SSO for Sobrado Partners as Id-Clients

Sobrado offers a Single Sign-On (SSO) solution for partners who want to use Sobrado as an IdP for some of their services. This document provides a technical checklist for implementing SSO.

📐 Architecture

The SSO solution is based on the OpenID Connect v1.0 protocol and implements «Identity Brokering». We use a standard Keycloak server as our Identity Provider (IdP).

  • Our Partner’s Service using SSO is a Client of our Keycloak server.
  • Our Keycloak is the Identity Provider for our Partner’s Service.

On the Partner’s side, the Client needs to define which users are allowed to access which function on their side.

Architecture Diagram

graph TD
    subgraph Partner's Infrastructure
        PartnerService[Partner's Service]
    end

    subgraph Sobrado Infrastructure
        Keycloak[Sobrado Keycloak IdP]
    end

    Login(Sobrado Login) -->|Authenticates| Keycloak

    Keycloak  -->|Authenticates| PartnerService

    style Keycloak fill:#e95a0c,color:#fff
    style PartnerService fill:#753c52,color:#fff

✏️ Things needed

Sobrado needs from Partner

Sobrado will add the Partner’s Service URL, aka the “Valid redirect URIs”.

Partner will get from Sobrado

Our Partner will get:

🚧 Implementation

Typically, the implementation of SSO Clients is straightforward and can be tested quickly on any stage.
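The client side of the OpenID Connect authorization code flow against a Keycloak IdP, as an added example that is not Sobrado's or the Partner's own code: it builds the login redirect and checks the callback before the token request. The host names, realm, client ID, session dictionary and function names are assumptions, and the use of PKCE goes beyond what this page specifies.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values (assumptions, not Sobrado's real configuration).
ISSUER = "https://idp.example.com/realms/partner-realm"
CLIENT_ID = "partner-service"
# Must match one of the registered "Valid redirect URIs" exactly.
REDIRECT_URI = "https://partner.example.com/oidc/callback"


def begin_login(session: dict) -> str:
    """Store per-login secrets server-side and return the authorization URL."""
    verifier = secrets.token_urlsafe(64)  # PKCE code_verifier (RFC 7636)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    # state binds the callback to this browser session; nonce is compared
    # later with the nonce claim of the verified ID token.
    session.update(oidc_state=secrets.token_urlsafe(32),
                   oidc_nonce=secrets.token_urlsafe(32), oidc_verifier=verifier)
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    # Keycloak's authorization endpoint; production code reads it from
    # ISSUER + "/.well-known/openid-configuration".
    return f"{ISSUER}/protocol/openid-connect/auth?{query}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the IdP redirect and return the token request form fields."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oidc_state", None)  # single use: blocks replay
    got = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), got.encode()):
        raise ValueError("state mismatch: response does not belong to this login")
    if "error" in params or "code" not in params:
        raise ValueError("IdP returned an error or no authorization code")
    # POST these fields to ISSUER + "/protocol/openid-connect/token";
    # a confidential client adds its client authentication.
    return {"grant_type": "authorization_code", "code": params["code"][0],
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": session.pop("oidc_verifier")}
```

After the token response, the ID token's signature, `iss`, `aud`, `exp` and `nonce` still have to be verified with a JOSE library before the Partner's Service maps the user to its own permissions.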

Rémy Schumm - 16893b046b787e59a947f2ee8fdb8f2c173ef222

no Word file