[keycloak-user] Best way to do SSO

Romain Rhieu romain.rhieu at gmail.com
Thu Jul 5 03:26:48 EDT 2018


Hi,

I am currently working on setting up keycloak to manage the authentication
and authorization of a huge application pool.

I have a series of applications that have both public and protected areas.
So, I need to be able to identify a user that lands on a public url in
order to show personalized content.

Google offers similar functionality :
- Go to https://mail.google.com
- Login
- Then go to https://www.youtube.com
- You see personalized content on a page that is obviously public.

I'm wondering about the best way to do SSO. Reading the documentation, I
see two hypotheses:

1/ *Use Keycloak as basis*

Keycloak has to be customized in order so the session cookie becomes
available to whole domain (.example.com instead of keycloak.example.com)

Applications must store cookie value in session and deal with session
management.

However, I read in the documentation that I should not rely on this cookie
directly because its format can change and it’s also associated with the
URL of the Keycloak server, not my application.



2/ U*se JS adapter to use "check-sso" feature*

At each request on my application, when the page is loading, I call the
function "check-sso". If the user is already authenticated to Keycloak, I
refresh the page and create a user session on my application.

Do you think these hypothesis are good ?

Do you know a better way to do SSO?

Thanks in advance


More information about the keycloak-user mailing list