SlideShare a Scribd company logo
1 of 88
Download to read offline
RED HAT CONFIDENTIAL
Red Hat Single Sign-On 7
Overview
Juan Vicente Herrera Ruiz de Alejo - Red Hat Cloud Architect
November 2022
1
RED HAT CONFIDENTIAL
2
What is RH SSO Core Concepts
Architecture
Authentication and registration
Network considerations
AGENDA
Common Audience (application integrators, security operators, sysadmins)
Clients and Adapters OpenID Connect
Administration Console overview
User Federation
Managing clients Roles Events Auditing
Administration ways of RH-SSO
Identity brokering
Common tuning points of RH-SSO
RH-SSO on OpenShift
Two-factor Authentication Labs
RED HAT CONFIDENTIAL
What is Red Hat Single Sign-On?
3
RED HAT CONFIDENTIAL
▸ Based on upstream project Keycloak
▸ Open source access and identity manager
▸ Identity Brokering
▸ User Federation with LDAP based directory services
▸ Client libraries for JavaEE, Spring, NodeJS, JS + more
4
Red Hat Single Sign-On
Architecture and Features
RED HAT CONFIDENTIAL
5
Red Hat Single Sign-On
Architecture and Features
RED HAT CONFIDENTIAL
6
Red Hat JBoss Enterprise Product Delivery Model
The best of both worlds
RED HAT CONFIDENTIAL
7
Jan ‘19
Keycloak: 4.8.3
EAP: 7.2.0
RH-SSO
7.4.0 GA
RH-SSO
7.6.0 GA
RH-SSO
7.5.0 GA
Red Hat Single Sign-On Roadmap
RH-SSO
7.3.0 GA
Apr ‘20
Keycloak: 9.0.3
EAP: 7.3.0
Keycloak: 15.0.2
EAP: 7.4.0
Keycloak: 18.0.0
EAP: 7.4.4
Sept ‘21 30 Jun ‘22
RH-SSO
8.0.0 GA
TBD (Q2CY23)
Keycloak: TBD
EAP: N/A => Moving to Quarkus
RED HAT CONFIDENTIAL
Red Hat Single Sign-On Documentation
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6
RED HAT CONFIDENTIAL
Core Concepts
9
RED HAT CONFIDENTIAL
Red Hat CONFIDENTIAL
SSO Core Concepts
RH-SSO is leveraging standard protocols.
Supported Application Client Protocols:
● SAML
● OpenID
Supported User Federation Protocols:
● SAML
● OpenID
● LDAP
● LDAP/Kerberos
RED HAT CONFIDENTIAL
Red Hat CONFIDENTIAL
SSO Core Concepts
OpenID
● Build on top of Oauth2 (RFC6749)
● defined by OpenID core Spec
● More flexible. Any new development done on OpenID
● Use OpenID whenever possible
● Any new protocol such as CIBA are provide on top of OpenID.
SAML
● defined by SAML Oasis spec.
● Quite old (Spec has 20 years) - still many legacy applications using SAML protocol
LDAP
● Defined by RFC 4519
RED HAT CONFIDENTIAL
12
CONFIDENTIA
12
Core Concepts
SSO Concepts I
▸ Users: Entities that are able to log into your system. They can have attributes associated
with themselves like email, username, address, phone number, and birthday.
▸ Credentials: Pieces of data that Red Hat Single Sign-On uses to verify the identity of a
user. Some examples are passwords, one-time-passwords, digital certificates, or even
fingerprints.
▸ Roles: Identify a type or category of user. Applications often assign access and
permissions to specific roles rather than individual users as dealing with users can be too
fine grained and hard to manage. There are ‘composite roles’
▸ Groups: Users that become members of a group inherit the attributes and role mappings
that group defines. You can map roles to a group as well.
▸ Realm: manages a set of users, credentials, roles and groups. A user belongs to and
logs into a realm. Realms are isolated from one another and can only manage and
authenticate the users that they control.
RED HAT CONFIDENTIAL
13
CONFIDENTIA
13
Core Concepts
SSO Concepts II
▸ Authentication: The process of identifying and validating a user.
▸ Authorization: The process of granting access to a user.
▸ Clients: Entities that can request Red Hat Single Sign-On to authenticate a user. Most
often, clients are applications and services that want to use Red Hat Single Sign-On to
secure themselves and provide a single sign-on solution
▸ Session: When a user logs in, a session is created to manage the login session. A session
contains information like when the user logged in and what applications have
participated within single-sign on during that session. Both admins and users can view
session information.
▸ Identity Manager (IdM) or Identity Access Manager (IAM): Component controlling the
task of controlling information about users and services on computers. Red Hat Single
Sign-On is an IAM
RED HAT CONFIDENTIAL
14
CONFIDENTIA
14
Core Concepts
Identity Brokering - User Federation
▸ Identity Provider Federation: mechanism to delegate authentication (identity brokering) to one or
more IDPs. Social login via Facebook or Google+ is an example of identity provider federation. You
can also hook Red Hat Single Sign-On to delegate authentication to any other OpenID Connect or
SAML 2.0 IDP
▸ User federation provider: RHSSO can store and manage users. You can point Red Hat Single
Sign-On to validate credentials from external stores as LDAP or AD and pull in identity information.
RED HAT CONFIDENTIAL
15
CONFIDENTIA
15
Core Concepts
Keycloak Concepts II
▸ Authentication Flows: workflows a user must perform when interacting with certain
aspects of the system. A login flow can define what credential types are required. A
registration flow defines what profile information a user must enter and whether
something like reCAPTCHA must be used to filter out bots. Credential reset flow defines
what actions a user must do before they can reset their password.
▸ Registration flow: workflow a user must perform when Realm allows user registration
▸ Required actions: actions a user must perform during the authentication process. A user
will not be able to complete the authentication process until these actions are complete.
For example, an admin may schedule users to reset their passwords every month. An
update password required action would be set for all these users.
RED HAT CONFIDENTIAL
Red Hat CONFIDENTIAL
SSO Core Concepts
Tokens
RH-SSO can deliver the following tokens type:
● Access Token
● Refresh Token
● Offline Tokens
● OpenID Tokens
RED HAT CONFIDENTIAL
Red Hat CONFIDENTIAL
SSO Core Concepts
Access Token
● It is THE CRITICAL RESOURCE TO PROTECT.
● Provided in CLEAR TEXT as a signed JWT (RFC 7519) and is NOT ENCRYPTED.
● A valid access token can allow access to the different clients of realm according to
authorization enforced.
● It is made up of the scope claims used in the client access request.
● Scopes filtering query allows to control the inner content of an access token.
Refresh Token / SSO Idle Timeout
● Allows to query for a new access token in the context of a valid user session.
● Refresh Token duration is bound to the SSO Idle Timeout, with a default value of 30 minutes.
● Updating SSO Idle Timeout value can expose your system to high security vulnerabilities.
OffLine Tokens / Offline Sessions
● Available within the context of an offline session.
● Can get an new access token without having user to reauthenticate (in the context of the
offline session).
● Offline Session have can be used for very long period of times (up to several months).
See KCS article: Using Offline Sessions and Offline Tokens with RH-SSO
RED HAT CONFIDENTIAL
Red Hat CONFIDENTIAL
SSO Core Concepts
Public Client / Confidential Client / Bearer Mode client
The application clients types can be of:
● Public
○ Public clients are incapable of maintaining the confidentiality of their credentials.
■ clients executing on the device used by the resource owner, such as an installed
native application or a web browser-based application
● Confidential
○ Clients able to maintain the confidentiality of their credentials
● Bearer mode
○ application is accessed remotely as in Bearer mode (RFC 6750) using an access token.
Confidential Client
● Client Secret
○ A secret key is shared between the RH-SSO server and the client.
○ This secret key shall never be get compromised otherwise it is major security breach.
● Signed JWT (Most secure solution)
○ Requires to setup a keystore at client application level.
○ Only public key is exchanged with RH-SSO server
○ Possibility to rotate keys on a regular basis at client level.
RED HAT CONFIDENTIAL
Red Hat CONFIDENTIAL
SSO Core Concepts
SSL/TLS Security
All inbound and outbound connections should be secured:
● Inbound RH-SSO traffic (HTTPS port 8443)
○ Any application connecting to RH-SSO shall connect through HTTPS.
● Outbound RH-SSO traffic
○ RH-SSO connections to database backend (SSL/TLS).
○ RH-SSO connections to LDAP backend (LDAPS) or any other external provider.
● Usage of RH-SSO keystore (SSL 1 way)
○ Creation of RH-SSO keystore certificate
■ Certificate can be self signed
■ Certificate can signed by a Root CA or certificate Chain (Most Secured
Solution)
● Usage of a RH-SSO trustore
○ Used for mTLS (SSL 2ways) also called X509 Authentication.
○ Used to connect to LDAPS server.
RED HAT CONFIDENTIAL
Red Hat CONFIDENTIAL
SSO Core Concepts
Security Architecture - SSO Reverse Proxy / Load Balancer
The main architectural principles to put in place, when defining Your RH-SSO instance are:
● Put your SSO instance behind a reverse proxy or load balancer.
● Put your RH-SSO server instance(s) on a private LAN.
● The admin console should not be accessible from the external (internet).
○ This segregation is possible with an appropriate network design architecture.
RED HAT CONFIDENTIAL
Red Hat CONFIDENTIAL
SSO Core Concepts
Clustering
Clustering mode is available with standalone HA and domain mode (and comes by default when RH-SSO is deployed on
Openshift).
The recommendation is to use standalone-HA mode instead of domain mode.
● Domain mode adds more complexity to the deployment as it involves more components such as Domain Controller,
Process Controller.
● It also requires more JVM resources.
Clustering is using infinispan as the underlying communication protocol between the different nodes/pods of the cluster.
RH-SSO caches
RH-SSO Infinispan contains 6 distributed caches and are a replicated cache (work) for a RH-SSO instance.
Distributed caches:
● sessions
● authenticationSessions
● offlineSessions
● clientSessions
● offlineClientSessions
● loginFailure
See Doc 3.4.6. Infinispan caches
RED HAT CONFIDENTIAL
Red Hat CONFIDENTIAL
SSO Core Concepts
Infinispan
<distributed-cache name="sessions" owners="2"/>
<distributed-cache name="authenticationSessions" owners="2"/>
<distributed-cache name="offlineSessions" owners="2"/>
<distributed-cache name="clientSessions" owners="2"/>
<distributed-cache name="offlineClientSessions" owners="2"/>
<distributed-cache name="loginFailures" owners="2"/>
If owners=1, it means that the cache is not replicated. In case of a node/pod crash of the node (or pod), all the data is lost.
Therefore, the recommendation is to maintain at least 2 owners copies for each distributed cache.
