Identity Providers

Connect your applications to external identity providers and enable Single Sign-On (SSO) across your organization. Skycloak simplifies the integration of popular identity providers like Google, Microsoft, GitHub, and enterprise systems like Active Directory and SAML providers.

Note: This page covers identity providers for your application’s end users. For team member authentication, see Workspace SSO.

Overview

Identity Providers in Skycloak enable you to:

Enable Single Sign-On (SSO) across all your applications
Connect social logins like Google, Facebook, and GitHub
Integrate enterprise identity with Azure AD, Okta, and Active Directory
Support SAML and OIDC protocols for maximum compatibility
Map user attributes from external sources
Link existing accounts automatically or manually
Configure conditional authentication based on identity source

Why Use Identity Providers?

For Your Users:

One password for everything (SSO)
Use existing accounts they trust
Faster registration and login
No more password fatigue

For Your Organization:

Centralized user management
Enhanced security with enterprise MFA
Reduced support tickets
Compliance with corporate policies
Simplified user provisioning

Prerequisites

An active Skycloak cluster
A configured realm
Admin permissions in your workspace
Credentials from your identity provider (Client ID, Secret, etc.)

Getting Started

Accessing Identity Providers

Navigate to Identity Providers from your dashboard
Select your cluster and realm
View configured providers or add new ones

Identity providers list Description: Shows the identity providers management interface with:

Cluster and realm selectors at the top
“Add Provider” button with dropdown showing provider categories
List of configured providers showing: Google (enabled), Azure AD (enabled), GitHub (disabled)
Each provider card shows: Logo, Name, Status toggle, Users count, Last sync time
Quick actions: Edit, Test Connection, Delete
Provider statistics: Total users, Success rate, Last 7 days activity Focus on: Overview of multiple configured providers with status indicators

Quick Setup with Provider Templates

Using Provider Templates

Skycloak provides pre-configured templates for popular providers:

Click “Add Provider”
Choose from templates:
- Social Providers (Google, Facebook, GitHub, etc.)
- Enterprise (Azure AD, Okta, Auth0, etc.)
- Standard Protocols (OIDC, SAML 2.0)

Provider template gallery Description: Shows provider selection interface with:

Three category tabs: Social, Enterprise, Protocols
Grid of provider cards with logos and names
Popular providers highlighted with “Recommended” badge
Each card shows: Provider logo, Name, Protocol type (OIDC/SAML), Setup time estimate
Search bar to filter providers
Quick setup indicators: “5-minute setup”, “Guided configuration” Focus on: Visual provider selection with clear categorization

Setting Up Google SSO

Step-by-Step Google Configuration

Let’s walk through setting up Google as an identity provider:

1. Create Google OAuth Application

First, set up your app in Google Cloud Console:

Go to Google Cloud Console
Create a new project or select existing
Enable Google+ API
Create OAuth 2.0 credentials

2. Configure in Skycloak

Select Google template
Enter your credentials:
- Client ID from Google
- Client Secret from Google
- Leave redirect URI as generated

Google provider configuration Description: Shows Google SSO setup form with:

Provider basics section: Alias (google), Display Name (Continue with Google)
Google credentials section: Client ID and Client Secret fields with paste buttons
Redirect URI displayed with copy button: https://your-cluster.skycloak.io/realms/your-realm/broker/google/endpoint
Advanced settings collapsed section
Sync settings: Import users (toggle), Update profile (toggle)
Mappers configuration link
Test Connection and Save buttons Focus on: Simple credential entry with helpful copy/paste features

3. Configure Advanced Settings

Recommended Settings:

Default Scopes: openid email profile
Store Tokens: Enable for token refresh
Trust Email: Enable if Google verifies emails
Sync Mode: Import users on first login
Link Accounts: Auto-link by email

Description: Shows expanded advanced settings with:

Authentication settings: First broker flow, Post broker flow dropdowns
Token settings: Store tokens, Accept token from URL toggles
Discovery settings: Discovery endpoint URL override option
Request parameters: Additional parameters key-value editor
UI customization: Button text, Icon override options
Sync options: Force sync, Sync on login checkboxes
Account linking: Strategy dropdown (Email, Username, None) Focus on: Detailed configuration options with helpful tooltips

