
Single Sign On with Keycloak

Talk given at the Open Source Datacenter Conference 2019 about open source IAM with Keycloak, a Red Hat project built around OpenID Connect and SAML 2.0.

  1. Single Sign On with Keycloak. Julien Pivotto (@roidelapluie), OSDC 2019, May 14th, 2019
  2. @roidelapluie: I like Open Source; I like monitoring; I like automation... and all of that is my daily job at inuits
  3. inuits
  4. Creative Commons Attribution 2.0 https://www.flickr.com/photos/30478819@N08/41858933990
  5. Passwords for work (reality): 1 password for the "big company mail"; 1 password for the "local service"; 1 password to log in at a customer; 3 passwords for legacy services X, Y and Z
  6. Where passwords stay: LDAP / AD database; plain text file; database (hashed/salted?); all kinds of password managers
  7. Where passwords go: end applications often know the password; Basic auth + HTTP between frontend and backend; LDAP app: bind with your user
  8. Why passwords? Simple; legacy?
  9. Is there anything else? PKI; 2FA; Federation/SSO
  10. Meanwhile... Creative Commons Attribution 2.0 https://www.flickr.com/photos/ednawinti/25718417460/
  11. Modern security requirements (thanks GDPR): log all the access; principle of least privilege; revoking access; 2FA
  12. Creative Commons Attribution-ShareAlike 2.0 https://www.flickr.com/photos/doctorow/15507274056
  13. IAM (simplified): Identity: who am I; Access: what can I do; for people, machines, apps...
  14. OpenID Connect: a standard for authentication and authorization; based around signed tokens; adopted by major actors (public & private)
  15. Access token / Refresh token: the access token grants access to resources; the refresh token allows the user to renew the access token
  16. What are claims? Who you are; what you can do (groups, roles, ...); no need to register in your app first!
  17. How is that "more" secure? The password goes to a single app (the IdP); only claims get out of the IdP; the end application does not have your password; the token has a short expiry; Keycloak allows easy audit and centralizes advanced auth mechanisms
  18. Well known: https://accounts.google.com/.well-known/openid-configuration and https://gitlab.com/.well-known/openid-configuration
  19. A Red Hat Open Source project: Identity and Access Management; OpenID Connect support (but also SAML 2.0)
  20. What is Keycloak really? A Java app; a WildFly application server (comes as a single package: batteries included!)
  21. Terminology: Realm: a set of users, roles, clients, and groups; Client: a client application that will use Keycloak to authenticate users; IdP: Identity Provider
  22. Keycloak Gatekeeper: not all applications support OpenID Connect; Gatekeeper is an OIDC-compatible reverse proxy
  23. Identity Providers: log in with external sources (GitHub, Google, GitLab, $COMPANY...); get claims back from them
  24. User federation: connect Keycloak with LDAP, FreeIPA, Kerberos...
  25. Operations. Creative Commons Zero https://www.flickr.com/photos/freestocks/25668265836
  26. Configuration: API; kcadm.sh; terraform provider
  27. ./bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
  28. ./bin/kcadm.sh get users -r example
  29. Data: defaults to H2 (file database); pick something else for more availability
  30. Audit: enable auditing in the DB; log to file
  31. <size-rotating-file-handler name="EVENTLOG" autoflush="true">
        <formatter>
          <named-formatter name="json-formatter"/>
        </formatter>
        <file relative-to="jboss.server.log.dir" path="events.log"/>
        <rotate-size value="10M"/>
        <max-backup-index value="5"/>
        <append value="true"/>
      </size-rotating-file-handler>
  32. <logger category="org.keycloak.events">
        <level name="DEBUG"/>
        <handlers>
          <handler name="EVENTLOG"/>
        </handlers>
      </logger>
  33. <formatter name="json-formatter">
        <json-formatter/>
      </formatter>
  34. <spi name="eventsListener">
        <provider name="jboss-logging" enabled="true">
          <properties>
            <property name="success-level" value="info"/>
            <property name="error-level" value="warn"/>
          </properties>
        </provider>
      </spi>
  35. Monitoring: Prometheus JMX exporter; mtail
  36. mtail:
      counter keycloak_events by type, realm
      /"message":"type=(?P<type>[^,]+), realmId=(?P<realm>[^,]+),/ {
        keycloak_events[$type][$realm]++
      }
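The mtail program on slide 36 derives per-type, per-realm counters from the JSON event log configured on slides 31 to 34. The following Node.js snippet is an added example, not from the talk: it computes the same counters over constructed log lines and adds a per-source-address tally of failed logins that the same log stream can feed to an alert. The message text mirrors Keycloak's event log format; the ipAddress field is assumed from that format, it does not appear on the slide.

```javascript
// Constructed sample in the shape the jboss-logging listener writes through the
// json-formatter above; the last line shows a non-event line being skipped.
const SAMPLE_LOG = [
  '{"level":"INFO","message":"type=LOGIN, realmId=example, clientId=grafana, userId=u1, ipAddress=10.0.0.5"}',
  '{"level":"WARN","message":"type=LOGIN_ERROR, realmId=example, clientId=grafana, userId=null, ipAddress=10.0.0.9, error=user_not_found"}',
  '{"level":"WARN","message":"type=LOGIN_ERROR, realmId=example, clientId=grafana, userId=null, ipAddress=10.0.0.9, error=user_not_found"}',
  '{"level":"WARN","message":"type=LOGIN_ERROR, realmId=example, clientId=grafana, userId=null, ipAddress=10.0.0.9, error=invalid_user_credentials"}',
  '{"level":"INFO","message":"type=LOGOUT, realmId=master, clientId=security-admin-console, userId=a1, ipAddress=10.0.0.2"}',
  'not a json event line',
].join('\n');

// Same captures as the mtail program on the slide (RE2's (?P<name>) is (?<name>) in JS),
// plus the source address so failed logins can be counted per origin.
const EVENT_RE = /type=(?<type>[^,]+), realmId=(?<realm>[^,]+),/;
const IP_RE = /ipAddress=(?<ip>[^,]+)/;

// Mirrors keycloak_events[type][realm]++ and also tallies LOGIN_ERROR per IP.
function countEvents(rawLog) {
  const events = {};          // events[type][realm] -> count
  const loginErrorsByIp = {}; // ip -> LOGIN_ERROR count
  for (const line of rawLog.split('\n')) {
    let record;
    try {
      record = JSON.parse(line);
    } catch {
      continue; // not a JSON log line
    }
    const message = typeof record?.message === 'string' ? record.message : '';
    const m = EVENT_RE.exec(message);
    if (!m) continue;
    const { type, realm } = m.groups;
    events[type] ??= {};
    events[type][realm] = (events[type][realm] ?? 0) + 1;
    if (type === 'LOGIN_ERROR') {
      const ip = IP_RE.exec(message)?.groups.ip;
      if (ip) loginErrorsByIp[ip] = (loginErrorsByIp[ip] ?? 0) + 1;
    }
  }
  return { events, loginErrorsByIp };
}

// Sources whose LOGIN_ERROR count reached the threshold: the same log stream
// that feeds the counters also yields a simple failed-login alert.
function noisyAddresses(loginErrorsByIp, threshold) {
  return Object.entries(loginErrorsByIp).filter(([, n]) => n >= threshold).map(([ip]) => ip);
}

const { events, loginErrorsByIp } = countEvents(SAMPLE_LOG);
console.log(events);                      // { LOGIN: { example: 1 }, LOGIN_ERROR: { example: 3 }, LOGOUT: { master: 1 } }
console.log(noisyAddresses(loginErrorsByIp, 3)); // [ '10.0.0.9' ]
```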
  37. Going further. Creative Commons Attribution 2.0 https://www.flickr.com/photos/janitors/15795816662/
  38. Vault + Keycloak: issue short-lived credentials for many backends; secured by Keycloak/OpenID Connect
  39. Extra notes. Creative Commons Attribution-ShareAlike 2.0 https://www.flickr.com/photos/grungepunk/13994397991
  40. Apps are responsible: validate the token; authorize based on the claims
  41. Keycloak is business critical: you introduce a unique login point; think automation, DRP, backups, HA
  42. The "master" realm is all: secure it; don't use the master password! Don't reuse it
  43. Open Source clients: Keycloak Gatekeeper; mod_auth_openidc; GitLab; Vault; Open Distro for Elasticsearch; Grafana (OAuth)
  44. Public OIDC providers: Belgium: FAS (Federal Authentication Service) [+ itsme (private)]; France Connect
  45. Open Source alternatives: GitLab; Dex - https://github.com/dexidp/dex
  46. Conclusion: Single Sign On makes everyone's life easier; OpenID Connect is widespread; Keycloak is batteries-included (OIDC/SAML)
  47. Contact: Julien Pivotto, roidelapluie, roidelapluie@inuits.eu; Inuits, https://inuits.eu, info@inuits.eu