See KCS: Replication and Failover Cache configuration with RH-SSO clustering
RED HAT CONFIDENTIAL
Red Hat CONFIDENTIAL
SSO Core Concepts
Clustering communication
Clustering communication is done using infinispan protocol using MULTICAST or TCPING (VM) or DNS_PING (Openshift)
Multicast:
● Udp based.
● Multicast is the protocol available out of the box by default.
● available immediately.
● less secure (can easily add a spyer station to monitor all the on going traffic).
Tcping:
● Based on TCP.
● More complex to configure.
● More secured (impossible to add spyer station).
The way to configure tcping is described Jboss EAP documentation: 24.2.3. Configure TCPPING
Important Remark:
● Tcping can be the appropriate solution for customers requiring a very high level of security
RED HAT CONFIDENTIAL
Red Hat CONFIDENTIAL
SSO Core Concepts
User Federation and Identity Federation
● RH-SSO can connect to:
○ User Federation Provider
■ A LDAP provider
○ External Identity Provider
■ Using SAML
■ Using OpenID
LDAP provider:
● Using a LDAP server is a “MUST HAVE” to store user identities in the IAM world.
○ It allows very powerful user provisioning on a very large scale basis.
○ LDAP has been designed to import/export millions of users in a few minutes minutes using LDIF files
○ It is much more efficient using LDIF import than REST API scripts to provision millions of users
● The recommended architectural choice is to use:
○ LDAP Red Hat Directory Server whenever possible
Or
any Other LDAP Directory (AD, Tivoli, OpenDJ …)
Important Remark:
● Red Hat Directory Server is only available on Linux.
RED HAT CONFIDENTIAL
Red Hat CONFIDENTIAL
SSO Core Concepts
RH-SSO Database backend
The database can be of any type (Oracle, MysQL, PostgresQL, MicroSoft SQL Server, Maria DB …).
● The list of RH-SSO supported DB is available at KCS: Red Hat Single Sign-On Supported Configurations
It is used to store:
● RH-SSO configurations (realms, clients, scope …).
● RH-SSO user Identities.
● It should be seen as blackbox. it can only be accessed using Keycloak public APIs:
○ Keycloak Java API
○ Keycloak REST API
○ See also KeyCloak DER which provides a html graphical representation of RH-SSO database.
LDAP User federation and Database
● it is recommended to store User Identities within an LDAP store, and not directly in the keycloak database
● Large scale operation user provisioning (millions of users) should be done directly using LDAP provisioning
primitives which are very powerful (using ldif format), and not using REST API.
Export/Backup
● You should do regular database backup/restore using ldif LDAP format.
Import Remark:
● Json database export format is not suitable for large database.
RED HAT CONFIDENTIAL
Red Hat CONFIDENTIAL
SSO Core Concepts
Events
● RH-SSO event table is part of RH-SSO database.
● Can grow very quickly
● Can lead to severe SSO performance degradations, and CPU freeze.
● Need to keep event table growth under control
How to avoid SSO event table explosion:
● Add a regular purge event delay to the events of the database table.
OR
● Add a custom event listener SPI, so you can integrate with external system database (such as splunk, kafka).
See KCS article:
● How to control event growth on RH-SSO
RED HAT CONFIDENTIAL
Operating modes
27
RED HAT CONFIDENTIAL
28
Operating mode
Before deploying Red Hat Single Sign-On in a production environment you need to decide
which type of operating mode you are going to use.
● Will you run Red Hat Single Sign-On within a cluster?
● Do you want a centralized way to manage your server configurations?
Your choice of operating mode affects how you configure databases, configure caching and
even how you boot the server.
RED HAT CONFIDENTIAL
29
Operating mode
- Standalone mode: when you want to run one, and only one Red Hat Single Sign-On server instance.
Script: $RHSSO_HOME/bin/standalone.sh
Config: $RHSSO_HOME/standalone/configuration/standalone.xml
- Standalone clustered mode: The distribution has a mostly pre-configured app server configuration file
for running within a cluster. It has all the specific infrastructure settings for networking, databases,
caches, and discovery. You must to configure each node separatly.
Script: $RHSSO_HOME/bin/standalone.sh
Config: $RHSSO_HOME/standalone/configuration/standalone-ha.xml
$ .../bin/standalone.sh --server-config=standalone-ha.xml
RED HAT CONFIDENTIAL
30
Operating mode
- Domain clustered mode: Running a cluster in standard mode can quickly become aggravating as
the cluster grows in size. Every time you need to make a configuration change, you perform it on
each node in the cluster. Domain mode solves this problem by providing a central place to store
and publish configurations. It can be quite complex to set up, but it is worth it in the end. This
capability is built into the JBoss EAP Application Server which Red Hat Single Sign-On derives
from.
Script: $RHSSO_HOME/bin/domain.sh
Config: $RHSSO_HOME/domain/configuration/domain.xml
More info on about Operating modes:
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/server
_installation_and_configuration_guide/index#operating-mode
RED HAT CONFIDENTIAL
IdM Administration
Admin Console overview
31
RED HAT CONFIDENTIAL
▸ You will need to create an initial admin account.
▸ RH-SSO does not have any configured admin account out of the box.
▸ This account will allow you to create an admin that can log into the master realm’s
administration console so that you can start creating realms, users and registering
applications to be secured by RH-SSO.
Server Initialization
32
$ SSO_HOME/bin/add-user-keycloak.sh -r master -u <username> -p <password>
RED HAT CONFIDENTIAL
33
Configure Realms
▸ Create Realms
▸ Modify and configure entities of realms: users, roles and groups, providers (both
identities and users) and configure auditing
▸ We recommend that you do not use the ‘master’ realm to manage the users and
applications in your organization.
RED HAT CONFIDENTIAL
Configure Login and Registration Pages Features
Configure others User Providers (LDAP, Kerberos or customized ones)
for User Federation
34
Configure Realms
RED HAT CONFIDENTIAL
35
Configure Identity Providers
Add and configure others Identity Providers (OpenID Connect, SAML or Social Login) for
Identity Brokering.
Two different forms:
▸ SAML
▸ OpenID Connect (include Social Login)
RED HAT CONFIDENTIAL
▸ RH-SSO caches as much data as it can from RDBMS using Infinispan. Those 3 caches can
be cleared.
36
Configure IdM caches
RED HAT CONFIDENTIAL
37
Configure themes settings
▸ One theme per realm
▸ It is recommended create new ones
instead of modifying provided ones
▸ I18n is configurable
▸ Custom realm roles can be used in
themes
RED HAT CONFIDENTIAL
38
Configure Clients and Client Templates
▸ Create and configure Client access for applications
▸ Define templates of clients
RED HAT CONFIDENTIAL
▸ RH-SSO has two types of caches.
▸ One type of cache sits in front of the database to decrease load on the DB and to decrease overall
response times by keeping data in memory. Realm, client, role, and user metadata is kept in this type of
cache.
▸ This cache is a local cache. Local caches do not use replication even if you are in the cluster with more
RH-SSO servers. Instead, they only keep copies locally and if the entry is updated an invalidation
message is sent to the rest of the cluster and the entry is evicted.
▸ There is separate replicated cache work, which task is to send the invalidation messages to the whole
cluster about what entries should be evicted from local caches.
▸ This greatly reduces network traffic, makes things efficient, and avoids transmitting sensitive metadata
over the wire.
▸ The second type of cache handles managing user sessions, offline tokens, and keeping track of login
failures so that the server can detect password phishing and other attacks. The data held in these
caches is temporary, in memory only, but is possibly replicated across the cluster.
39
Server Caches
RED HAT CONFIDENTIAL
Architecture
40
RED HAT CONFIDENTIAL
41
Deployment Diagram
https://access.redhat.com/articles/2342881
RED HAT CONFIDENTIAL
Deployment Options
42
RED HAT CONFIDENTIAL
Service Provider
Interfaces (SPI)
43
RED HAT CONFIDENTIAL
44
Service Provider Interfaces
Red Hat Single Sign-On is designed to cover most use-cases without requiring custom code, but
we also want it to be customizable. To achieve this Red Hat Single Sign-On has a number of
Service Provider Interfaces (SPI) for which you can implement your own providers.
1. Implementing a SPI: you need to implement its ProviderFactory and Provider interfaces.
Packaging: .jar, .ear or .war
2. Configuration: You can configure your provider through standalone.xml, standalone-ha.xml,
or domain.xml
Implementing a SPI: references
RED HAT CONFIDENTIAL
45
Service Provider Interfaces
a. Red Hat Single Sign-On Deployer:
i. If you copy your provider jar file to the Red Hat Single Sign-On
standalone/deployments/ directory, your provider will automatically be
deployed.
ii. Hot deployment works too.
iii. jboss-deployment-structure.xml file. This file allows you to set up dependencies
on other components and load third-party jars and modules.
b. Using Modules: using jboss-cli tool.
$ RHSSO_HOME/bin/jboss-cli.sh --command="module add --name=org.acme.provider
--resources=target/provider.jar
--dependencies=org.keycloak.keycloak-core,org.keycloak.keycloak-server-spi"
3. Registering provider: two ways
RED HAT CONFIDENTIAL
46
Service Provider Interfaces
4. Disabling provider:
5. Available SPIs: ‘Server Info’
RED HAT CONFIDENTIAL
User Federation
47
RED HAT CONFIDENTIAL
48
User storage federation
▸ RH-SSO can federate multiple external
databases containing users. Most common:
LDAP and Active Directory.
▸ But RH-SSO maintains its own identity
relational database.
▸ RH-SSO provides an API for creating custom
plugins for User federation, the User
Storage SPI.
You can use the User Storage SPI to write
extensions to RH-SSO to connect to
external user databases and credential
stores.
RED HAT CONFIDENTIAL
49
Sequence for users lookup
1. RH-SSO needs to look up an user.
2. Search in ‘users’ cache. If not found,
3. Search in local database. If not found,
4. Loops through User Storage SPI provider implementations to perform the user query
until one of them returns the user.
RH-SSO always imports users from external providers to its own local storage
RED HAT CONFIDENTIAL
50
User federation from LDAP I
▸ LDAP and AD are most common use cases of User Storage Federation in RH-SSO
▸ You can federate more than one LDAP user providers in same Realm
▸ You can map LDAP user attributes into the RH-SSO common user model (mappings). By
