Keycloak SSO: Single Sign-On Setup, OIDC Integration, and Troubleshooting

Why Keycloak?

Managing user authentication across multiple applications is complex. Keycloak provides a centralized identity layer:

SSO: Users log in once, gain access to all registered apps.
Protocol support: OIDC (OpenID Connect), OAuth 2.0, SAML 2.0.
User federation: Connect to existing LDAP or Active Directory.
Built-in MFA: TOTP, WebAuthn, and email verification out of the box.
Social login: Google, GitHub, Facebook, Microsoft with zero code.

Prerequisites

Docker or a Java 17+ server.
At least 2 GB RAM for Keycloak.
A web application to integrate (any framework/language).

Step 1: Deploy Keycloak

Docker (Development Mode)

docker run -d --name keycloak -p 8080:8080 \
  -e KEYCLOAK_ADMIN=admin \
  -e KEYCLOAK_ADMIN_PASSWORD=admin \
  quay.io/keycloak/keycloak:latest start-dev

Access the Admin Console at http://localhost:8080.

Production Mode

For production, use a PostgreSQL database backend and reverse proxy with TLS:

docker run -d --name keycloak -p 8080:8080 \
  -e KC_DB=postgres \
  -e KC_DB_URL=jdbc:postgresql://db-host:5432/keycloak \
  -e KC_DB_USERNAME=keycloak \
  -e KC_DB_PASSWORD=secret \
  -e KC_HOSTNAME=auth.yourdomain.com \
  -e KC_PROXY=edge \
  quay.io/keycloak/keycloak:latest start

Step 2: Create a Realm and Client

Create a Realm

Log into the Admin Console → click the dropdown (top-left, “master”) → Create Realm.
Name it (e.g., my-company). A realm isolates users, roles, and clients.

Register an OIDC Client

Go to Clients → Create Client.
Client ID: my-web-app
Root URL: http://localhost:3000
Valid Redirect URIs: http://localhost:3000/callback
Access Type: confidential (for server-to-server) or public (for SPAs).

Copy the Client Secret from the Credentials tab — your app will need it to exchange authorization codes for tokens.

Step 3: Integrate Your Application

OIDC Flow (Authorization Code)

Your application redirects the user to:

http://keycloak:8080/realms/my-company/protocol/openid-connect/auth
  ?client_id=my-web-app
  &redirect_uri=http://localhost:3000/callback
  &response_type=code
  &scope=openid profile email

After login, Keycloak redirects back with a code. Your backend exchanges the code for tokens:

curl -X POST http://keycloak:8080/realms/my-company/protocol/openid-connect/token \
  -d "grant_type=authorization_code" \
  -d "code=THE_AUTH_CODE" \
  -d "client_id=my-web-app" \
  -d "client_secret=YOUR_SECRET" \
  -d "redirect_uri=http://localhost:3000/callback"

Step 4: User Federation (LDAP/AD)

Go to User Federation → Add Provider → LDAP.
Connection URL: ldap://ad-server:389
Bind DN: cn=admin,dc=company,dc=com
Users DN: ou=Users,dc=company,dc=com
Click Test Connection and Test Authentication.
Click Sync All Users to import from AD.

Troubleshooting

Problem	Solution
”Invalid redirect_uri”	Add the exact URI (with protocol/port/path) in Client → Valid Redirect URIs
Token expired immediately	Check `Access Token Lifespan` in Realm Settings → Tokens (default 5 min may be too short)
LDAP users can’t login	Verify Bind DN credentials, user search base, and test connection in User Federation
”Client not found” error	Ensure client ID matches exactly (case-sensitive) and is in the correct realm
CORS errors from SPA	Add your app’s origin to Client → Web Origins (e.g., `http://localhost:3000`)

Summary

Use Realms to isolate tenants and Clients to register applications.
Use confidential access type for server-side apps, public for SPAs.
Connect to LDAP/AD via User Federation for enterprise directories.
Always set exact Valid Redirect URIs to avoid authentication errors.

Frequently Asked Questions

What is Keycloak and why use it for SSO?

Keycloak is an open-source Identity and Access Management (IAM) solution by Red Hat. It provides Single Sign-On (SSO) so users log in once and gain access to multiple applications. It supports OIDC, OAuth2, and SAML 2.0 protocols, user federation with LDAP/Active Directory, and includes built-in MFA, branding, and social login.

What is the difference between a Keycloak Realm and a Client?

A Realm is a namespace that manages a set of users, credentials, roles, and groups. Think of it as an isolated tenant. A Client is an application (web app, mobile app, API) registered within a realm that can request authentication. Each realm can have many clients.

Why do I get 'Invalid redirect_uri' when logging in via Keycloak?

Keycloak validates the redirect_uri sent by your application against the list of Valid Redirect URIs configured in the client settings. If the URI doesn't match exactly (including protocol, port, and path), Keycloak rejects it. Add the exact URI (e.g., http://localhost:3000/callback) in the client's settings.

How do I connect Keycloak to my company's Active Directory / LDAP?

In the Keycloak Admin Console, go to User Federation > Add Provider > LDAP. Enter the connection URL (ldap://ad-server:389), bind DN (e.g., cn=admin,dc=company,dc=com), and user search base. Keycloak will sync users from AD/LDAP, allowing them to log in with their existing corporate credentials.