SETUP KC BACKEND (example KEYCLOAK SPID)

Convention: this KC is exposed in localhost:8083 Convention: the Frontend KC is exposed in localhost:8081

• Setup a KC that uses SPID IdP see here
• Setup a client:

client id idm enabled ON client protocol openid-connect
acess type confidential
Root URL http://localhost:8083/idm Valid Redirect URIS (uris which are valid to be redirected to, they will be inserted in the url. If the produced redirect_uri is different from the one provided here, it will give an error) http://localhost:8081/* (yes, the * at the end should be there). This tells the backend KC to accept all the redirect urls coming from the frontend KC.
Admin URL http://localhost:8083/idm
Web Origins http://localhost:8083

Then click on top bar Credentials, select Client Authenticator = Client Id and Secret. Copy the secret. It will be necessary in the frontend.

Create mappers for all the data you want to import to the FE (example: there is a field called spid-email saved in the be keycloak, you want to import that field to the fe keycloak)

SETUP FRONTEND

• Create a realm (ex frontend)
• Authentication -> copy First Broker Login -> Call it Frontend - First Broker Login -> Delete everything except Create User if Unique (Required)

• Create Identity Provider of type: ** Keycloak OpenId Connect**
• Trust Email ON
• First Login Flow Frontend - First Broker Login created above
• Authorization URL http://localhost:8083/auth/realms/spid/protocol/openid-connect/auth
• Token URL http://localhost:8083/auth/realms/spid/protocol/openid-connect/token
• Logour URL http://localhost:8083/auth/realms/spid/protocol/openid-connect/logout
• Client Authentication Client secret sent as post
• Client ID idm
• Client Secret ********** the one copied above
• Create Mappers. The mapper from the be keycloak is exported in the field spid-email. You want to write it to the local field email
  

so:
user attribute name: is the local field where the data is stored
claim: is the field to look for that data from the be keycloak