm. To set up SSO for Self-Hosted Deployment, complete these tasks: To maintain security of the solution perform these tasks regularly: