Abdullah Fathi

Identity and Access Management Solution

Introduction

  • Open Source identity and access management solution
  • Started in 2013, broad adoption since 2015
  • Active community with 470+ contributors and 3.3k+ forks
  • Very robust, good documentation, many examples
  • SSO solution designed for Modern Applications, APIs and Services
  • Web Based GUI

Why Keycloak?

  • Delegate your security
  • No need to store users, passwords
  • Deal with login forms and other related forms
  • Single Sign On (SSO)

OpenID Connect / OAuth 2.0

  • JSON
  • Simple
  • Bearer Token


When?

  • Default
  • SPA, Mobile
  • REST services

SAML v2

  • XML
  • More Mature
  • More Complex


When?

  • Monoliths
  • Apps with SAML Support
  • If you have some fancy requirements

User Storage SPI

FEATURES

1) SSO

  • Single Sign On
  • Single Sign Out
  • Maintain a single session across multiple applications

2) Identity Brokering & Social Login

  • Enable login with Social Network
  • Authenticate user with existing OpenID Connect or SAML 2.0 Identity Providers

3) User Federation

  • Built-in support to sync users from existing LDAP or Active Directory servers
  • Can also implement your own provider if you have users in other stores such as RDBMS

4) Client Adapters

  • Adapters available for a number of platforms and programming languages
  • Can also use any OpenID Connect Resource Library or SAML 2.0 Service Provider library

5) Admin Console

  • Centrally manage all aspects of the keycloak server
  • Enable/Disable various features
  • Configure identity brokering and user federation
  • Create and manage application services and define fine-grained authorization policies
  • Manage users including permissions and sessions

6) Account Management Console

  • Users can manage their own accounts:
    • Update profile
    • Change password
    • Set up 2FA
    • Manage sessions
    • View account history
    • Link account with additional providers

7) Standard Protocols

  • Keycloak is based on standard protocols and provides support for:
    • OpenID Connect
    • OAuth 2.0
    • SAML

8) Authorization Services

  • Manage permissions for all your services from Keycloak Admin Console
  • Gives you the power to define exactly the policies you need

9) Themes Customization

  • Customize all pages
  • Pages are FreeMarker (.ftl) templates built from:
    • HTML
    • CSS
    • JS
  • Limitless customization
  • Organization Branding

10) Clustering

  • Run Keycloak in a cluster for scalability and HA

11) Password Policies

  • Many password policies are supported, e.g.:
    • Digits
    • Special Character
    • Expire Password
    • Not username
    • Minimum Length
    • etc.

How Does Keycloak SSO Work?

Web SSO with OIDC: Unauthenticated User

Web SSO with OIDC: Authenticated User

Keycloak Tokens

  • Access Token: short-lived (minutes+); used for accessing resources
  • Refresh Token: longer-lived (hours+); used for requesting new tokens
  • ID Token: contains user information (OIDC)
  • Offline Token: long-lived (days++)

Calling Backend Services with Access-Token

DEMO

THANK YOU
