
Drupal Keycloak integration - how to configure and what benefits it brings?
One login for all company systems, automatic synchronization of users between different tools, and access management without involving developers with each change. These are examples of the benefits of integrating Drupal with Keycloak. In this article, I will show how easy it is to set up the integration of these tools and why this solution saves HR and IT departments a lot of time. Here I use information from my video on the Nowoczesny Drupal channel.
In this article:
- The problem of multiple systems and user accounts in companies
- What is Keycloak and why should you choose it?
- Benefits of integrating Drupal with Keycloak
- How to set up Drupal integration with Keycloak?
- A demo of how the system works in practice
- Expandability and customization options
- Time and financial savings for companies
- Support in integrating Drupal with Keycloak
The problem of multiple systems and user accounts in companies
Most companies today have several or a dozen systems - intranets, content management solutions, marketing automation tools, CRMs, HR systems, task management systems, and communication tools. Each of these requires a separate user account.
When hiring a new employee, the Human Resources department must create accounts for them in several places, and when they are fired, they must remember to deactivate or delete those accounts. The IT team, on the other hand, deals with resetting passwords on a daily basis, because employees have different passwords for different systems and forget them.
Companies often lack central control over user access and accounts. If an organization has tens to thousands of employees, this can be a major problem. It is worth considering how to solve it.
What is Keycloak and why should you choose it?
Keycloak is an open source identity management system that solves the problems described above. The program allows you to centrally manage all user accounts in your company. An employee logs in once and has access to all systems to which they are authorized.
The HR department can manage access from one place, and the IT department no longer has to spend time troubleshooting passwords or logins in each system separately - it only deals with this one user management system.
Alternative solutions on the market
There are many alternative identity management solutions available on the market. Let's take a look at a few of them. Microsoft Entra ID (formerly Azure Active Directory) from Microsoft is one of the most popular enterprise solutions, costing about $6 per user per month in the basic plan. Microsoft Entra ID offers integration with the Microsoft ecosystem, but it comes with vendor lock-in and increasing costs as the number of employees grows.
Okta is another popular SaaS solution that specializes in identity and access management. Like Auth0 (now part of Okta), it offers packages starting at a few hundred dollars a month for a few thousand active users. These platforms are feature-rich, but their costs can quickly escalate in larger organizations.
Google Workspace also provides Single Sign-On features, but is more focused on Google applications and may not cover all the needs of companies using a variety of systems.
It is also possible to build your own solution based on LDAP (Lightweight Directory Access Protocol), but this requires significant technical expertise and developer resources.
Advantages of Keycloak
Keycloak stands out as an attractive alternative because, as an open source system, it is free - we only pay for hosting and possible technical support. Like Drupal, it can be installed on any server, in-house or in an external cloud. The key advantage is that there are no licensing costs per user - whether we have 1,000 or 5,000 employees, infrastructure costs remain constant and do not increase linearly as the organization grows.
Benefits of integrating Drupal with Keycloak
Integrating Drupal with Keycloak provides several significant benefits to the organization.
- No licensing costs - we don't pay for users, only for hosting, which is true for both Drupal and Keycloak.
- We have full control over user data, which is important due to security and GDPR obligations.
- We have the ability to fully customize the tool to meet the needs of the company, because we are not limited by ready-made solutions. We can customize the system as we want, because both tools are open source.
If the company already has systems on Drupal - for example, an intranet or a website - integrating Keycloak with these systems is very easy.
How to set up Drupal integration with Keycloak?
We need several elements to connect Drupal with Keycloak. On the Drupal side, you need the Keycloak module and the OpenID Connect module, which are the foundation of the integration. Keycloak can be installed locally using Docker, which is the fastest way to test the solution.

Configure Keycloak
In Keycloak, we need to configure the so-called realm - a space for our organization. Within the realm settings, we define client details, addresses for redirects, and other security parameters. We can also add test users with basic details like first name, last name, and email address.

Configure Drupal
In Drupal, we go to the OpenID Connect module configuration and check the Keycloak option. We enter the redirect URL (which also needs to be copied to the Keycloak settings), the client ID, and the client secret, which we copy from the Keycloak settings. We also enter the Keycloak base URL and the Keycloak realm name.
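The redirect URL and client settings described above can be checked against an export of the Keycloak client; this is an added example, not code from the article or from either project. The client values, the `intranet.example.com` host and the redirect path are assumptions, and the field names follow Keycloak's client JSON export.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like a Keycloak client export (ClientRepresentation
# JSON). Every value is made up for this example.
WEAK_CLIENT = json.loads("""{
  "clientId": "drupal-intranet",
  "protocol": "openid-connect",
  "publicClient": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": true,
  "directAccessGrantsEnabled": true,
  "redirectUris": ["https://intranet.example.com/*",
                   "http://localhost:8080/openid-connect/keycloak"]
}""")

# Assumption: the redirect URL shown on Drupal's OpenID Connect settings form.
DRUPAL_REDIRECT = "https://intranet.example.com/openid-connect/keycloak"


def audit_client(client, drupal_redirect):
    """Return findings for the Keycloak client that Drupal logs in through."""
    findings = []
    if client.get("publicClient"):
        findings.append("public client: Drupal sends a client secret, so it must be confidential")
    if not client.get("standardFlowEnabled"):
        findings.append("authorization code flow disabled: Drupal login will fail")
    if client.get("implicitFlowEnabled"):
        findings.append("implicit flow enabled but not needed")
    if client.get("directAccessGrantsEnabled"):
        findings.append("direct access grants enabled but not needed")
    uris = client.get("redirectUris", [])
    if drupal_redirect not in uris:
        findings.append("Drupal redirect URL is not registered verbatim")
    for uri in uris:
        if "*" in uri:
            findings.append(f"wildcard redirect URI: {uri}")
        if urlsplit(uri).scheme != "https":
            findings.append(f"non-HTTPS redirect URI: {uri}")
    return findings


def harden(client, drupal_redirect):
    """Return a copy limited to what the Drupal login flow uses."""
    return {**client, "publicClient": False, "standardFlowEnabled": True,
            "implicitFlowEnabled": False, "directAccessGrantsEnabled": False,
            "redirectUris": [drupal_redirect]}


if __name__ == "__main__":
    for finding in audit_client(WEAK_CLIENT, DRUPAL_REDIRECT):
        print("FINDING:", finding)
    print("after hardening:", audit_client(harden(WEAK_CLIENT, DRUPAL_REDIRECT), DRUPAL_REDIRECT))
```

The localhost entry stands for a leftover from a local Docker test setup; a production client should list only the exact URL Drupal displays.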

A demo of how the system works in practice
Once the Drupal Keycloak integration is set up, the login process looks very simple. We click the login button on the Drupal site, and we are redirected to Keycloak.
After logging into Keycloak, we are automatically redirected back to the Drupal site, already as a logged-in user.

Automatic synchronization is key - if a user exists in Keycloak, but doesn't yet have an account in Drupal, the system automatically creates a new account when the user first logs in. The Drupal administrator can see in the panel that the new account has been created without their intervention. This allows accounts to be managed centrally in Keycloak, and users can log into the intranet or other Drupal instances without having to manually create accounts on each system separately.
Expandability and customization options
The Drupal Keycloak integration we showed is just a basic setup. Both systems can be greatly expanded and reconfigured on both sides to better fit the solution to the needs of a particular company.
Synchronizing additional user fields
One of the most commonly used options is to add custom fields to a user's profile in Keycloak and sync those values to Drupal. For example, you can add fields such as first name, last name, phone number, position, or department. A key advantage is automatic synchronization - if a phone number is changed in Keycloak, that change will automatically synchronize with Drupal and other connected systems. This way, the administrator doesn't have to manually update user data in each system separately. All it takes is one change in Keycloak, and all connected applications will receive the updated information.
Enhance security - two-factor authentication
To make the entire login system even more secure, you can add two-factor authentication (2FA). Keycloak offers built-in support for various 2FA methods, including:
- mobile apps like Google Authenticator or Microsoft Authenticator,
- SMS codes,
- FIDO2 dongles,
- push notifications.
The implementation of 2FA significantly increases the security level of an organization, which is especially important when accessing sensitive corporate data or business-critical systems.
Integration with other company systems
Keycloak can be connected to many different systems used in a company—not just Drupal. It is a popular solution, and often, ready-made modules, plug-ins, or libraries for various applications are available so you can easily integrate with Keycloak.
Examples of systems that can be integrated with Keycloak:
- CRM (Customer Relationship Management) systems,
- project management tools (Jira, Confluence),
- team communication applications (Mattermost, Rocket.Chat),
- e-learning and training systems,
- analytical and business intelligence tools,
- corporate mobile applications.
Role and permission mapping
An advanced capability is to configure role mapping between Keycloak and Drupal. You can create roles in Keycloak (e.g. Marketing Manager, Sales Representative, HR Specialist) and automatically assign appropriate permissions in Drupal based on those roles. This way, a new employee is automatically granted access to the appropriate sections of the intranet or other systems based on their position.
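One way to reason about this role mapping, as an added example that is not the Drupal Keycloak module's own code: reconcile a user's Drupal roles against an allow-list on each login, so roles removed in Keycloak are revoked and unlisted roles grant nothing. The Drupal role ids, the sample claims and the use of the `realm_access.roles` claim are assumptions.

```python
# Assumption: hypothetical allow-list of Keycloak realm roles -> Drupal role ids.
ROLE_MAP = {
    "Marketing Manager": "marketing_manager",
    "Sales Representative": "sales_rep",
    "HR Specialist": "hr_specialist",
}
MANAGED = set(ROLE_MAP.values())  # Drupal roles that Keycloak is allowed to control

# Constructed sample: claims for a user moved from marketing to HR in Keycloak.
SAMPLE_CLAIMS = {
    "preferred_username": "jdoe",
    "realm_access": {"roles": ["HR Specialist", "administrator", "offline_access"]},
}
SAMPLE_DRUPAL_ROLES = ["authenticated", "marketing_manager", "content_editor"]


def keycloak_roles(claims):
    """Read realm roles from realm_access.roles, tolerating missing or malformed data."""
    access = claims.get("realm_access")
    roles = access.get("roles") if isinstance(access, dict) else None
    if not isinstance(roles, list):
        return set()
    return {r for r in roles if isinstance(r, str)}


def reconcile(claims, current_drupal_roles):
    """Return (grant, revoke, unmapped) role sets for one login."""
    kc = keycloak_roles(claims)
    wanted = {ROLE_MAP[r] for r in kc if r in ROLE_MAP}
    current = set(current_drupal_roles)
    grant = wanted - current
    # Only roles on the allow-list are revoked; locally assigned roles stay.
    revoke = (current & MANAGED) - wanted
    # Roles outside the allow-list never reach Drupal, whatever their name.
    unmapped = kc - set(ROLE_MAP)
    return grant, revoke, unmapped


if __name__ == "__main__":
    grant, revoke, unmapped = reconcile(SAMPLE_CLAIMS, SAMPLE_DRUPAL_ROLES)
    print("grant:", sorted(grant))
    print("revoke:", sorted(revoke))
    print("ignored Keycloak roles:", sorted(unmapped))
```

In the sample, a Keycloak role named `administrator` grants nothing in Drupal because it is not on the allow-list, and `content_editor` is left alone because it was assigned locally.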
Capabilities for different types of systems
If a company has content management solutions on Drupal (websites or intranets), the integration is similar to what we showed in the demonstration. However, Keycloak is flexible enough that it can also be integrated with systems written in other technologies:
- web applications in PHP, Java, .NET, Python,
- mobile applications on iOS and Android,
- legacy systems with SAML or LDAP support,
- microservices and applications based on container architecture.
Flexibility of configuration
The advantage of open source solutions is that they can be fully customized. You can customize the look and feel of the Keycloak login page to match your corporate identity, configure custom authentication flows, or integrate with existing Active Directory or LDAP systems.
This flexibility allows you to create a solution perfectly tailored to your organization's specific needs, without the limitations imposed by off-the-shelf commercial identity management systems.
Time and financial savings for companies
Integrating Keycloak with Drupal or Open Intranet brings tangible savings to the company.
- No licensing costs per user - no need to pay $5-10 per month for each new employee in the company.
- Better security through central access control in the company - we manage all access from one central Keycloak system.
- Easy scalability when adding new systems - if we integrate new applications or introduce new tools in the organization, we can also connect them to Keycloak and don't have to worry about adding user accounts.
Specific benefits for departments
For the HR department, this means no more manual creation and deletion of accounts in multiple systems when an employee is hired or fired. For the IT department, it means far fewer requests related to password resets and problems logging into various applications.
Employees gain convenience - one login gives them access to all the company tools they need to work. They don't have to remember many different passwords or waste time logging into more systems.
Support in integrating Drupal with Keycloak
If you are considering implementing a centralized account management system for your company or want to integrate existing systems, we offer full support in this area. Our Drupal agency will help plan the architecture and configure Keycloak with Drupal and other systems used in your organization. We can migrate existing users and provide support in maintaining your systems, both Keycloak and Drupal systems, like intranets or CMS.