Setting Up Azure AD (Microsoft)

Enterprise SSO with Azure Active Directory

Connect your Microsoft/Office 365 organization:

1. Register Application in Azure

Go to Azure Portal > Azure Active Directory
Register new application
Configure redirect URIs
Create client secret
Note Tenant ID

2. Configure in Skycloak

Description: Shows Azure AD setup with:

Provider type selector showing “Microsoft” selected
Tenant configuration: Tenant ID field, Multi-tenant toggle
Application credentials: Application ID, Client Secret
Microsoft Graph permissions checklist
Group sync options: Import groups, Group filters
User attribute mapping preview
Domain verification section for automatic user assignment
Test with specific user email option Focus on: Enterprise-specific options and tenant configuration

3. Attribute Mapping

Map Azure AD attributes to Keycloak:

given_name → firstName
family_name → lastName
email → email
groups → groups (with transformation)

Setting Up SAML Providers

SAML 2.0 Configuration

For enterprise SAML identity providers:

1. Basic SAML Setup

Choose SAML 2.0 template
Configure endpoints:
- Single Sign-On URL
- Single Logout URL (optional)
- Metadata URL or upload file

Description: Shows SAML configuration interface with:

SAML URLs section: SSO URL, SLO URL, Metadata URL fields
Or upload metadata XML file option
Certificate configuration: Upload or paste signing certificate
NameID format dropdown: Email, Persistent, Transient options
Signature and encryption toggles
Attribute statement mapping table
SAML response validation options
SP-initiated and IdP-initiated flow toggles Focus on: Technical SAML configuration with validation indicators

2. Advanced SAML Options

Security Settings:

Want AuthnRequests Signed
Want Assertions Signed
Want Assertions Encrypted
Force Authentication
Force POST Binding

Identity Provider Mappers

Customizing User Import

Transform and enrich user data during import:

Attribute Mappers

Map external attributes to Keycloak user properties:

Create new mapper
Select mapper type:
- Attribute Importer
- Hardcoded Attribute
- Attribute Template
- Role Importer

Description: Shows mapper creation interface with:

Mapper name and type selector
Source attribute path (JSON path or claim name)
Target user property dropdown
Transformation options: To lowercase, Extract regex, Default value
Test mapper with sample data section
Preview of mapped value
Sync mode: Import, Force, Inherit Focus on: Visual attribute mapping with transformation preview

Common Mapping Scenarios

Profile Enrichment:

External Claim → Keycloak Attribute
picture → profileImage
locale → preferredLanguage
department → customAttribute.department
manager → customAttribute.managerId

Role Mapping:

groups contains "admin" → realm role "administrator"
groups contains "developers" → client role "developer"

Account Linking

Linking Strategies

Control how external accounts link to existing users:

Automatic Linking:

By email (most common)
By username
Custom attribute matching

Manual Linking:

User initiates from account console
Admin links accounts
Verification required

Description: Shows account linking configuration with:

Linking strategy selector: Automatic, Manual, Disabled
Automatic options: Match by email, username, or custom attribute
Verification requirements: Email verified, Admin approval checkboxes
Conflict resolution: Create new, Update existing, Fail options
Existing user has priority toggle
Account linking flow designer button Focus on: Clear linking strategy options with security controls

First Login Flow

Configure what happens when users first login via identity provider:

Review profile - Let users confirm/update imported data
Verify email - If not verified by provider
Set username - If not provided by provider
Accept terms - Show terms of service
Assign roles - Grant default permissions

Testing Identity Providers

Connection Testing

Verify your configuration works correctly:

Click “Test Connection”
Choose test method:
- Quick test (verify endpoints)
- Full test (complete login flow)
- User test (specific account)

Description: Shows test interface with:

Test type selector: Quick, Full, User-specific
Test account email input (for user-specific)
Start Test button
Test progress steps: Initialize, Redirect, Authenticate, Callback, Token Exchange
Success/failure indicator per step
Response preview showing returned claims
Error details if test fails
Save test results option Focus on: Step-by-step test validation with clear results

