![](https://s3.amazonaws.com/media-p.slid.es/uploads/802713/images/9210016/keycloak.png)
Abdullah Fathi
Identity and Access Management Solution
Introduction
- Open Source identity and access management solution
- Started in 2013, broad adoption since 2015
- Vibrant community with 470+ contributors and 3.3k+ forks
- Very robust, with good documentation and many examples
- SSO solution designed for Modern Applications, APIs and Services
- Web Based GUI
![](https://s3.amazonaws.com/media-p.slid.es/uploads/802713/images/9210173/Cyber-Security-PNG-Transparent-HD-Photo.png)
Why Keycloak?
- Delegate your security to Keycloak
- No need to store users and passwords yourself
- Keycloak handles login forms and other related forms for you
- Single Sign On (SSO)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/802713/images/9785224/architecture.png)
OpenID Connect / OAuth 2.0
- JSON
- Simple
- Bearer Token
When?
- Default
- SPA, Mobile
- REST services
SAML v2
- XML
- More Mature
- More Complex
When?
- Monoliths
- Apps with SAML Support
- If you have some fancy requirements
User Storage SPI
![](https://s3.amazonaws.com/media-p.slid.es/uploads/802713/images/9224902/1_yY-WOMONwaS4bmY7yXwztA.png)
FEATURES
1) SSO
- Single Sign On
- Single Sign Out
- Maintain a single session across multiple applications
![](https://s3.amazonaws.com/media-p.slid.es/uploads/802713/images/9210132/screen-login.png)
2) Identity Brokering & Social Login
- Enable login with Social Network
- Authenticate user with existing OpenID Connect or SAML 2.0 Identity Providers
![](https://s3.amazonaws.com/media-p.slid.es/uploads/802713/images/9210133/dia-identity-brokering.png)
3) User Federation
- Built-in support to sync users from existing LDAP or Active Directory servers
- Can also implement your own provider if you have users in other stores such as RDBMS
![](https://s3.amazonaws.com/media-p.slid.es/uploads/802713/images/9210136/dia-user-fed.png)
4) Client Adapters
- Adapters are available for a number of platforms and programming languages
- You can also use any OpenID Connect Relying Party library or SAML 2.0 Service Provider library
5) Admin Console
- Centrally manage all aspects of the Keycloak server
- Enable/Disable various features
- Configure identity brokering and user federation
- Create and manage application services and define fine-grained authorization policies
- Manage users including permissions and sessions
![](https://s3.amazonaws.com/media-p.slid.es/uploads/802713/images/9210143/screen-admin.png)
6) Account Management Console
- Users can manage their own accounts:
- Update profile
- Change password
- Set up 2FA
- Manage sessions
- View account history
- Link the account with additional identity providers
![](https://s3.amazonaws.com/media-p.slid.es/uploads/802713/images/9210146/screen-account.png)
7) Standard Protocols
- Keycloak is based on standard protocols and provides support for:
- OpenID Connect
- OAuth 2.0
- SAML
![](https://s3.amazonaws.com/media-p.slid.es/uploads/802713/images/9210149/dia-protocols.png)
8) Authorization Services
- Manage permissions for all your services from Keycloak Admin Console
- Gives you the power to define exactly the policies you need
9) Themes Customization
- Customize all pages
- Pages are .ftl templates built from:
- HTML
- CSS
- JS
- Limitless customization
- Organization Branding
10) Clustering
- Run Keycloak in a cluster for scalability and HA
11) Password Policies
- Many password policies are supported, e.g.:
- Digits
- Special Character
- Expire Password
- Not equal to username
- Minimum length
- etc.
How Does Keycloak SSO Work?
Web SSO with OIDC: Unauthenticated User
![](https://s3.amazonaws.com/media-p.slid.es/uploads/802713/images/9785507/sso-flow1.png)
Web SSO with OIDC: Authenticated User
![](https://s3.amazonaws.com/media-p.slid.es/uploads/802713/images/9785508/sso-flow2.png)
Keycloak Tokens
- Access Token: short-lived (Minutes+); used for accessing resources
- Refresh Token: longer-lived (Hours+); used for requesting new tokens
- ID Token: contains user information (OIDC)
- Offline Token: long-lived (Days++)
Calling Backend Services with Access-Token
![](https://s3.amazonaws.com/media-p.slid.es/uploads/802713/images/9785514/sso-flow3.png)
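The checks a backend service makes on the bearer token before serving the request (signature, issuer, token type, audience, expiry), as an added example that is not part of the slides. A real Keycloak realm signs access tokens with RS256 and publishes the public key under the realm's OIDC endpoints; here a standard-library HMAC stands in for that signature so the example runs offline, and the issuer URL, signing key and claim values are constructed for the demo.

```python
import base64
import hmac
import json
import time
from hashlib import sha256

# Constructed values for this demo. A real Keycloak realm signs access tokens with RS256 and
# publishes the public key at <issuer>/protocol/openid-connect/certs; HMAC stands in here so
# the example runs with the standard library alone. The claim checks below are the same either way.
ISSUER = "https://sso.example.com/realms/demo"   # assumed realm URL
SIGNING_KEY = b"demo-realm-signing-key"          # constructed, not a real key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict) -> str:
    """Mint a signed JWT shaped like a Keycloak access token (demo issuer only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_access_token(token: str, expected_aud: str, now=None) -> dict:
    """Checks a backend service makes before trusting a bearer token; raises ValueError on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm rather than trusting the header, so 'none' or a swapped alg is rejected.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issued by a different realm")
    if claims.get("typ") != "Bearer":   # Keycloak marks access tokens 'Bearer'; refresh tokens are not accepted
        raise ValueError("not an access token")
    aud = claims.get("aud", [])
    if expected_aud not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("token was not issued for this service")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims
```

The `aud` claim may be a string or a list, and an access token issued for one client must not be accepted by another service, which is why the audience check is explicit rather than implied by a valid signature.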
DEMO
THANK YOU
Keycloak
By Abdullah Fathi