Home
Welcome to the keycloak-psso-extension wiki!
After installing the extension on your Keycloak instance, a few configuration steps are still needed. The steps below assume that the companion SSO Extension is being used; if you have built your own extension, details such as the redirect URI and the bundle identifier may differ.
A client scope called urn:apple:platformsso needs to be created. It will be added to the client. It can be empty, that is, it doesn't need any mapper or claim on it.
Create a non-confidential (public) OIDC client with these characteristics:
- the valid redirect URI must be exactly `weblogin-sso://idp-login-redirect`
- add the client scope you created, called `urn:apple:platformsso`
- we also recommend adding the `offline_access` scope if it is not already assigned to this client; this is optional
Note: If you use the `offline_access` scope, set the Access token lifespan in your client configuration to a higher value. This value determines how long an SSO session lasts before the user has to re-authenticate:
You find that setting under Client > Your Client > Advanced.
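The client scope and client described in the steps above, written out as Keycloak admin-API representations together with a checker that flags the common mistakes (confidential client, wildcard redirect URI, scope not attached, `offline_access` without a raised token lifespan). This is an added example, not code from the keycloak-psso-extension project; the client id `platform-sso` and the 8-hour lifespan are illustrative choices, and the field names follow Keycloak's ClientRepresentation and ClientScopeRepresentation.

```python
"""Build and sanity-check Keycloak representations for the Platform SSO client.

Added example (not part of keycloak-psso-extension). Field names follow the
Keycloak admin REST API; CLIENT_ID and the default lifespan are assumptions.
"""
import json

PSSO_SCOPE = "urn:apple:platformsso"
PSSO_REDIRECT = "weblogin-sso://idp-login-redirect"
CLIENT_ID = "platform-sso"            # assumed name, pick your own
REALM_DEFAULT_LIFESPAN_S = 300        # Keycloak's default access token lifespan


def build_psso_client_scope() -> dict:
    """Empty OIDC client scope: no protocol mappers, no claims."""
    return {
        "name": PSSO_SCOPE,
        "protocol": "openid-connect",
        "protocolMappers": [],
    }


def build_psso_client(access_token_lifespan_s: int = 8 * 3600,
                      offline_access: bool = True) -> dict:
    """Public (non-confidential) OIDC client wired for the SSO extension."""
    return {
        "clientId": CLIENT_ID,
        "protocol": "openid-connect",
        "publicClient": True,              # non-confidential: no client secret
        "standardFlowEnabled": True,       # authorization code flow
        "directAccessGrantsEnabled": False,
        "redirectUris": [PSSO_REDIRECT],   # exact URI, no wildcard
        "defaultClientScopes": [PSSO_SCOPE],
        "optionalClientScopes": ["offline_access"] if offline_access else [],
        # Per-client override of "Access token lifespan" (Advanced tab), seconds.
        "attributes": {"access.token.lifespan": str(access_token_lifespan_s)},
    }


def check_psso_client(client: dict) -> list:
    """Return the list of problems found; an empty list means the recipe is met."""
    problems = []
    if client.get("protocol") != "openid-connect":
        problems.append("protocol must be openid-connect")
    if not client.get("publicClient"):
        problems.append("client must be public (non-confidential)")
    uris = client.get("redirectUris", [])
    if PSSO_REDIRECT not in uris:
        problems.append(f"missing redirect URI {PSSO_REDIRECT}")
    for uri in uris:
        if "*" in uri:
            problems.append(f"wildcard redirect URI {uri!r}: use the exact URI only")
    scopes = set(client.get("defaultClientScopes", [])) | set(client.get("optionalClientScopes", []))
    if PSSO_SCOPE not in scopes:
        problems.append(f"client scope {PSSO_SCOPE} not attached")
    if "offline_access" in scopes:
        lifespan = client.get("attributes", {}).get("access.token.lifespan")
        if not lifespan or int(lifespan) <= REALM_DEFAULT_LIFESPAN_S:
            problems.append("offline_access attached but access.token.lifespan not raised")
    return problems


if __name__ == "__main__":
    # Print both representations; they can be POSTed to the admin REST API
    # (/admin/realms/{realm}/client-scopes and /admin/realms/{realm}/clients).
    print(json.dumps(build_psso_client_scope(), indent=2))
    print(json.dumps(build_psso_client(), indent=2))
    print("problems:", check_psso_client(build_psso_client()))
```

Export an existing client from the admin console and run it through `check_psso_client` to confirm it matches the steps above; the wildcard check is there because a redirect URI such as `weblogin-sso://*` would let any handler of that scheme receive the authorization code.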
On your Authentication menu, enable the Required Action so that users can see their authentication credentials on their Account menu:
You need to add the authenticator to your authentication flow so that Keycloak recognizes the authentication token sent by the SSO Extension. Add it to your flow directly under the Cookies authenticator:
The following JSON needs to be served from the endpoint mentioned above:
```json
{
  "authsrv": {
    "apps": [
      "<YOURTEAM>.no.uio.WebloginSSO"
    ]
  },
  "webcredentials": {
    "apps": [
      "<YOURTEAM>.no.uio.WebloginSSO"
    ]
  }
}
```
Replace `<YOURTEAM>` with your Apple Team ID and `no.uio.WebloginSSO` with the bundle identifier of your SSO Extension. This is what allows the SSO Extension to send requests to your Keycloak instance.
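A small check to run on the file before publishing it, as an added example that is not part of the project. It assumes the endpoint above serves Apple's `apple-app-site-association` format, where every `apps` entry is `<TeamID>.<bundle identifier>` with a 10-character alphanumeric team ID; the team ID `ABCDE12345` in the constructed sample is made up, and the check catches the two mistakes that most often leave the template broken: a `<YOURTEAM>` placeholder left in place, and the extension listed under only one of the two sections.

```python
"""Validate the association JSON above before publishing it.

Added example, not part of keycloak-psso-extension. Assumes Apple's
apple-app-site-association layout; team id ABCDE12345 is constructed.
"""
import json
import re

# "<TeamID>.<bundle id>": 10 alphanumerics, then a dotted bundle identifier.
APP_ENTRY = re.compile(r"^[A-Z0-9]{10}\.[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed sample: the page's template with a made-up team id filled in.
SAMPLE_AASA = """{
  "authsrv":        {"apps": ["ABCDE12345.no.uio.WebloginSSO"]},
  "webcredentials": {"apps": ["ABCDE12345.no.uio.WebloginSSO"]}
}"""

# The template exactly as it appears on the page, placeholder not replaced.
TEMPLATE_AASA = """{
  "authsrv":        {"apps": ["<YOURTEAM>.no.uio.WebloginSSO"]},
  "webcredentials": {"apps": ["<YOURTEAM>.no.uio.WebloginSSO"]}
}"""


def check_aasa(text: str, bundle_id: str) -> list:
    """Return problems found in the association file for the given extension."""
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    for section in ("authsrv", "webcredentials"):
        apps = doc.get(section, {}).get("apps")
        if not isinstance(apps, list) or not apps:
            problems.append(f"{section}.apps missing or empty")
            continue
        for entry in apps:
            if not isinstance(entry, str) or not APP_ENTRY.match(entry):
                problems.append(f"{section}: {entry!r} is not <TeamID>.<bundle id>")
        # The extension must be listed in both sections, not just one of them.
        if not any(isinstance(e, str) and e.endswith("." + bundle_id) for e in apps):
            problems.append(f"{section}: extension {bundle_id} not listed")
    return problems


if __name__ == "__main__":
    print("sample  :", check_aasa(SAMPLE_AASA, "no.uio.WebloginSSO"))
    print("template:", check_aasa(TEMPLATE_AASA, "no.uio.WebloginSSO"))
```

Fetch the published file with `curl` and feed the body to `check_aasa` with your extension's bundle identifier; anything other than an empty list means the extension will not be trusted for that host.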