Multi-Provider Setup

Configuring Multiple Providers

Offer users choice of login methods:

Provider Priority:

Set display order
Configure default provider
Hide providers per application
Conditional display based on email domain

Description: Shows login page preview with:

Traditional username/password form at top
“Or continue with” separator
Row of social login buttons: Google, Microsoft, GitHub, LinkedIn
Enterprise SSO section with “Login with Company SSO” button
Provider order drag-and-drop handles in admin view
Preview updates in real-time
Mobile responsive preview toggle Focus on: User-friendly multiple provider presentation

Provider Selection Strategies

Domain-based Routing:

@company.com → Azure AD
@gmail.com → Google
Others → Username/password

Home Realm Discovery:

Email input first
Auto-detect provider
Redirect accordingly

Security Best Practices

Provider Security

Credential Management:
- Store secrets securely
- Rotate credentials regularly
- Use environment-specific credentials
- Never commit secrets to code
Token Handling:
- Validate all tokens
- Check token expiration
- Store tokens securely
- Implement token refresh
User Verification:
- Verify email addresses
- Check account status
- Validate required attributes
- Audit provider access

Account Security

Preventing Account Takeover:

Require email verification
Implement account linking confirmation
Monitor for suspicious linking patterns
Use risk-based authentication

Troubleshooting

Common Issues

“Invalid redirect URI” error:

Copy exact redirect URI from Skycloak
Add to provider’s allowed redirects
Check for trailing slashes
Verify HTTPS in production

Users not importing:

Check mapper configuration
Verify required scopes
Review provider permissions
Check first login flow

Attributes not syncing:

Verify claim names match
Check mapper syntax
Review scope permissions
Test with provider’s token debugger

Login loops:

Clear browser cookies
Check provider session settings
Verify redirect URI configuration
Review CORS settings

Provider-Specific Guides

Social Providers

GitHub:

Requires email scope explicitly
Organization membership available
Team synchronization possible

LinkedIn:

Limited profile data
Requires special approval for email
Good for professional apps

Twitter/X:

Email not always provided
Handle-based identification
Limited attribute availability

Enterprise Providers

Okta:

Full OIDC compliance
Group synchronization
Custom attributes support
SCIM provisioning available

Auth0:

Universal login support
Custom database connections
Rules for transformation
Extensive marketplace

Ping Identity:

Enterprise federation
Advanced authentication policies
Risk-based authentication
Full SAML/OIDC support

Performance Considerations

Optimization Tips

Cache provider metadata when possible
Implement lazy loading for user attributes
Use batch synchronization for large directories
Configure appropriate timeouts
Monitor provider API limits

Compliance and Privacy

Data Protection

GDPR Considerations:

Minimal data collection
User consent for data sharing
Right to deletion
Data portability

Audit Requirements:

Log all authentication events
Track provider access
Monitor data synchronization
Regular access reviews

Advanced Features

Conditional Authentication

Create dynamic authentication flows:

Require MFA for external users
Additional verification for new providers
Risk-based step-up authentication
Geographic restrictions

Identity Brokering

Chain multiple identity providers:

Organization IdP → Skycloak → Applications
Federated multi-organization access
Partner integration scenarios

Workspace SSO vs Realm Identity Providers

Understanding the difference:

Realm Identity Providers (This Page)

Purpose: Authentication for your application’s end users
Configured in: Individual realms within your clusters
Used by: Your customers/users accessing your applications
Example: Adding Google login to your customer-facing app

Workspace SSO

Purpose: Authentication for your team members
Configured in: Workspace security settings
Used by: Your team accessing Skycloak dashboard
Example: Team members using corporate Azure AD to access Skycloak
Available on: Business and Enterprise plans
Learn more: Workspace SSO Documentation

Related Features

Workspace SSO - Configure SSO for team members
User Management - Manage imported users
Applications - Configure SSO for apps
Setting Up Social Login - Detailed social provider guide

Next Steps

Test your identity provider configuration
Configure User Management for imported users
Set up Applications to use SSO
Implement Multi-factor Authentication for added security
Customize your Login Experience

Branding & Customization Insights & Analytics