This document discusses using Keycloak for single sign-on. Keycloak is an open source identity and access management solution that supports OpenID Connect and SAML for authentication. It provides a centralized way for users to log in once and access multiple applications securely. Keycloak acts as an identity provider and issues short-lived access tokens to applications while preventing passwords from being shared directly. It also supports advanced features like user federation, monitoring, and operations.

1. Single Sign On with Keycloak
Julien Pivotto (@roidelapluie)
OSDC 2019
May 14th, 2019

2. @roidelapluie
I like Open Source
I like monitoring
I like automation
... and all of that is my daily job at inuits

3. inuits

4. Creative Commons Attribution 2.0
https://www.flickr.com/photos/30478819@N08/41858933990

5. Passwords for work (reality)
1 password for the "big company mail"
1 password for the "local service"
1 password to log in at customer
3 passwords to legacy service X Y and Z

7. Where passwords stay
LDAP / AD database
Plain text file
Database (hashed/salted?)
All kind of password managers

8. Where passwords go
End applications often know the password
Basic auth + http between frontend and
backend
LDAP app: bind with your user

11. Why passwords
Simple
Legacy
?

12. Is there anything else?
PKI
2FA
Federation/SSO

13. Meanwhile...
Creative Commons Attribution 2.0 https://www.flickr.com/photos/ednawinti/25718417460/

14. Modern Security
requirements
(thanks GDPR)
Log all the access
Principle of least privilege
Revoking access
2FA

15. Creative Commons Attribution-ShareAlike 2.0
https://www.flickr.com/photos/doctorow/15507274056

16. IAM (simplified)
Identity: who am I
Access: what can I do
For people, machines, apps...

17. OpenID Connect
Standard for authentication and authorization
Based around signed tokens
Adopted by major actors (public & private)

26. Access token / Refresh token
Access token grants access to ressources
Refresh token allows user to renew the access
token

27. What are claims?
Who you are
What you can do (groups, roles, ...)
No need to register in the your app first!

28. How is that "more" secure?
Password goes to a single app (idp)
Only claims get out of the idp
End application does not have your password
Token has short expiry
Keycloak allows easy audit and centralize
advanced auth mechanism

29. Well known
https://accounts.google.com/.well-
known/openid-configuration
https://gitlab.com/.well-known/openid-
configuration

31. A Red Hat Open Source project
Identity and Access management
OpenID Connect support (but also saml 2.0)

32. What is Keycloak really
A java app
A Wildfly application server
(comes as a single package - batteries
included!)

34. Terminology
Realm: set of users, roles, clients, and groups
Client: a client application that will use
keycloak to authenticate users
idp: Identity Provider

37. Keycloak Gatekeeper
Not all applications support OpenID connect
Gatekeeper is a OIDC compatible reverse proxy

38. Identity Providers
Login with external sources (github, google,
gitlab, $COMPANY...)
Get claims back from them

40. User federation
Connect Keycloak with LDAP, freeipa, kerberos...

41. Operations
Creative Commons Zero https://www.flickr.com/photos/freestocks/25668265836

42. Configuration
API
kcadm.sh
terraform provider

43. ./bin/kcadm.sh config credentials
--server http://localhost:8080/auth
--realm master --user admin

44. ./bin/kcadm.sh get users -r example

45. Data
Default to H2 (file database)
Pick something else for more availability

46. Audit
Enable auditing in DB
Log to file

47. <size-rotating-file-handler name="EVENTLOG"
autoflush="true">
<formatter>
<named-formatter name="json-formatter"/>
</formatter>
<file relative-to="jboss.server.log.dir"
path="events.log"/>
<rotate-size value="10M"/>
<max-backup-index value="5"/>
<append value="true"/>
</size-rotating-file-handler>

48. <logger category="org.keycloak.events">
<level name="DEBUG"/>
<handlers>
<handler name="EVENTLOG"/>
</handlers>
</logger>

49. <formatter name="json-formatter">
<json-formatter/>
</formatter>

50. <spi name="eventsListener">
<provider name="jboss-logging"
enabled="true">
<properties>
<property name="success-level"
value="info"/>
<property name="error-level"
value="warn"/>
</properties>
</provider>
</spi>

51. Monitoring
Prometheus JMX exporter
Mtail

52. mtail
counter keycloak_events by type, realm
/"message":"type=(?P<type>[^,]+),
realmId=(?P<realm>[^,]+),/ {
keycloak_events[$type][$realm]++
}

53. Going further
Creative Commons Attribution 2.0 https://www.flickr.com/photos/janitors/15795816662/

55. Vault + Keycloak
Issue short lived credentials for many backends
Secured by Keycloak/OpenID Connect

57. Extra notes
Creative Commons Attribution-ShareAlike 2.0 https://www.flickr.com/photos/grungepunk/13994397991

58. Apps are reponsible
Validate the token
Authorize, based on the claims

59. Keycloak is business critical
You introduce a unique login point
Think automation, DRP, backups, HA

60. The "master" realm is all
Secure it
Don't use master password!
Don't reuse it

61. Open Source clients
Keycloak gatekeeper
mod_auth_openidc
gitlab
vault
open distro for elasticsearch
grafana (oauth)

62. Public OIDC providers
Belgium: FAS (federal authentication service)
[+ itsme (private)]
France Connect

63. Open Source alternatives
Gitlab
Dex - https://github.com/dexidp/dex

64. Conclusion
Single Sign On makes everyones life easier
OpenID Connect is widespread
Keycloak is batteries-included (OIDC/SAML)

65. Julien Pivotto
roidelapluie
roidelapluie@inuits.eu
Inuits
https://inuits.eu
info@inuits.eu
Contact