default, it maps:
a. username
b. email
c. first name
d. last name
RED HAT CONFIDENTIAL
IdM Administration
Identity Brokering
51
RED HAT CONFIDENTIAL
Identity Brokering
52
▸ An identity Broker can be configured to delegate
authentication to one or more IDPs. Social login via
Facebook or Google+ is an example of identity provider
federation.
▸ An Identity Broker is an intermediary service that
connects multiple service providers with different
identity providers
▸ An identity provider is usually based on a specific
protocol that is used to authenticate and communicate
authentication and authorization information to their
users.
RED HAT CONFIDENTIAL
53
Identity Brokering
RED HAT CONFIDENTIAL
54
Supported Identity Providers
▸ Can be resumed in SAML, OpenID Connect or Social Login (through OIDC or OAuth2)
RED HAT CONFIDENTIAL
Managing Clients
55
RED HAT CONFIDENTIAL
SAML and OIDC
56
Recommendation: OIDC
▸ Easy to consume identity tokens: JSON Web Token (JWT)
▸ Based on the OAuth 2.0 pseudo protocol: way for Internet users to grant websites or applications access to their information on other
websites but without giving them the password
▸ Simpler than other open alternatives: SAML, or closed implementations
▸ Ready both for public or enterprise environments
RED HAT CONFIDENTIAL
57
Managing OIDC clients
RED HAT CONFIDENTIAL
58
Managing OIDC clients
Access Types
▸ confidential:
server-side clients that need to perform a browser login and require a client secret when
they turn an access code into an access token (see Access Token Request in the OAuth
2.0 spec for more details). This type should be used for server-side applications.
▸ public:
For client-side clients that need to perform a browser login. With a client-side application
there is no way to keep a secret safe. Instead it is very important to restrict access by
configuring correct redirect URIs for the client.
▸ bearer-only:
Bearer-only access type means that the application only allows bearer token requests. If
this is turned on, this application cannot participate in browser logins. 'Bearer-only' clients
are web services that never initiate a login.
RED HAT CONFIDENTIAL
Roles
59
RED HAT CONFIDENTIAL
60
Realm Level Roles
▸ Roles identify a type or category of user. Admin, user, manager and employee are all
typical roles that may exist in an organization. Applications often assign access and
permissions to specific roles
▸ Realm roles are a global namespace to define roles
RED HAT CONFIDENTIAL
61
Client Level Roles
▸ One for each client
RED HAT CONFIDENTIAL
▸ Any realm or client level role can be turned into a composite role. A composite role is a
role that has one or more additional roles associated with it
▸ Users with a granted composited role get permissions from all involved roles
62
Composite Roles
RED HAT CONFIDENTIAL
63
Composite Roles vs Groups
▸ Use groups to manage users.
▸ Use composite roles to manage applications and services.
Default Roles
▸ Are roles automatically assigned to new users when first time login
RED HAT CONFIDENTIAL
Events auditing
64
RED HAT CONFIDENTIAL
▸ Login Events - Login events occur for things like when a user logs in successfully, when
somebody enters in a bad password, or when a user account is updated.
▸ Admin Events - Any action an admin performs within the admin console can be recorded
for auditing purposes.
▸ Listener SPI - There is also a Listener SPI with which plugins can listen for these events
and perform some action. Built-in listeners include a simple log file and the ability to
send an email if an event occurs.
▸ By default, no events are stored or viewed in the Admin Console. Only error events
are logged to the console and the server’s log file.
▸ Events are saved to Database. They have to expire !! . The Expiration field allows you
to specify how long you want to keep events stored.
65
Auditing Capabilities
RED HAT CONFIDENTIAL
66
Login Events
▸ Login Events
▸ Account Events
RED HAT CONFIDENTIAL
Administration ways
67
RED HAT CONFIDENTIAL
Admin Console Web
● The bulk of your administrative tasks will be done through the Red Hat Single Sign-On
Admin Console. You can go to the console url directly at http://server:port/auth/admin/
● Enter the username and password you created on the Welcome Page or the
add-user-keycloak script in the bin directory. This will bring you to the RH-SSO Admin
Console.
68
RED HAT CONFIDENTIAL
kcadm
● The Admin CLI is packaged inside RH-SSO Server distribution. You can find execution
scripts inside the bin directory. $KEYCLOAK_HOME/bin/kcadm.sh .
● Full administration from command line.
● Makes HTTP request to Admin REST endpoints
● Reference
$ kcadm.sh create clients -r demorealm -s clientId=myapp -s enabled=true
$ kcadm.sh get clients -r demorealm --fields id,clientId
$ kcadm.sh create realms -f demorealm.json
$ kcadm.sh config credentials --server http://localhost:8080/auth --realm demo
--user admin --client admin
Command Line Interface Tool
69
RED HAT CONFIDENTIAL
70
Admin REST API
● To invoke the API you need to obtain an access token with the appropriate permissions.
● Obtain access token for user in the realm master with username admin and password password:
● By default this token expires in 1 minute
● The result will be a JSON document. To invoke the API you need to extract the value of the
access_token property. You can then invoke the API by including the value in the Authorization
header of requests to the API.
curl 
-d "client_id=admin-cli" 
-d "username=admin" 
-d "password=password" 
-d "grant_type=password" 
"http://localhost:8080/auth/realms/master/protocol/openid-connect/token"
curl 
-H "Authorization: bearer eyJhbGciOiJSUz..." 
"http://localhost:8080/auth/admin/realms/master"
RED HAT CONFIDENTIAL
RH-SSO on OpenShift
71
RED HAT CONFIDENTIAL
72
- Operator:
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_i
nstallation_and_configuration_guide/operator
- Templates + Image Streams
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/re
d_hat_single_sign-on_for_openshift/index#image-streams-applications-templates
Deployment options
RED HAT CONFIDENTIAL
73
Operators
RED HAT CONFIDENTIAL
74
OpenShift Templates + Image Streams
1. Using CLI
● To deploy new applications, it is recommended to use the latest version of the RH-SSO for OpenShift image along
with the application templates specific to these image versions.
● Templates:
● Image Stream:
Source:
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/red_hat_single_sign-on_for_openshift/index#ima
ge-streams-applications-templates
$ oc -n openshift import-image rh-sso-7/sso76-openshift-rhel8:7.6
--from=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8:7.6 --confirm
RED HAT CONFIDENTIAL
75
OpenShift Templates + Image Streams
Deployment:
oc new-app --template=sso76-x509-https
$ oc new-app --template=sso76-x509-https
--> Deploying template "openshift/sso76-x509-https" to project sso-app-demo
Red Hat Single Sign-On 7.6 (Ephemeral)
---------
An example Red Hat Single Sign-On 7 application. For more information about using this template, see <link
xlink:href="https://github.com/jboss-openshift/application-templates">https://github.com/jboss-openshift/application-templates</link>.
A new Red Hat Single Sign-On service has been created in your project. The admin username/password for accessing the master realm using the Red
Hat Single Sign-On console is IACfQO8v/nR7llVSVb4Dye3TNRbXoXhRpAKTmiCRc. The HTTPS keystore used for serving secure content, the JGroups keystore used
for securing JGroups communications, and server truststore used for securing Red Hat Single Sign-On requests were automatically created using
OpenShift's service serving x509 certificate secrets.
* With parameters:
* Application Name=sso
...
--> Creating resources ...
service "sso" created
service "secure-sso" created
service "sso-ping" created
route "sso" created
route "secure-sso" created
deploymentconfig "sso" created
--> Success
Run 'oc status' to view your app.
RED HAT CONFIDENTIAL
76
OpenShift Templates + Image Streams
Deployment
RED HAT CONFIDENTIAL
77
OpenShift Templates + Image Streams
Admin Console
Acces to RH-SSO Admin Console:
https://sso-rh-sso.apps.cluster-5mn2f.5mn2f.sandbox364.opentlc.com/auth/
$ oc get routes
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
sso sso-rh-sso.apps.cluster-5mn2f.5mn2f.sandbox364.opentlc.com sso <all> reencrypt None
Provide the login
credentials for the
administrator
account.
RED HAT CONFIDENTIAL
78
OpenShift Templates + Image Streams
2. Using Web Console:
Source:
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/red_hat_single_sign-on_for_openshift/index#depl
oy4x
On the left sidebar, click the Administrator tab and then click </> Developer, then ‘From Catalog’
RED HAT CONFIDENTIAL
79
OpenShift Templates + Image Streams
2. Using Web Console:
Search SSO, chose a template and click Instantiate Template
RED HAT CONFIDENTIAL
80
RH-SSO on OpenShift
Stop & Start pod
● When RHSSO is running an simple way to stop it is scaling down to 0 instances (replicas)
○ oc scale (scale to 0)
● To start again, set replicas=1 (or more)
● Restart:
○ oc delete (will delete current RHSSO pod and create a new instance)
$ oc delete pod <pod_name>
Example:
$ oc delete pod rh-sso-2-q8dw9
$ oc scale dc/<deploymentconfig_name> --replicas=0
Example:
$ oc scale dc/rh-sso --replicas=0
RED HAT CONFIDENTIAL
81
RH-SSO on OpenShift
Stop & Start pod
● Stopping from OpenShift Web Console. Select:
Developer → Click on RHSSO app → Select the DC
○ In the Details tab, click the down-arrow next to the pod circle to scale it to 0. This effectively removes all
running pods.
RED HAT CONFIDENTIAL
82
$ oc get pods | grep Running
HA: Cluster
RH-SSO on OpenShift
$ oc scale dc/sso --replicas=2
RED HAT CONFIDENTIAL
83
$ oc scale dc/sso --replicas=1
Scaling down
Node leaves the cluster
$ oc get pods | grep Running
RH-SSO on OpenShift
RED HAT CONFIDENTIAL
Settings
- Configuration file: /opt/eap/standalone/configuration/standalone-openshift.xml
84
RH-SSO on OpenShift
RED HAT CONFIDENTIAL
Tool: jboss-cli => $HOME_JBOSS/bin/jboss-cli -c
:read-resource (show full settings)
/subsystem=logging/root-logger=ROOT: read-attribute(name=level)
Update:
/subsystem=logging/root-logger=ROOT:write-attribute(name=level, value="DEBUG")
85
RH-SSO on OpenShift
RED HAT CONFIDENTIAL
- Environment variables:
oc rsh $pod_name
86
Configuration
RED HAT CONFIDENTIAL
Questions ?
87
RED HAT CONFIDENTIAL
Thank you!
plus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHat
88
LinkedIn: https://www.linkedin.com/in/jvherrera/
Twitter: https://twitter.com/jvicenteherrera
Email: juanvi@redhat.com

