Skip to content
Entando Keycloak Integration - Gives SSO capabilities
Branch: master
Clone or download
joewhite101 Merge pull request #5 from entando/EN-2527-default-groups
EN-2527 enabling default group:role to users coming from Keycloak
Latest commit a677de9 Jun 12, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
keycloak implementing login with standard OAuth flow May 10, 2019
LICENSE Initial commit Apr 17, 2019

Entando Keycloak Plugin

Keycloak Integration for Entando Core - Gives SSO capabilities and also has User Management through Keycloak.


What this plugin does

  • Enables SSO capabilities to an Entando Instance by using Keycloak.
  • Moves User Management to Keycloak.

What this plugin does not

This plugin doesn't come with Role and Group management, because Entando Core roles/groups model isn't compatible with Keycloak. That means that even with the same users across multiple Entando Instances, the role and group mappings have to be configured on each instance.


  • keycloak.authUrl: It's the Keycloak auth url (Example:
  • keycloak.realm: The keycloak realm (See
  • keycloak.clientId: The keycloak confidential client id
  • keycloak.clientSecret: The secret from the keycloak client
  • keycloak.publicClientId: The second keycloak client, this one must be public
  • keycloak.secureUris: [OPTIONAL] Use if you want to secure an endpoint. Works with wildcards, comma separated.
  • keycloak.authenticated.user.default.authorizations: [OPTIONAL] Use if you want to automatically assign group:role to any user that logs in, comma separated. Example: administrators:admin,readers


Installing on your project

First add the entando-keycloak-auth dependency to your pom.xml


<!-- </required-by dependency="org.keycloak:keycloak-admin-client"> -->
<!-- </required-by> -->


Then you have to open the to add keycloak configuration


Edit web.xml

And finally you have to change the configuration on web.xml from




Keycloak Setup

In order to setup keycloak to work with entando instance, please refer to the documentation here

Keycloak Standard Flow

To enable the standard flow to keep sessions between Entando instances, please refer to the documentation here

Known issues


There might be dependency issues with entando-plugin-jpinfinispan. In order to make it work along with this plugin, you have to add the following dependency to the pom.xml file.



If you run this following exception:

Caused by: java.lang.NoClassDefFoundError: org/apache/log4j/spi/LoggerFactory
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(
	at org.owasp.esapi.util.ObjFactory.make(
	at org.owasp.esapi.ESAPI.logFactory(
	at org.owasp.esapi.ESAPI.getLogger(
	at org.owasp.esapi.reference.DefaultEncoder.<init>(
	at org.owasp.esapi.reference.DefaultEncoder.getInstance(
	... 82 more

It might also be a dependency conflict, to fix this issue, add the following dependency to your pom.xml file.



Some tests are being tested with a real Keycloak instance so, in order to test, you have to start the keycloak before.

$ docker-compose -f keycloak/docker-compose.yml up -d
$ mvn test
You can’t perform that action at this time.