Enabling SSO for an application using keycloak

I am a newbie to cloudflare and keycloak. I have a single page application which uses keycloak to authenticate users. I have moved the application behind cloudflare and use the same keycloak used by application as Identity Provider to access the application. However, after I authenticate to keycloak, I get my application login page, but since I have already authenticated before accessing application through cloud flare, how can I enable single sign on so I don't have to login to application again. Looks like cloudflare terminates the keycloak session and it doesn't pass the keycloak access token required to sign in to the application. Appreciate any pointers on how to implement the solution

SuperHelpflare•10/29/25, 4:18 PM

Support AI

Based on the provided documentation, I can offer some guidance on implementing Single Sign-On (SSO) with Cloudflare and Keycloak.

Firstly, it's essential to understand that Cloudflare Access can integrate with Keycloak as an Identity Provider (IdP). You can configure Cloudflare Access to use Keycloak for authentication, and then use the obtained access token to authenticate with your application.

To achieve SSO, you'll need to configure Cloudflare Access to pass the Keycloak access token to your application. Here's a high-level overview of the steps:

1. Configure Keycloak as an IdP in Cloudflare Access: Follow the instructions in the Cloudflare documentation to add Keycloak as an IdP in Cloudflare Access. This will allow Cloudflare to authenticate users with Keycloak.
2. Configure Cloudflare Access to pass the access token: In the Cloudflare Access configuration, you need to specify how to pass the access token obtained from Keycloak to your application. You can use the --token--token flag with the

cloudflared

cloudflared

command to specify the token. For example:

cloudflared access tcp --hostname your-application.com --url localhost:8080 --token <keycloak-access-token>

cloudflared access tcp --hostname your-application.com --url localhost:8080 --token <keycloak-access-token>

Replace <keycloak-access-token><keycloak-access-token> with the actual access token obtained from Keycloak.

3. Configure your application to accept the access token: Your application needs to be configured to accept the access token passed by Cloudflare. You can use the

Authorization

Authorization

header to pass the token. For example:

Authorization: Bearer <keycloak-access-token>

Authorization: Bearer <keycloak-access-token>

Replace <keycloak-access-token><keycloak-access-token> with the actual access token obtained from Keycloak.

4. Validate the access token in your application: Your application needs to validate the access token passed by Cloudflare. You can use the Keycloak API to validate the token.

Here's an example of how you can validate the access token in your application using the Keycloak API:

curl -X POST \
  https://your-keycloak-instance.com/auth/realms/your-realm/protocol/openid-connect/token/introspect \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'token=<keycloak-access-token>&client_id=your-client-id&client_secret=your-client-secret'

curl -X POST \
  https://your-keycloak-instance.com/auth/realms/your-realm/protocol/openid-connect/token/introspect \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'token=<keycloak-access-token>&client_id=your-client-id&client_secret=your-client-secret'

Replace <keycloak-access-token><keycloak-access-token> with the actual access token obtained from Keycloak, and your-client-idyour-client-id and your-client-secretyour-client-secret with your Keycloak client credentials.

If the token is valid, Keycloak will return a response indicating that the token is active. Your application can then use this response to authenticate the user.

By following these steps, you should be able to implement SSO with Cloudflare and Keycloak, allowing users to access your application without needing to log in again after authenticating with Keycloak.

Please note that this is a high-level overview, and you may need to modify the configuration and code to fit your specific use case. Additionally, you should ensure that you are using the correct Keycloak API endpoints and authentication mechanisms for your specific Keycloak version.

Source:

* Cloudflare Access documentation
* Keycloak documentation
* Cloudflare Access and Keycloak integration

Sources

* Send SSO attributes to Access-protected origins with Workers - Cloudflare
* Set up dashboard SSO - Cloudflare Fundamentals docs
* Arbitrary TCP - Cloudflare Zero Trust docs

This is an AI generated response, it may not be 100% accurate. Please validate the output. You can ask followups by replying to this message or mentioning me.

umeshOP•10/29/25, 4:36 PM

@Leo Thanks for your response. Is there a way cloudflare can pass the access token from keycloak directly to my application as part of some header ? I know, I can get CF_Authorization token, but that's not the actual access token sent by keycloak which I can directly use in my application

umeshOP•10/29/25, 4:38 PM

@Leo Thanks. So I still need to authenticate to my application by logging in again

umeshOP•10/29/25, 4:43 PM

@Leo Sorry, I didn't get you. How can I use cf access the entire way ?

follow7light(Panduin)•10/29/25, 7:21 PM

It was painful when I did something similar with access, worker, cloudflareD, keycloak/kerberos with spnego. I got it to work to pass the token from access to the local kerberos auth. I guess here can be used a similar approach as long as you can have the saml from keycloak

Bello•10/30/25, 3:43 AM

To get true SSO, you’ve got two clean options:

Make Cloudflare Access and Keycloak federate, set Keycloak as the IdP in Cloudflare Access so Cloudflare handles login and passes user info headers to your app.

Or skip Cloudflare Access for auth and let your SPA talk directly to Keycloak, keeping your own SSO flow.
Mixing both without federation breaks token continuity, so pick one as the single IdP.

Enabling SSO for an application using keycloak

Similar Threads

Similar Threads

Similar Threads