More Related Content

What's hot

SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol OverviewMike Schwartz
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityRyan Dawson
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectUbisecure
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
なぜOpenID Connectが必要となったのか、その歴史的背景
なぜOpenID Connectが必要となったのか、その歴史的背景なぜOpenID Connectが必要となったのか、その歴史的背景
なぜOpenID Connectが必要となったのか、その歴史的背景Tatsuo Kudo
 
Role based access control - RBAC - Kubernetes
Role based access control - RBAC - KubernetesRole based access control - RBAC - Kubernetes
Role based access control - RBAC - KubernetesMilan Das
 
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014Nov Matake
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakRed Hat Developers
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key ManagementAnthony Ikeda
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container SecuritySuraj Khetani
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Abhishek Koserwal
 
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_inside
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_insideAuthlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_inside
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_insideTatsuo Kudo
 

What's hot (20)

OAuth 2
OAuth 2OAuth 2
OAuth 2
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol Overview
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibility
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID Connect
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
なぜOpenID Connectが必要となったのか、その歴史的背景
なぜOpenID Connectが必要となったのか、その歴史的背景なぜOpenID Connectが必要となったのか、その歴史的背景
なぜOpenID Connectが必要となったのか、その歴史的背景
 
Role based access control - RBAC - Kubernetes
Role based access control - RBAC - KubernetesRole based access control - RBAC - Kubernetes
Role based access control - RBAC - Kubernetes
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
池澤あやかと学ぼう!: はじめてのOAuthとOpenID Connect - JICS 2014
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
Vault - Secret and Key Management
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)
 
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_inside
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_insideAuthlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_inside
Authlete: セキュアな金融 API 基盤の実現と Google Cloud の活用 #gc_inside
 

Similar to Keycloak SSO basics

Building IAM for OpenStack
Building IAM for OpenStackBuilding IAM for OpenStack
Building IAM for OpenStackSteve Martinelli
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementManish Harsh
 
OpenAM - An Introduction
OpenAM - An IntroductionOpenAM - An Introduction
OpenAM - An IntroductionForgeRock
 
Implementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringImplementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringVMware Tanzu
 
OAuth with Salesforce - Demystified
OAuth with Salesforce - DemystifiedOAuth with Salesforce - Demystified
OAuth with Salesforce - DemystifiedCalvin Noronha
 
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...Profesia Srl, Lynx Group
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
Five Things You Gotta Know About Modern Identity
Five Things You Gotta Know About Modern IdentityFive Things You Gotta Know About Modern Identity
Five Things You Gotta Know About Modern IdentityMark Diodati
 
hyperledger-chaincode & hyperl fabric.pptx
hyperledger-chaincode & hyperl fabric.pptxhyperledger-chaincode & hyperl fabric.pptx
hyperledger-chaincode & hyperl fabric.pptxdeepaksingh160910
 
ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016  ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016 ForgeRock
 
Securing FIWARE Architectures
Securing FIWARE ArchitecturesSecuring FIWARE Architectures
Securing FIWARE ArchitecturesFIWARE
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018MOnCloud
 
Troubles with Large Identity Providers.pptx
Troubles with Large Identity Providers.pptxTroubles with Large Identity Providers.pptx
Troubles with Large Identity Providers.pptxYury Leonychev
 
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyOAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyMike Schwartz
 
GSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 ModuleGSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 ModuleMayank Sharma
 
Security best practices for hyperledger fabric
Security best practices for hyperledger fabric Security best practices for hyperledger fabric
Security best practices for hyperledger fabric ManishKumarGiri2
 
Identity Security - Azure Active Directory
Identity Security - Azure Active DirectoryIdentity Security - Azure Active Directory
Identity Security - Azure Active DirectoryEng Teong Cheah
 

Similar to Keycloak SSO basics (20)

Building IAM for OpenStack
Building IAM for OpenStackBuilding IAM for OpenStack
Building IAM for OpenStack
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy Management
 
OpenAM - An Introduction
OpenAM - An IntroductionOpenAM - An Introduction
OpenAM - An Introduction
 
Implementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringImplementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with Spring
 
OAuth with Salesforce - Demystified
OAuth with Salesforce - DemystifiedOAuth with Salesforce - Demystified
OAuth with Salesforce - Demystified
 
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
 SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
 
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
Five Things You Gotta Know About Modern Identity
Five Things You Gotta Know About Modern IdentityFive Things You Gotta Know About Modern Identity
Five Things You Gotta Know About Modern Identity
 
hyperledger-chaincode & hyperl fabric.pptx
hyperledger-chaincode & hyperl fabric.pptxhyperledger-chaincode & hyperl fabric.pptx
hyperledger-chaincode & hyperl fabric.pptx
 
ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016  ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016
 
SDP Glossary v2.0
SDP Glossary v2.0 SDP Glossary v2.0
SDP Glossary v2.0
 
Securing FIWARE Architectures
Securing FIWARE ArchitecturesSecuring FIWARE Architectures
Securing FIWARE Architectures
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
 
Troubles with Large Identity Providers.pptx
Troubles with Large Identity Providers.pptxTroubles with Large Identity Providers.pptx
Troubles with Large Identity Providers.pptx
 
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They KeyOAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
 
GSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 ModuleGSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 Module
 
Security best practices for hyperledger fabric
Security best practices for hyperledger fabric Security best practices for hyperledger fabric
Security best practices for hyperledger fabric
 
Identity Security - Azure Active Directory
Identity Security - Azure Active DirectoryIdentity Security - Azure Active Directory
Identity Security - Azure Active Directory
 

More from Juan Vicente Herrera Ruiz de Alejo

AWS migration: getting to Data Center heaven with AWS and Chef
AWS migration: getting to Data Center heaven with AWS and ChefAWS migration: getting to Data Center heaven with AWS and Chef
AWS migration: getting to Data Center heaven with AWS and ChefJuan Vicente Herrera Ruiz de Alejo
 

More from Juan Vicente Herrera Ruiz de Alejo (20)

OpenShift Multicluster
OpenShift MulticlusterOpenShift Multicluster
OpenShift Multicluster
 
Deploying Minecraft with Ansible
Deploying Minecraft with AnsibleDeploying Minecraft with Ansible
Deploying Minecraft with Ansible
 
Tell me how you provision and I'll tell you how you are
Tell me how you provision and I'll tell you how you areTell me how you provision and I'll tell you how you are
Tell me how you provision and I'll tell you how you are
 
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdfSantander DevopsandCloudDays 2021 - Hardening containers.pdf
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
 
X by orange; una telco en la nube
X by orange;   una telco en la nubeX by orange;   una telco en la nube
X by orange; una telco en la nube
 
Dorsal carrera de la mujer ROSAE 2017
Dorsal carrera de la mujer ROSAE 2017 Dorsal carrera de la mujer ROSAE 2017
Dorsal carrera de la mujer ROSAE 2017
 
Cartel carrera de la mujer ROSAE 2017
Cartel carrera de la mujer  ROSAE 2017Cartel carrera de la mujer  ROSAE 2017
Cartel carrera de la mujer ROSAE 2017
 
Volkswagen Prague Marathon 2017
Volkswagen Prague Marathon 2017Volkswagen Prague Marathon 2017
Volkswagen Prague Marathon 2017
 
Plan de entrenamiento Maratón de Madrid Mes 3
Plan de entrenamiento Maratón de Madrid Mes 3Plan de entrenamiento Maratón de Madrid Mes 3
Plan de entrenamiento Maratón de Madrid Mes 3
 
Plan de entrenamiento Maratón de Madrid Mes 2
Plan de entrenamiento Maratón de Madrid Mes 2Plan de entrenamiento Maratón de Madrid Mes 2
Plan de entrenamiento Maratón de Madrid Mes 2
 
Plan de entrenamiento Maratón de Madrid Mes 1
Plan de entrenamiento Maratón de Madrid Mes 1Plan de entrenamiento Maratón de Madrid Mes 1
Plan de entrenamiento Maratón de Madrid Mes 1
 
Cartel carrera de la mujer ROSAE 2014
Cartel carrera de la mujer ROSAE 2014Cartel carrera de la mujer ROSAE 2014
Cartel carrera de la mujer ROSAE 2014
 
AWS migration: getting to Data Center heaven with AWS and Chef
AWS migration: getting to Data Center heaven with AWS and ChefAWS migration: getting to Data Center heaven with AWS and Chef
AWS migration: getting to Data Center heaven with AWS and Chef
 
Devops madrid: successful case in AWS
Devops madrid: successful case in AWSDevops madrid: successful case in AWS
Devops madrid: successful case in AWS
 
Devops Madrid Marzo - Caso de uso en AWS
Devops Madrid Marzo - Caso de uso en AWSDevops Madrid Marzo - Caso de uso en AWS
Devops Madrid Marzo - Caso de uso en AWS
 
Configuration management with Chef
Configuration management with ChefConfiguration management with Chef
Configuration management with Chef
 
DevOps and Chef improve your life
DevOps and Chef improve your life DevOps and Chef improve your life
DevOps and Chef improve your life
 
MongoDB Devops Madrid February 2012
MongoDB Devops Madrid February 2012MongoDB Devops Madrid February 2012
MongoDB Devops Madrid February 2012
 
Amazon EC2: What is this and what can I do with it?
Amazon EC2: What is this and what can I do with it?Amazon EC2: What is this and what can I do with it?
Amazon EC2: What is this and what can I do with it?
 
MongoDB - Madrid Devops Febrero
MongoDB - Madrid Devops FebreroMongoDB - Madrid Devops Febrero
MongoDB - Madrid Devops Febrero
 

