Netlify Identity integrating with Keycloak identity provider

Can I integrate Netlify Identity with my own identity provider. For example, if I have an SSO solution using Keycloak, can I integrate Netlify Identity with that? If so, is there a way to make my identity provider the only identity provider?


I think we’re talking about the same topic as OAuth authentication so let’s concentrate in that thread. I will update my answer there to be more specific in response to this question.

Not necessarily OAuth, but more Open IDC in this case. Here’s the scenario:

We have an existing infrastructure that uses Keycloak backed by an LDAP server. We have 4 separate (but related) Web sites that are password protected using Keycloak as a single sign-on (SSO) server. An Apache reverse proxy sits in front of the 4 sites and protects all routes to the Web sites using mod_auth_openidc. The specific architecture I’ve described above is not really important.

What’s important to us is that we’re currently storing our user information in an LDAP server that we manage that uses an SSO server that we also manage. So we’d prefer to keep that existing SSO infrastructure especially because we don’t want to store our user information in Netlify.

I suppose we could continue to deploy the reverse proxy in front of Netlify, but this doesn’t seem like the best approach. Better would be if you had an architecture whereby a different identify provider could be “plugged in.” And then yes, I suppose that identify provider would also need to handle authorization via OAuth.

So I guess my question was indeed somewhat about OAuth, but not primarily :wink:

Indeed - reverse proxying to us is an antipattern for which we don’t even provide tech support - if something breaks, we won’t be able to help unless traffic goes directly to us (we recommend that people proxy from us usually, though I understand that until we find you a solution this will not be practical for you). I’m not sure we can support your use case, but perhaps we can. Check out the below for some potential inspiration:

There are patterns that can gate your site based on your own IDC. We dp have folks who gate their site based on an okta setup, for instance. Best resource I’m aware of on that setup is in this presentation from one of our team members:

There’s an open source codebase for the (separate from the video above) okta implementation, here: which might provide some inspiration.