Integrating Keycloak with Auth0 Using Skycloak SSO Templates

Introduction

In a previous article, I explained how to integrate Keycloak with Auth0 using Keycloak’s native Identity Brokering capabilities. That approach required manual configuration within the Keycloak Admin Console.

In this article, we will explore a more streamlined method: configuring a similar integration using the SSO feature available in the Skycloak Console.

Skycloak enables organizations to leverage the full power of open-source Keycloak without the operational overhead of installing, maintaining, scaling, and securing production-grade deployments. Through predefined templates, the Skycloak Console simplifies complex configurations such as Identity Brokering while still relying on Keycloak’s native capabilities underneath.

In this guide, we will:

  • Use the OIDC template for Auth0
  • Configure Auth0 as an external Identity Provider
  • Automatically provision a Keycloak Identity Broker
  • Test authentication using the built-in Keycloak Account Console

Architecture Overview

This integration involves three core components:

  1. OIDC Client in Keycloak
    We will use the built-in Account Console client for simplicity.
  2. Keycloak Identity Broker
    Created via the Skycloak Console’s SSO feature.
  3. External Identity Provider (Auth0)
    An OIDC application registered in Auth0.

Keycloak will act as an Identity Broker, delegating authentication to Auth0 while maintaining control over user provisioning and session management.

Step 1: Configure the OIDC Application in Auth0

From the Auth0 Dashboard:

  1. Navigate to Applications
  2. Click Create Application
  3. Select Regular Web Application
  4. Click Create

Configure the Following Settings

You will need to define:

Allowed Callback URL

https://<your-keycloak-hostname>/realms/<your-realm>/broker/auth0/endpoint

⚠️ This value must exactly match the Redirect URL displayed in the Skycloak SSO template.

Allowed Logout URL

https://<your-keycloak-hostname>/realms/<your-realm>/broker/auth0/endpoint/logout_response

Allowed Web Origin

https://<your-keycloak-hostname>

Finally, copy the following values — they will be required during broker configuration:

  • Client Secret
  • Client ID
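The exact-match requirement on these Auth0 settings can be checked before saving them. The following is an added example, not code from the original article or from Skycloak: it builds the three expected values from the URL patterns above and reports why a configured value differs. The host sso.example.test, the realm corp, the sample values and all function names are assumptions; the alias auth0 is taken from the URLs above.

```python
from urllib.parse import urlsplit

def broker_urls(keycloak_host, realm, alias="auth0"):
    """Build the three Auth0 settings from the URL patterns shown above."""
    origin = f"https://{keycloak_host}"
    endpoint = f"{origin}/realms/{realm}/broker/{alias}/endpoint"
    return {
        "Allowed Callback URL": endpoint,
        "Allowed Logout URL": f"{endpoint}/logout_response",
        "Allowed Web Origin": origin,
    }

def explain_mismatch(expected, configured):
    """Return [] on an exact match, otherwise the reasons the values differ."""
    if configured == expected:
        return []
    reasons = []
    if configured != configured.strip():
        reasons.append("leading or trailing whitespace")
    exp, got = urlsplit(expected), urlsplit(configured.strip())
    if got.scheme != exp.scheme:
        reasons.append(f"scheme is {got.scheme!r}, expected {exp.scheme!r}")
    if got.netloc != exp.netloc:
        reasons.append(f"host is {got.netloc!r}, expected {exp.netloc!r}")
    if got.path.rstrip("/") == exp.path and got.path != exp.path:
        reasons.append("extra trailing slash")
    elif got.path.lower() == exp.path.lower() and got.path != exp.path:
        reasons.append("path differs only in letter case")
    elif got.path != exp.path:
        reasons.append(f"path is {got.path!r}, expected {exp.path!r}")
    return reasons or ["differs from the expected value"]

def audit(configured, keycloak_host, realm, alias="auth0"):
    """Compare the values entered in Auth0 against the expected ones."""
    expected = broker_urls(keycloak_host, realm, alias)
    return {name: explain_mismatch(url, configured.get(name, ""))
            for name, url in expected.items()}

# Constructed sample: hypothetical values as typed into the Auth0 application.
SAMPLE = {
    "Allowed Callback URL": "https://sso.example.test/realms/corp/broker/auth0/endpoint/",
    "Allowed Logout URL": "https://sso.example.test/realms/corp/broker/auth0/endpoint/logout_response",
    "Allowed Web Origin": "http://sso.example.test",
}

if __name__ == "__main__":
    for name, problems in audit(SAMPLE, "sso.example.test", "corp").items():
        print(f"{name}: {'; '.join(problems) or 'OK'}")
```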

Step 2: Configure the Identity Broker Using Skycloak Console

Add provider link on the right panel

Now we configure Keycloak’s Identity Brokering via the Skycloak Console.

  1. Select your cluster
  2. Select the appropriate realm
  3. In the left menu, click SSO
  4. Click Add Provider

You will see a rich list of predefined templates.

Select:

Auth0 (OIDC Template)

Provide Required Configuration

You will need:

  • Client ID (from Auth0)
  • Client Secret (from Auth0)
  • OIDC Discovery URL

The Discovery URL format is typically:

https://<your-auth0-tenant>.auth0.com/.well-known/openid-configuration

If region-specific:

https://<tenant>.<region>.auth0.com/.well-known/openid-configuration

Click Auto-Detect to fetch endpoints automatically.

Once completed:

  • Click Test Connection
  • Ensure the connection succeeds
  • Click Save and Enable

At this point, Skycloak creates a fully configured Identity Provider inside Keycloak.

More details on the OIDC discovery endpoint are available here.
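Before trusting the auto-detected endpoints, the discovery document itself can be checked for consistency. The following is an added example, not code from the original article or from Skycloak: it verifies that the advertised issuer matches the Discovery URL and that each endpoint uses HTTPS on the issuer's host. The host idp.example.test, both sample documents and the function name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(discovery_url, doc):
    """Return a list of problems; an empty list means none were found."""
    if not discovery_url.endswith(WELL_KNOWN):
        return ["URL does not end in " + WELL_KNOWN]
    problems = []
    if urlsplit(discovery_url).scheme != "https":
        problems.append("discovery URL is not https")
    issuer = doc.get("issuer", "")
    # OIDC Discovery requires the advertised issuer to be the one the URL was
    # built from. Auth0 issuers end in "/", so compare without that slash.
    if issuer.rstrip("/") != discovery_url[: -len(WELL_KNOWN)].rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match the discovery URL")
    issuer_host = urlsplit(issuer).hostname
    for key in ENDPOINTS:
        value = doc.get(key)
        if not value:
            problems.append(f"{key} is missing")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":
            problems.append(f"{key} is not https")
        # Assumption of this example, not an OIDC rule: endpoints are expected
        # on the issuer's host, so any other host is flagged for review.
        if parts.hostname != issuer_host:
            problems.append(f"{key} is on {parts.hostname!r}, not the issuer host")
    # The broker signs users in with the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' is not advertised")
    return problems

# Constructed documents; idp.example.test stands in for the Auth0 tenant domain.
URL = "https://idp.example.test" + WELL_KNOWN
GOOD = {
    "issuer": "https://idp.example.test/",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/oauth/token",
    "jwks_uri": "https://idp.example.test/.well-known/jwks.json",
    "response_types_supported": ["code", "token", "id_token"],
}
# Same document with the token endpoint moved to another host over plain HTTP.
BAD = dict(GOOD, token_endpoint="http://collector.example.net/oauth/token")

if __name__ == "__main__":
    print(check_discovery(URL, GOOD), check_discovery(URL, BAD), sep="\n")
```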

Auth0 template at Skycloak Console

Step 3: Attribute Mapping During First Login

When a user logs in via Auth0 for the first time, Keycloak can:

  • Create a local user
  • Map attributes
  • Assign roles
  • Link accounts

To configure attribute mapping:

In the Keycloak Admin Console, navigate to:

Identity Providers → auth0 → Mappers → Add Mapper

You can define:

  • Username mapping
  • Email mapping
  • Custom claims mapping, etc.

Since my previous article mentioned in the introduction has more details on attribute mapping, it is not repeated here.

Step 4: Test the Integration

Open the Keycloak Account Console:

https://<keycloak-hostname>/realms/<realm-name>/account/

You should now see:

Sign in with Auth0

Authentication Flow

  1. User clicks Sign in with Auth0
  2. Browser redirects to Auth0
  3. User authenticates at Auth0
  4. Auth0 redirects back to Keycloak
  5. Keycloak creates the user (on first login)
  6. Session is established

Keycloak remains the central IAM authority while delegating authentication to Auth0.

What Makes the Skycloak Approach Different?

Traditionally, configuring Identity Brokering in Keycloak requires:

  • Manual endpoint configuration
  • Careful validation of redirect URLs
  • Increased risk of misconfiguration

The Skycloak SSO template approach provides:

  • Predefined provider templates
  • Automatic endpoint detection
  • Built-in validation
  • Reduced configuration errors
  • Faster onboarding of external IdPs

This is particularly valuable in enterprise environments managing multiple external Identity Providers.

Summary

In this article, we demonstrated how to configure Identity Brokering between Keycloak and Auth0 using the Skycloak Console’s SSO template.

Key takeaways:

  • Auth0 acts as the external Identity Provider.
  • Keycloak acts as the Identity Broker.
  • Skycloak simplifies broker configuration using templates.
  • The underlying implementation still relies on Keycloak’s native Identity Brokering capabilities.

This approach enables organizations to maintain centralized IAM control while leveraging external authentication providers in a clean, maintainable, and production-ready manner.

About Skycloak

If you’re new to Skycloak, visit the Skycloak Getting Started Guide to learn more about securing your Keycloak deployments.

Skycloak is a fully managed Keycloak platform hosted in the cloud. It enables organizations to leverage the power of open-source Keycloak IAM without the operational overhead of installing, maintaining, and scaling production-grade Keycloak environments—delivered securely and cost-effectively.

© 2026 Skycloak. All Rights Reserved. Design by Yasser Soliman