Recently uploaded

Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

Keycloak SSO basics

  • 1. RED HAT CONFIDENTIAL Red Hat Single Sign-On 7 Overview Juan Vicente Herrera Ruiz de Alejo - Red Hat Cloud Architect November 2022 1
  • 2. RED HAT CONFIDENTIAL 2 What is RH SSO Core Concepts Architecture Authentication and registration Network considerations AGENDA Common Audience (application integrators, security operators, sysadmins) Clients and Adapters OpenID Connect Administration Console overview User Federation Managing clients Roles Events Auditing Administration ways of RH-SSO Identity brokering Common tuning points of RH-SSO RH-SSO on OpenShift Two-factor Authentication Labs
  • 3. RED HAT CONFIDENTIAL What is Red Hat Single Sign-On? 3
  • 4. RED HAT CONFIDENTIAL ▸ Based on upstream project Keycloak ▸ Open source access and identity manager ▸ Identity Brokering ▸ User Federation with LDAP based directory services ▸ Client libraries for JavaEE, Spring, NodeJS, JS + more 4 Red Hat Single Sign-On Architecture and Features
  • 5. RED HAT CONFIDENTIAL 5 Red Hat Single Sign-On Architecture and Features
  • 6. RED HAT CONFIDENTIAL 6 Red Hat JBoss Enterprise Product Delivery Model The best of both worlds
  • 7. RED HAT CONFIDENTIAL 7 Jan ‘19 Keycloak: 4.8.3 EAP: 7.2.0 RH-SSO 7.4.0 GA RH-SSO 7.6.0 GA RH-SSO 7.5.0 GA Red Hat Single Sign-On Roadmap RH-SSO 7.3.0 GA Apr ‘20 Keycloak: 9.0.3 EAP: 7.3.0 Keycloak: 15.0.2 EAP: 7.4.0 Keycloak: 18.0.0 EAP: 7.4.4 Sept ‘21 30 Jun ‘22 RH-SSO 8.0.0 GA TBD (Q2CY23) Keycloak: TBD EAP: N/A => Moving to Quarkus
  • 8. RED HAT CONFIDENTIAL Red Hat Single Sign-On Documentation https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6
  • 10. RED HAT CONFIDENTIAL Red Hat CONFIDENTIAL SSO Core Concepts RH-SSO is leveraging standard protocols. Supported Application Client Protocols: ● SAML ● OpenID Supported User Federation Protocols: ● SAML ● OpenID ● LDAP ● LDAP/Kerberos
  • 11. RED HAT CONFIDENTIAL Red Hat CONFIDENTIAL SSO Core Concepts OpenID ● Build on top of Oauth2 (RFC6749) ● defined by OpenID core Spec ● More flexible. Any new development done on OpenID ● Use OpenID whenever possible ● Any new protocol such as CIBA are provide on top of OpenID. SAML ● defined by SAML Oasis spec. ● Quite old (Spec has 20 years) - still many legacy applications using SAML protocol LDAP ● Defined by RFC 4519
  • 12. RED HAT CONFIDENTIAL 12 CONFIDENTIA 12 Core Concepts SSO Concepts I ▸ Users: Entities that are able to log into your system. They can have attributes associated with themselves like email, username, address, phone number, and birthday. ▸ Credentials: Pieces of data that Red Hat Single Sign-On uses to verify the identity of a user. Some examples are passwords, one-time-passwords, digital certificates, or even fingerprints. ▸ Roles: Identify a type or category of user. Applications often assign access and permissions to specific roles rather than individual users as dealing with users can be too fine grained and hard to manage. There are ‘composite roles’ ▸ Groups: Users that become members of a group inherit the attributes and role mappings that group defines. You can map roles to a group as well. ▸ Realm: manages a set of users, credentials, roles and groups. A user belongs to and logs into a realm. Realms are isolated from one another and can only manage and authenticate the users that they control.
  • 13. RED HAT CONFIDENTIAL 13 CONFIDENTIA 13 Core Concepts SSO Concepts II ▸ Authentication: The process of identifying and validating a user. ▸ Authorization: The process of granting access to a user. ▸ Clients: Entities that can request Red Hat Single Sign-On to authenticate a user. Most often, clients are applications and services that want to use Red Hat Single Sign-On to secure themselves and provide a single sign-on solution ▸ Session: When a user logs in, a session is created to manage the login session. A session contains information like when the user logged in and what applications have participated within single-sign on during that session. Both admins and users can view session information. ▸ Identity Manager (IdM) or Identity Access Manager (IAM): Component controlling the task of controlling information about users and services on computers. Red Hat Single Sign-On is an IAM
  • 14. RED HAT CONFIDENTIAL 14 CONFIDENTIA 14 Core Concepts Identity Brokering - User Federation ▸ Identity Provider Federation: mechanism to delegate authentication (identity brokering) to one or more IDPs. Social login via Facebook or Google+ is an example of identity provider federation. You can also hook Red Hat Single Sign-On to delegate authentication to any other OpenID Connect or SAML 2.0 IDP ▸ User federation provider: RHSSO can store and manage users. You can point Red Hat Single Sign-On to validate credentials from external stores as LDAP or AD and pull in identity information.
  • 15. RED HAT CONFIDENTIAL 15 CONFIDENTIA 15 Core Concepts Keycloak Concepts II ▸ Authentication Flows: workflows a user must perform when interacting with certain aspects of the system. A login flow can define what credential types are required. A registration flow defines what profile information a user must enter and whether something like reCAPTCHA must be used to filter out bots. Credential reset flow defines what actions a user must do before they can reset their password. ▸ Registration flow: workflow a user must perform when Realm allows user registration ▸ Required actions: actions a user must perform during the authentication process. A user will not be able to complete the authentication process until these actions are complete. For example, an admin may schedule users to reset their passwords every month. An update password required action would be set for all these users.
  • 16. RED HAT CONFIDENTIAL Red Hat CONFIDENTIAL SSO Core Concepts Tokens RH-SSO can deliver the following tokens type: ● Access Token ● Refresh Token ● Offline Tokens ● OpenID Tokens
  • 17. RED HAT CONFIDENTIAL Red Hat CONFIDENTIAL SSO Core Concepts Access Token ● It is THE CRITICAL RESOURCE TO PROTECT. ● Provided in CLEAR TEXT as a signed JWT (RFC 7519) and is NOT ENCRYPTED. ● A valid access token can allow access to the different clients of realm according to authorization enforced. ● It is made up of the scope claims used in the client access request. ● Scopes filtering query allows to control the inner content of an access token. Refresh Token / SSO Idle Timeout ● Allows to query for a new access token in the context of a valid user session. ● Refresh Token duration is bound to the SSO Idle Timeout, with a default value of 30 minutes. ● Updating SSO Idle Timeout value can expose your system to high security vulnerabilities. OffLine Tokens / Offline Sessions ● Available within the context of an offline session. ● Can get an new access token without having user to reauthenticate (in the context of the offline session). ● Offline Session have can be used for very long period of times (up to several months). See KCS article: Using Offline Sessions and Offline Tokens with RH-SSO
  • 18. RED HAT CONFIDENTIAL Red Hat CONFIDENTIAL SSO Core Concepts Public Client / Confidential Client / Bearer Mode client The application clients types can be of: ● Public ○ Public clients are incapable of maintaining the confidentiality of their credentials. ■ clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application ● Confidential ○ Clients able to maintain the confidentiality of their credentials ● Bearer mode ○ application is accessed remotely as in Bearer mode (RFC 6750) using an access token. Confidential Client ● Client Secret ○ A secret key is shared between the RH-SSO server and the client. ○ This secret key shall never be get compromised otherwise it is major security breach. ● Signed JWT (Most secure solution) ○ Requires to setup a keystore at client application level. ○ Only public key is exchanged with RH-SSO server ○ Possibility to rotate keys on a regular basis at client level.
  • 19. RED HAT CONFIDENTIAL Red Hat CONFIDENTIAL SSO Core Concepts SSL/TLS Security All inbound and outbound connections should be secured: ● Inbound RH-SSO traffic (HTTPS port 8443) ○ Any application connecting to RH-SSO shall connect through HTTPS. ● Outbound RH-SSO traffic ○ RH-SSO connections to database backend (SSL/TLS). ○ RH-SSO connections to LDAP backend (LDAPS) or any other external provider. ● Usage of RH-SSO keystore (SSL 1 way) ○ Creation of RH-SSO keystore certificate ■ Certificate can be self signed ■ Certificate can signed by a Root CA or certificate Chain (Most Secured Solution) ● Usage of a RH-SSO trustore ○ Used for mTLS (SSL 2ways) also called X509 Authentication. ○ Used to connect to LDAPS server.
  • 20. RED HAT CONFIDENTIAL Red Hat CONFIDENTIAL SSO Core Concepts Security Architecture - SSO Reverse Proxy / Load Balancer The main architectural principles to put in place, when defining Your RH-SSO instance are: ● Put your SSO instance behind a reverse proxy or load balancer. ● Put your RH-SSO server instance(s) on a private LAN. ● The admin console should not be accessible from the external (internet). ○ This segregation is possible with an appropriate network design architecture.
  • 21. RED HAT CONFIDENTIAL Red Hat CONFIDENTIAL SSO Core Concepts Clustering Clustering mode is available with standalone HA and domain mode (and comes by default when RH-SSO is deployed on Openshift). The recommendation is to use standalone-HA mode instead of domain mode. ● Domain mode adds more complexity to the deployment as it involves more components such as Domain Controller, Process Controller. ● It also requires more JVM resources. Clustering is using infinispan as the underlying communication protocol between the different nodes/pods of the cluster. RH-SSO caches RH-SSO Infinispan contains 6 distributed caches and are a replicated cache (work) for a RH-SSO instance. Distributed caches: ● sessions ● authenticationSessions ● offlineSessions ● clientSessions ● offlineClientSessions ● loginFailure See Doc 3.4.6. Infinispan caches
  • 22. RED HAT CONFIDENTIAL Red Hat CONFIDENTIAL SSO Core Concepts Infinispan <distributed-cache name="sessions" owners="2"/> <distributed-cache name="authenticationSessions" owners="2"/> <distributed-cache name="offlineSessions" owners="2"/> <distributed-cache name="clientSessions" owners="2"/> <distributed-cache name="offlineClientSessions" owners="2"/> <distributed-cache name="loginFailures" owners="2"/> If owners=1, it means that the cache is not replicated. In case of a node/pod crash of the node (or pod), all the data is lost. Therefore, the recommendation is to maintain at least 2 owners copies for each distributed cache. See KCS: Replication and Failover Cache configuration with RH-SSO clustering
