Deploying Keycloak IdP and FusionAuth (OIDC)


This guide shows how to configure Keycloak as an Identity Provider (IdP) with FusionAuth.

To begin, please ensure you have administrative access to both your Keycloak and FusionAuth environments. The following high-level milestones will be reached through the course of our deployment.

Overall Objectives:

  1. Configure the FusionAuth Client (SP) within Keycloak

  2. Configure Keycloak as an Identity Provider (IdP) within FusionAuth

Create an OIDC Client in the Keycloak Console:

Start by accessing the administrative console for your Keycloak environment. It is important to note that within your Keycloak deployment there are ‘realms’. Each realm will have a unique Federation / OIDC configuration. Select the realm of your choice for this integration.

  1. Once you have accessed the Keycloak realm of your choice, you will need to do two things. First, take note of the realm name as listed in the Name setting; in the example it is kevtur. This is a case-sensitive value.

Second, click on the Clients section of the navigation bar.



It is critical you keep in mind that the Realm Name is case-sensitive and must be taken from the Name setting as shown in the screenshot above. This value will be used in multiple URLs and is case-sensitive in these URLs too.

  2. Type in the name of the Client ID that you want, make sure the openid-connect option is selected, and then click Save.

  3. Set the “Access Type” to “Confidential”.

  4. Scroll down a bit and set “Valid Redirect URIs” to “*”. Note that the wildcard allows Keycloak to redirect to any URL; outside a test setup, restrict it to the FusionAuth redirect URL.

  5. Scroll down a bit further and click “Save”.

  6. Once saved, scroll back to the top of the page and select “Installation”.

  7. Once selected, choose the option “Keycloak OIDC JSON”.

  8. The following is displayed; it will be used later in the FusionAuth configuration.

  9. Finally, before you leave the “client” definition page, make sure you enable the “HYPR” Authentication options:

Now log in to your FusionAuth server to create the Keycloak IdP data:

  1. From the FusionAuth Management Console, select “Settings”, then “Identity Providers”.

  2. At the top right, click the “+” sign.

  3. From the popup window, select the “OpenID Connect” option.

  4. Fill in the values for “Name”, “Client ID”, “Client Secret” from step 8, and “Issuer”. Change the “Button Text” to something that you would like to see on the login screen when accessing FusionAuth:

  5. Then scroll down to the bottom of the form and 1) add “email openid profile” as three words separated by spaces, 2) toggle the “FusionAuth” app to on, and 3) click “Save”.

  6. Now when you try to log into, say, your FusionAuth Administration Console, you will see the following login screen:

  7. Select “OpenID Connect (With HYPR)” and you will be sent on to the following login page. Type in your email address or userID and select “Continue”.
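
How the “Keycloak OIDC JSON” output maps onto the FusionAuth fields filled in above, shown as an added example that is not part of the original guide or of either product. It assumes the standard Keycloak adapter keys (`realm`, `auth-server-url`, `resource`, `credentials.secret`) and the Keycloak issuer layout `<auth-server-url>/realms/<realm>`; the host, client name and secret are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample of the "Keycloak OIDC JSON" installation output.
# Host, client name and secret are placeholders; "kevtur" is the guide's realm.
INSTALLATION_JSON = """
{
  "realm": "kevtur",
  "auth-server-url": "https://keycloak.example.com/auth/",
  "ssl-required": "external",
  "resource": "fusionauth",
  "credentials": {"secret": "REPLACE-WITH-CLIENT-SECRET"},
  "confidential-port": 0
}
"""

def fusionauth_fields(installation_json: str) -> dict:
    """Map Keycloak's installation JSON onto the FusionAuth OIDC form fields."""
    cfg = json.loads(installation_json)
    secret = cfg.get("credentials", {}).get("secret")
    if not secret:
        # Public clients carry no secret in this JSON.
        raise ValueError("no client secret: is Access Type set to Confidential?")
    base = cfg["auth-server-url"].rstrip("/")
    return {
        "Client ID": cfg["resource"],
        "Client Secret": secret,
        # The realm is copied verbatim: it is case-sensitive in every URL.
        "Issuer": f"{base}/realms/{cfg['realm']}",
    }

def check_issuer(typed: str, expected: str) -> str:
    """Classify a hand-typed Issuer against the value derived from the JSON."""
    if typed == expected:
        return "ok"
    if typed.lower() == expected.lower():
        return "case-mismatch"  # e.g. realm typed as "Kevtur"
    return "mismatch"

if __name__ == "__main__":
    fields = fusionauth_fields(INSTALLATION_JSON)
    for name, value in fields.items():
        print(f"{name}: {'<redacted>' if name == 'Client Secret' else value}")
    # Constructed hand-typed value with the realm in the wrong case.
    typed = "https://keycloak.example.com/auth/realms/Kevtur"
    print("typed issuer check:", check_issuer(typed, fields["Issuer"]))
```
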