Single sign-on like the big guys
Authenticate Anything
Once your set of internal applications grows greater than an order of 10s, you can end up in a scenario where credentials storage for each service gets out of control. Users might start complaining about how difficult it is to handle multiple passwords, and your day could turn into a password reset ticket nightmare. If you wonder whether a single sign-on (SSO) experience à la Google and Amazon is possible, even at a smaller scale, the answer is "Yes"! Keycloak can do exactly that.
A comprehensive administration introduction to Keycloak appeared previously in ADMIN [1], so in this article you will travel through the other end of the spectrum: How to enable your application with proper SSO, with or without writing code.
The Keycloak Project
Keycloak is a mature free and open source software (FOSS) project whose first production release goes back to the year 2014 [2]. It's largely funded and developed by Red Hat, and it is the software on which their SSO commercial offering is based. The tool's goal is to provide a modern and secure SSO experience for any application on the basis of either the OIDC or SAML framework (see the "OIDC vs. SAML" box).
OIDC vs. SAML
OpenID Connect (OIDC) is the only authentication framework used in this article, although Security Assertion Markup Language (SAML) is widely used and supported, especially in the Enterprise segment. The choice usually falls on OIDC because of its increasing popularity, lightness, and simplifications like data exchange by JSON instead of XML.
Until version 16, inclusive, Keycloak ran on top of the WildFly application server (formerly JBoss). Since version 17, however, the project has shifted to Quarkus, breaking some configurations but gaining in performance and general lightness.
SSO Benefits
You have surely dealt with at least one user management application, the most famous of which is Microsoft Active Directory (see the "User Brokering" box). Moreover, you might have run into independent applications that run their own user databases. With SSO, you can reduce the complexity of working with these applications. The major benefits are:
- Managing your users all in one place
- Applications won't need to store user data or passwords
- Applications will benefit from password management or two-factor authentication out of the box
User Brokering
If Active Directory is where you store your user backend, or you want to set up alternative social logins for your users, Keycloak can act as an authentication broker connected to either LDAP/Kerberos or other SAML/OIDC identity providers. If configured in this way, it will check your credentials against a third party before allowing the underlying application to be accessed.
Getting Started
To begin, you will deploy a Keycloak instance with the official Docker image (see the "Get Docker-Ready" box). The application will be exposed on port 8080 and will use an ad hoc Postgres instance for its data and configuration storage (Listing 1).
Listing 1
Deploying Keycloak
01 version: '2.4' 02 services: 03 keycloak: 04 container_name: keycloak 05 image: quay.io/keycloak/keycloak:17.0.1 06 ports: 07 - 8080:8080 08 environment: 09 - KEYCLOAK_ADMIN=admin 10 - KEYCLOAK_ADMIN_PASSWORD=SOME_PASSWORD 11 - KC_DB=postgres 12 - KC_DB_URL=jdbc:postgresql://postgres:5432/keycloak 13 - KC_DB_USERNAME=postgres 14 - KC_DB_PASSWORD=SOME_DB_PASSWORD 15 command: ["start-dev"] 16 17 postgres: 18 container_name: postgres 19 image: postgres:14 20 environment: 21 - POSTGRES_PASSWORD=SOME_DB_PASSWORD 22 - POSTGRES_DB=keycloak 23 - PGDATA=/var/lib/postgresql/data/pgdata 24 volumes: 25 - pgdata:/var/lib/postgresql/data/pgdata 26 27 volumes: 28 pgdata:
Get Docker-Ready
Throughout the article, I make use of Docker to spin up services quickly and without installing unnecessary packages. To do so, the Docker engine installation is required, which can be accomplished with the one-liner:
# curl -sSL https://get.docker.com | sudo bash -
This command fetches the latest official installation script, detects which Linux distribution you're running, adds the proper package manager repositories, and installs the engine.
Make sure, though, as a conscientious admin, to check the content of a script every time you plan to pipe it directly to sudo bash
.
Once the docker-compose.yml
file is ready, start the service by typing
docker-compose up -d
After the startup phase is complete, you reach the Keycloak admin interface on http://localhost:8080 .
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.