  • 23. RED HAT CONFIDENTIAL Red Hat CONFIDENTIAL SSO Core Concepts Clustering communication Clustering communication is done using infinispan protocol using MULTICAST or TCPING (VM) or DNS_PING (Openshift) Multicast: ● Udp based. ● Multicast is the protocol available out of the box by default. ● available immediately. ● less secure (can easily add a spyer station to monitor all the on going traffic). Tcping: ● Based on TCP. ● More complex to configure. ● More secured (impossible to add spyer station). The way to configure tcping is described Jboss EAP documentation: 24.2.3. Configure TCPPING Important Remark: ● Tcping can be the appropriate solution for customers requiring a very high level of security
  • 24. RED HAT CONFIDENTIAL Red Hat CONFIDENTIAL SSO Core Concepts User Federation and Identity Federation ● RH-SSO can connect to: ○ User Federation Provider ■ A LDAP provider ○ External Identity Provider ■ Using SAML ■ Using OpenID LDAP provider: ● Using a LDAP server is a “MUST HAVE” to store user identities in the IAM world. ○ It allows very powerful user provisioning on a very large scale basis. ○ LDAP has been designed to import/export millions of users in a few minutes minutes using LDIF files ○ It is much more efficient using LDIF import than REST API scripts to provision millions of users ● The recommended architectural choice is to use: ○ LDAP Red Hat Directory Server whenever possible Or any Other LDAP Directory (AD, Tivoli, OpenDJ …) Important Remark: ● Red Hat Directory Server is only available on Linux.
  • 25. RED HAT CONFIDENTIAL Red Hat CONFIDENTIAL SSO Core Concepts RH-SSO Database backend The database can be of any type (Oracle, MysQL, PostgresQL, MicroSoft SQL Server, Maria DB …). ● The list of RH-SSO supported DB is available at KCS: Red Hat Single Sign-On Supported Configurations It is used to store: ● RH-SSO configurations (realms, clients, scope …). ● RH-SSO user Identities. ● It should be seen as blackbox. it can only be accessed using Keycloak public APIs: ○ Keycloak Java API ○ Keycloak REST API ○ See also KeyCloak DER which provides a html graphical representation of RH-SSO database. LDAP User federation and Database ● it is recommended to store User Identities within an LDAP store, and not directly in the keycloak database ● Large scale operation user provisioning (millions of users) should be done directly using LDAP provisioning primitives which are very powerful (using ldif format), and not using REST API. Export/Backup ● You should do regular database backup/restore using ldif LDAP format. Import Remark: ● Json database export format is not suitable for large database.
  • 26. RED HAT CONFIDENTIAL Red Hat CONFIDENTIAL SSO Core Concepts Events ● RH-SSO event table is part of RH-SSO database. ● Can grow very quickly ● Can lead to severe SSO performance degradations, and CPU freeze. ● Need to keep event table growth under control How to avoid SSO event table explosion: ● Add a regular purge event delay to the events of the database table. OR ● Add a custom event listener SPI, so you can integrate with external system database (such as splunk, kafka). See KCS article: ● How to control event growth on RH-SSO
  • 28. RED HAT CONFIDENTIAL 28 Operating mode Before deploying Red Hat Single Sign-On in a production environment you need to decide which type of operating mode you are going to use. ● Will you run Red Hat Single Sign-On within a cluster? ● Do you want a centralized way to manage your server configurations? Your choice of operating mode affects how you configure databases, configure caching and even how you boot the server.
  • 29. RED HAT CONFIDENTIAL 29 Operating mode - Standalone mode: when you want to run one, and only one Red Hat Single Sign-On server instance. Script: $RHSSO_HOME/bin/standalone.sh Config: $RHSSO_HOME/standalone/configuration/standalone.xml - Standalone clustered mode: The distribution has a mostly pre-configured app server configuration file for running within a cluster. It has all the specific infrastructure settings for networking, databases, caches, and discovery. You must to configure each node separatly. Script: $RHSSO_HOME/bin/standalone.sh Config: $RHSSO_HOME/standalone/configuration/standalone-ha.xml $ .../bin/standalone.sh --server-config=standalone-ha.xml
  • 30. RED HAT CONFIDENTIAL 30 Operating mode - Domain clustered mode: Running a cluster in standard mode can quickly become aggravating as the cluster grows in size. Every time you need to make a configuration change, you perform it on each node in the cluster. Domain mode solves this problem by providing a central place to store and publish configurations. It can be quite complex to set up, but it is worth it in the end. This capability is built into the JBoss EAP Application Server which Red Hat Single Sign-On derives from. Script: $RHSSO_HOME/bin/domain.sh Config: $RHSSO_HOME/domain/configuration/domain.xml More info on about Operating modes: https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/server _installation_and_configuration_guide/index#operating-mode
  • 31. RED HAT CONFIDENTIAL IdM Administration Admin Console overview 31
  • 32. RED HAT CONFIDENTIAL ▸ You will need to create an initial admin account. ▸ RH-SSO does not have any configured admin account out of the box. ▸ This account will allow you to create an admin that can log into the master realm’s administration console so that you can start creating realms, users and registering applications to be secured by RH-SSO. Server Initialization 32 $ SSO_HOME/bin/add-user-keycloak.sh -r master -u <username> -p <password>
  • 33. RED HAT CONFIDENTIAL 33 Configure Realms ▸ Create Realms ▸ Modify and configure entities of realms: users, roles and groups, providers (both identities and users) and configure auditing ▸ We recommend that you do not use the ‘master’ realm to manage the users and applications in your organization.
  • 34. RED HAT CONFIDENTIAL Configure Login and Registration Pages Features Configure others User Providers (LDAP, Kerberos or customized ones) for User Federation 34 Configure Realms
  • 35. RED HAT CONFIDENTIAL 35 Configure Identity Providers Add and configure others Identity Providers (OpenID Connect, SAML or Social Login) for Identity Brokering. Two different forms: ▸ SAML ▸ OpenID Connect (include Social Login)
  • 36. RED HAT CONFIDENTIAL ▸ RH-SSO caches as much data as it can from RDBMS using Infinispan. Those 3 caches can be cleared. 36 Configure IdM caches
  • 37. RED HAT CONFIDENTIAL 37 Configure themes settings ▸ One theme per realm ▸ It is recommended create new ones instead of modifying provided ones ▸ I18n is configurable ▸ Custom realm roles can be used in themes
  • 38. RED HAT CONFIDENTIAL 38 Configure Clients and Client Templates ▸ Create and configure Client access for applications ▸ Define templates of clients
  • 39. RED HAT CONFIDENTIAL ▸ RH-SSO has two types of caches. ▸ One type of cache sits in front of the database to decrease load on the DB and to decrease overall response times by keeping data in memory. Realm, client, role, and user metadata is kept in this type of cache. ▸ This cache is a local cache. Local caches do not use replication even if you are in the cluster with more RH-SSO servers. Instead, they only keep copies locally and if the entry is updated an invalidation message is sent to the rest of the cluster and the entry is evicted. ▸ There is separate replicated cache work, which task is to send the invalidation messages to the whole cluster about what entries should be evicted from local caches. ▸ This greatly reduces network traffic, makes things efficient, and avoids transmitting sensitive metadata over the wire. ▸ The second type of cache handles managing user sessions, offline tokens, and keeping track of login failures so that the server can detect password phishing and other attacks. The data held in these caches is temporary, in memory only, but is possibly replicated across the cluster. 39 Server Caches
  • 41. RED HAT CONFIDENTIAL 41 Deployment Diagram https://access.redhat.com/articles/2342881
  • 43. RED HAT CONFIDENTIAL Service Provider Interfaces (SPI) 43
  • 44. RED HAT CONFIDENTIAL 44 Service Provider Interfaces Red Hat Single Sign-On is designed to cover most use-cases without requiring custom code, but we also want it to be customizable. To achieve this Red Hat Single Sign-On has a number of Service Provider Interfaces (SPI) for which you can implement your own providers. 1. Implementing a SPI: you need to implement its ProviderFactory and Provider interfaces. Packaging: .jar, .ear or .war 2. Configuration: You can configure your provider through standalone.xml, standalone-ha.xml, or domain.xml Implementing a SPI: references
  • 45. RED HAT CONFIDENTIAL 45 Service Provider Interfaces a. Red Hat Single Sign-On Deployer: i. If you copy your provider jar file to the Red Hat Single Sign-On standalone/deployments/ directory, your provider will automatically be deployed. ii. Hot deployment works too. iii. jboss-deployment-structure.xml file. This file allows you to set up dependencies on other components and load third-party jars and modules. b. Using Modules: using jboss-cli tool. $ RHSSO_HOME/bin/jboss-cli.sh --command="module add --name=org.acme.provider --resources=target/provider.jar --dependencies=org.keycloak.keycloak-core,org.keycloak.keycloak-server-spi" 3. Registering provider: two ways
  • 46. RED HAT CONFIDENTIAL 46 Service Provider Interfaces 4. Disabling provider: 5. Available SPIs: ‘Server Info’
  • 47. RED HAT CONFIDENTIAL User Federation 47
  • 48. RED HAT CONFIDENTIAL 48 User storage federation ▸ RH-SSO can federate multiple external databases containing users. Most common: LDAP and Active Directory. ▸ But RH-SSO maintains its own identity relational database. ▸ RH-SSO provides an API for creating custom plugins for User federation, the User Storage SPI. You can use the User Storage SPI to write extensions to RH-SSO to connect to external user databases and credential stores.
  • 49. RED HAT CONFIDENTIAL 49 Sequence for users lookup 1. RH-SSO needs to look up an user. 2. Search in ‘users’ cache. If not found, 3. Search in local database. If not found, 4. Loops through User Storage SPI provider implementations to perform the user query until one of them returns the user. RH-SSO always imports users from external providers to its own local storage
  • 50. RED HAT CONFIDENTIAL 50 User federation from LDAP I ▸ LDAP and AD are most common use cases of User Storage Federation in RH-SSO ▸ You can federate more than one LDAP user providers in same Realm ▸ You can map LDAP user attributes into the RH-SSO common user model (mappings). By default, it maps: a. username b. email c. first name d. last name
