![mtail
counter keycloak_events by type, realm
/"message":"type=(?P<type>[^,]+),
realmId=(?P<realm>[^,]+),/ {
keycloak_events[$type][$realm]++
}](https://image.slidesharecdn.com/osdc2019b-190515203809/75/single-sign-on-with-keycloak-52-2048.jpg?cb=1666660918)
![Public OIDC providers
Belgium: FAS (federal authentication service)
[+ itsme (private)]
France Connect](https://image.slidesharecdn.com/osdc2019b-190515203809/75/single-sign-on-with-keycloak-62-2048.jpg?cb=1666660918)
SIngle Sign On with Keycloak
•14 likes•10,016 views
Report
Share
Download to read offline
Talk given at Open Source Datacenter Conference 2019 about open source iam with Keycloak, a red hat project around OpenID Connect and Saml 2.0
More Related Content
What's hot
What's hot(20)
Similar to SIngle Sign On with Keycloak
Similar to SIngle Sign On with Keycloak(20)
More from Julien Pivotto
More from Julien Pivotto(20)
Recently uploaded
Recently uploaded(20)
SIngle Sign On with Keycloak
- 1. Single Sign On with Keycloak Julien Pivotto (@roidelapluie) OSDC 2019 May 14th, 2019
- 2. @roidelapluie I like Open Source I like monitoring I like automation ... and all of that is my daily job at inuits
- 3. inuits
- 4. Creative Commons Attribution 2.0 https://www.flickr.com/photos/30478819@N08/41858933990
- 5. Passwords for work (reality) 1 password for the "big company mail" 1 password for the "local service" 1 password to log in at customer 3 passwords to legacy service X Y and Z
- 7. Where passwords stay LDAP / AD database Plain text file Database (hashed/salted?) All kind of password managers
- 8. Where passwords go End applications often know the password Basic auth + http between frontend and backend LDAP app: bind with your user
- 12. Is there anything else? PKI 2FA Federation/SSO
- 13. Meanwhile... Creative Commons Attribution 2.0 https://www.flickr.com/photos/ednawinti/25718417460/
- 14. Modern Security requirements (thanks GDPR) Log all the access Principle of least privilege Revoking access 2FA
- 15. Creative Commons Attribution-ShareAlike 2.0 https://www.flickr.com/photos/doctorow/15507274056
- 16. IAM (simplified) Identity: who am I Access: what can I do For people, machines, apps...
- 17. OpenID Connect Standard for authentication and authorization Based around signed tokens Adopted by major actors (public & private)
- 26. Access token / Refresh token Access token grants access to ressources Refresh token allows user to renew the access token
- 27. What are claims? Who you are What you can do (groups, roles, ...) No need to register in the your app first!
- 28. How is that "more" secure? Password goes to a single app (idp) Only claims get out of the idp End application does not have your password Token has short expiry Keycloak allows easy audit and centralize advanced auth mechanism
- 31. A Red Hat Open Source project Identity and Access management OpenID Connect support (but also saml 2.0)
- 32. What is Keycloak really A java app A Wildfly application server (comes as a single package - batteries included!)
- 34. Terminology Realm: set of users, roles, clients, and groups Client: a client application that will use keycloak to authenticate users idp: Identity Provider
- 37. Keycloak Gatekeeper Not all applications support OpenID connect Gatekeeper is a OIDC compatible reverse proxy
- 38. Identity Providers Login with external sources (github, google, gitlab, $COMPANY...) Get claims back from them
- 40. User federation Connect Keycloak with LDAP, freeipa, kerberos...
- 41. Operations Creative Commons Zero https://www.flickr.com/photos/freestocks/25668265836
- 43. ./bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
- 44. ./bin/kcadm.sh get users -r example
- 45. Data Default to H2 (file database) Pick something else for more availability
- 46. Audit Enable auditing in DB Log to file
- 47. <size-rotating-file-handler name="EVENTLOG" autoflush="true"> <formatter> <named-formatter name="json-formatter"/> </formatter> <file relative-to="jboss.server.log.dir" path="events.log"/> <rotate-size value="10M"/> <max-backup-index value="5"/> <append value="true"/> </size-rotating-file-handler>
- 48. <logger category="org.keycloak.events"> <level name="DEBUG"/> <handlers> <handler name="EVENTLOG"/> </handlers> </logger>
- 50. <spi name="eventsListener"> <provider name="jboss-logging" enabled="true"> <properties> <property name="success-level" value="info"/> <property name="error-level" value="warn"/> </properties> </provider> </spi>
- 52. mtail counter keycloak_events by type, realm /"message":"type=(?P<type>[^,]+), realmId=(?P<realm>[^,]+),/ { keycloak_events[$type][$realm]++ }
- 53. Going further Creative Commons Attribution 2.0 https://www.flickr.com/photos/janitors/15795816662/
- 55. Vault + Keycloak Issue short lived credentials for many backends Secured by Keycloak/OpenID Connect
- 57. Extra notes Creative Commons Attribution-ShareAlike 2.0 https://www.flickr.com/photos/grungepunk/13994397991
- 58. Apps are reponsible Validate the token Authorize, based on the claims
- 59. Keycloak is business critical You introduce a unique login point Think automation, DRP, backups, HA
- 60. The "master" realm is all Secure it Don't use master password! Don't reuse it
- 61. Open Source clients Keycloak gatekeeper mod_auth_openidc gitlab vault open distro for elasticsearch grafana (oauth)
- 62. Public OIDC providers Belgium: FAS (federal authentication service) [+ itsme (private)] France Connect
- 63. Open Source alternatives Gitlab Dex - https://github.com/dexidp/dex
- 64. Conclusion Single Sign On makes everyones life easier OpenID Connect is widespread Keycloak is batteries-included (OIDC/SAML)