Keycloak OIDC Integration Setup Guide
In this guide, we will cover how to set up Descope as a federated Identity Provider (IdP) using OpenID Connect (OIDC) to implement authentication for applications that currently use Keycloak.
Configuring Keycloak SSO
Descope will act as the OIDC IdP so that Descope can be used for authentication while Keycloak remains the primary user management solution.
This will allow you to have the versatility and customizability of Descope Flows in the authentication process without having to migrate all users from Keycloak.
After installing Keycloak and running it on your local machine, navigate to the Identity Providers section of the menu.
Select Keycloak OpenID Connect to create a new identity provider. This is where the Descope Application information will be entered.
Now in the Descope Console, navigate to the Applications page and create a new application by pressing the create button in the top right. Make sure the new application that is being created is using OIDC.
After creating the Application in Descope, copy the Discovery URL from the Application settings and enter it as the Discovery endpoint in Keycloak.
The Client ID and Client Secret must also be configured. The Client ID is the Project ID of the Descope project you are using. The Client Secret is an Access Key you must create in the Descope Console on the Access Key page.
After creating the Access Key, copy it and store it somewhere secure, as this is the only time you will be able to see it. Then paste it into the Client Secret field in Keycloak.
SSO is now enabled for Keycloak. Be sure to grant new users roles and permissions in Keycloak so that they can utilize the Keycloak console.
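Before pasting the Discovery URL into Keycloak, it is worth checking that the document it serves is consistent. The following is an added example, not code from Descope or Keycloak: it checks a discovery document against the OIDC Discovery rules (HTTPS endpoints, issuer matching the URL, authorization code flow advertised). The hostname, project ID, and function names are assumptions made for illustration.

```python
import json
import urllib.request
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def fetch(discovery_url):
    """Download the discovery document (not called by the offline sample below)."""
    with urllib.request.urlopen(discovery_url, timeout=10) as resp:
        return json.load(resp)

def check_discovery(discovery_url, doc):
    """Return a list of problems; an empty list means the document looks sane."""
    problems = []
    if urlparse(discovery_url).scheme != "https":
        problems.append("discovery URL is not https")
    if not discovery_url.endswith(WELL_KNOWN):
        problems.append("discovery URL does not end with " + WELL_KNOWN)
    for key in REQUIRED:
        value = doc.get(key)
        if not isinstance(value, str) or not value:
            problems.append("missing " + key)
        elif urlparse(value).scheme != "https":
            problems.append(key + " is not https")
    # OIDC Discovery 1.0: issuer + well-known path must equal the URL the
    # document was retrieved from (a trailing slash on the issuer is tolerated).
    issuer = doc.get("issuer")
    if isinstance(issuer, str) and issuer.rstrip("/") + WELL_KNOWN != discovery_url:
        problems.append("issuer does not match discovery URL")
    # Keycloak's OIDC broker uses the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems

# Constructed sample: hostname and project ID are placeholders, not Descope values.
SAMPLE_URL = "https://idp.example.test/P_EXAMPLE" + WELL_KNOWN
SAMPLE_DOC = {
    "issuer": "https://idp.example.test/P_EXAMPLE",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "jwks_uri": "https://idp.example.test/P_EXAMPLE/keys",
    "response_types_supported": ["code"],
}

if __name__ == "__main__":
    print(check_discovery(SAMPLE_URL, SAMPLE_DOC) or "discovery document OK")
```

To check a real application, pass the Discovery URL copied from the Descope Console to `fetch` and hand the result to `check_discovery`.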
Get started by going to the Applications page in your Descope Console! You can read more about SSO Applications here.
If you have any other questions about Descope or our flows, feel free to reach out to us!