  • 51. RED HAT CONFIDENTIAL IdM Administration Identity Brokering 51
  • 52. RED HAT CONFIDENTIAL Identity Brokering 52 ▸ An identity Broker can be configured to delegate authentication to one or more IDPs. Social login via Facebook or Google+ is an example of identity provider federation. ▸ An Identity Broker is an intermediary service that connects multiple service providers with different identity providers ▸ An identity provider is usually based on a specific protocol that is used to authenticate and communicate authentication and authorization information to their users.
  • 54. RED HAT CONFIDENTIAL 54 Supported Identity Providers ▸ Can be resumed in SAML, OpenID Connect or Social Login (through OIDC or OAuth2)
  • 56. RED HAT CONFIDENTIAL SAML and OIDC 56 Recommendation: OIDC ▸ Easy to consume identity tokens: JSON Web Token (JWT) ▸ Based on the OAuth 2.0 pseudo protocol: way for Internet users to grant websites or applications access to their information on other websites but without giving them the password ▸ Simpler than other open alternatives: SAML, or closed implementations ▸ Ready both for public or enterprise environments
  • 58. RED HAT CONFIDENTIAL 58 Managing OIDC clients Access Types ▸ confidential: server-side clients that need to perform a browser login and require a client secret when they turn an access code into an access token (see Access Token Request in the OAuth 2.0 spec for more details). This type should be used for server-side applications. ▸ public: For client-side clients that need to perform a browser login. With a client-side application there is no way to keep a secret safe. Instead it is very important to restrict access by configuring correct redirect URIs for the client. ▸ bearer-only: Bearer-only access type means that the application only allows bearer token requests. If this is turned on, this application cannot participate in browser logins. 'Bearer-only' clients are web services that never initiate a login.
  • 60. RED HAT CONFIDENTIAL 60 Realm Level Roles ▸ Roles identify a type or category of user. Admin, user, manager and employee are all typical roles that may exist in an organization. Applications often assign access and permissions to specific roles ▸ Realm roles are a global namespace to define roles
  • 61. RED HAT CONFIDENTIAL 61 Client Level Roles ▸ One for each client
  • 62. RED HAT CONFIDENTIAL ▸ Any realm or client level role can be turned into a composite role. A composite role is a role that has one or more additional roles associated with it ▸ Users with a granted composited role get permissions from all involved roles 62 Composite Roles
  • 63. RED HAT CONFIDENTIAL 63 Composite Roles vs Groups ▸ Use groups to manage users. ▸ Use composite roles to manage applications and services. Default Roles ▸ Are roles automatically assigned to new users when first time login
  • 65. RED HAT CONFIDENTIAL ▸ Login Events - Login events occur for things like when a user logs in successfully, when somebody enters in a bad password, or when a user account is updated. ▸ Admin Events - Any action an admin performs within the admin console can be recorded for auditing purposes. ▸ Listener SPI - There is also a Listener SPI with which plugins can listen for these events and perform some action. Built-in listeners include a simple log file and the ability to send an email if an event occurs. ▸ By default, no events are stored or viewed in the Admin Console. Only error events are logged to the console and the server’s log file. ▸ Events are saved to Database. They have to expire !! . The Expiration field allows you to specify how long you want to keep events stored. 65 Auditing Capabilities
  • 66. RED HAT CONFIDENTIAL 66 Login Events ▸ Login Events ▸ Account Events
  • 68. RED HAT CONFIDENTIAL Admin Console Web ● The bulk of your administrative tasks will be done through the Red Hat Single Sign-On Admin Console. You can go to the console url directly at http://server:port/auth/admin/ ● Enter the username and password you created on the Welcome Page or the add-user-keycloak script in the bin directory. This will bring you to the RH-SSO Admin Console. 68
  • 69. RED HAT CONFIDENTIAL kcadm ● The Admin CLI is packaged inside RH-SSO Server distribution. You can find execution scripts inside the bin directory. $KEYCLOAK_HOME/bin/kcadm.sh . ● Full administration from command line. ● Makes HTTP request to Admin REST endpoints ● Reference $ kcadm.sh create clients -r demorealm -s clientId=myapp -s enabled=true $ kcadm.sh get clients -r demorealm --fields id,clientId $ kcadm.sh create realms -f demorealm.json $ kcadm.sh config credentials --server http://localhost:8080/auth --realm demo --user admin --client admin Command Line Interface Tool 69
  • 70. RED HAT CONFIDENTIAL 70 Admin REST API ● To invoke the API you need to obtain an access token with the appropriate permissions. ● Obtain access token for user in the realm master with username admin and password password: ● By default this token expires in 1 minute ● The result will be a JSON document. To invoke the API you need to extract the value of the access_token property. You can then invoke the API by including the value in the Authorization header of requests to the API. curl -d "client_id=admin-cli" -d "username=admin" -d "password=password" -d "grant_type=password" "http://localhost:8080/auth/realms/master/protocol/openid-connect/token" curl -H "Authorization: bearer eyJhbGciOiJSUz..." "http://localhost:8080/auth/admin/realms/master"
  • 71. RED HAT CONFIDENTIAL RH-SSO on OpenShift 71
  • 72. RED HAT CONFIDENTIAL 72 - Operator: https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_i nstallation_and_configuration_guide/operator - Templates + Image Streams https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/re d_hat_single_sign-on_for_openshift/index#image-streams-applications-templates Deployment options
  • 74. RED HAT CONFIDENTIAL 74 OpenShift Templates + Image Streams 1. Using CLI ● To deploy new applications, it is recommended to use the latest version of the RH-SSO for OpenShift image along with the application templates specific to these image versions. ● Templates: ● Image Stream: Source: https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/red_hat_single_sign-on_for_openshift/index#ima ge-streams-applications-templates $ oc -n openshift import-image rh-sso-7/sso76-openshift-rhel8:7.6 --from=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8:7.6 --confirm
  • 75. RED HAT CONFIDENTIAL 75 OpenShift Templates + Image Streams Deployment: oc new-app --template=sso76-x509-https $ oc new-app --template=sso76-x509-https --> Deploying template "openshift/sso76-x509-https" to project sso-app-demo Red Hat Single Sign-On 7.6 (Ephemeral) --------- An example Red Hat Single Sign-On 7 application. For more information about using this template, see <link xlink:href="https://github.com/jboss-openshift/application-templates">https://github.com/jboss-openshift/application-templates</link>. A new Red Hat Single Sign-On service has been created in your project. The admin username/password for accessing the master realm using the Red Hat Single Sign-On console is IACfQO8v/nR7llVSVb4Dye3TNRbXoXhRpAKTmiCRc. The HTTPS keystore used for serving secure content, the JGroups keystore used for securing JGroups communications, and server truststore used for securing Red Hat Single Sign-On requests were automatically created using OpenShift's service serving x509 certificate secrets. * With parameters: * Application Name=sso ... --> Creating resources ... service "sso" created service "secure-sso" created service "sso-ping" created route "sso" created route "secure-sso" created deploymentconfig "sso" created --> Success Run 'oc status' to view your app.
  • 76. RED HAT CONFIDENTIAL 76 OpenShift Templates + Image Streams Deployment
  • 77. RED HAT CONFIDENTIAL 77 OpenShift Templates + Image Streams Admin Console Acces to RH-SSO Admin Console: https://sso-rh-sso.apps.cluster-5mn2f.5mn2f.sandbox364.opentlc.com/auth/ $ oc get routes NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD sso sso-rh-sso.apps.cluster-5mn2f.5mn2f.sandbox364.opentlc.com sso <all> reencrypt None Provide the login credentials for the administrator account.
  • 78. RED HAT CONFIDENTIAL 78 OpenShift Templates + Image Streams 2. Using Web Console: Source: https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/red_hat_single_sign-on_for_openshift/index#depl oy4x On the left sidebar, click the Administrator tab and then click </> Developer, then ‘From Catalog’
  • 79. RED HAT CONFIDENTIAL 79 OpenShift Templates + Image Streams 2. Using Web Console: Search SSO, chose a template and click Instantiate Template
  • 80. RED HAT CONFIDENTIAL 80 RH-SSO on OpenShift Stop & Start pod ● When RHSSO is running an simple way to stop it is scaling down to 0 instances (replicas) ○ oc scale (scale to 0) ● To start again, set replicas=1 (or more) ● Restart: ○ oc delete (will delete current RHSSO pod and create a new instance) $ oc delete pod <pod_name> Example: $ oc delete pod rh-sso-2-q8dw9 $ oc scale dc/<deploymentconfig_name> --replicas=0 Example: $ oc scale dc/rh-sso --replicas=0
  • 81. RED HAT CONFIDENTIAL 81 RH-SSO on OpenShift Stop & Start pod ● Stopping from OpenShift Web Console. Select: Developer → Click on RHSSO app → Select the DC ○ In the Details tab, click the down-arrow next to the pod circle to scale it to 0. This effectively removes all running pods.
  • 82. RED HAT CONFIDENTIAL 82 $ oc get pods | grep Running HA: Cluster RH-SSO on OpenShift $ oc scale dc/sso --replicas=2
  • 83. RED HAT CONFIDENTIAL 83 $ oc scale dc/sso --replicas=1 Scaling down Node leaves the cluster $ oc get pods | grep Running RH-SSO on OpenShift
  • 84. RED HAT CONFIDENTIAL Settings - Configuration file: /opt/eap/standalone/configuration/standalone-openshift.xml 84 RH-SSO on OpenShift
  • 85. RED HAT CONFIDENTIAL Tool: jboss-cli => $HOME_JBOSS/bin/jboss-cli -c :read-resource (show full settings) /subsystem=logging/root-logger=ROOT: read-attribute(name=level) Update: /subsystem=logging/root-logger=ROOT:write-attribute(name=level, value="DEBUG") 85 RH-SSO on OpenShift
  • 86. RED HAT CONFIDENTIAL - Environment variables: oc rsh $pod_name 86 Configuration
  • 88. RED HAT CONFIDENTIAL Thank you! plus.google.com/+RedHat linkedin.com/company/red-hat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHat 88 LinkedIn: https://www.linkedin.com/in/jvherrera/ Twitter: https://twitter.com/jvicenteherrera Email: juanvi@redhat.com