Lead Image © Sergey Nivens, 123RF.com

Lead Image © Sergey Nivens, 123RF.com

Single sign-on like the big guys

Authenticate Anything

Article from ADMIN 69/2022
By
Keycloak is a robust and mature project that provides a modern single sign-on authorization experience and centralized authentication of your apps.

Once your set of internal applications grows greater than an order of 10s, you can end up in a scenario where credentials storage for each service gets out of control. Users might start complaining about how difficult it is to handle multiple passwords, and your day could turn into a password reset ticket nightmare. If you wonder whether a single sign-on (SSO) experience à la Google and Amazon is possible, even at a smaller scale, the answer is "Yes"! Keycloak can do exactly that.

A comprehensive administration introduction to Keycloak appeared previously in ADMIN [1], so in this article you will travel through the other end of the spectrum: How to enable your application with proper SSO, with or without writing code.

The Keycloak Project

Keycloak is a mature free and open source software (FOSS) project whose first production release goes back to the year 2014 [2]. It's largely funded and developed by Red Hat, and it is the software on which their SSO commercial offering is based. The tool's goal is to provide a modern and secure SSO experience for any application on the basis of either the OIDC or SAML framework (see the "OIDC vs. SAML" box).

OIDC vs. SAML

OpenID Connect (OIDC) is the only authentication framework used in this article, although Security Assertion Markup Language (SAML) is widely used and supported, especially in the Enterprise segment. The choice usually falls on OIDC because of its increasing popularity, lightness, and simplifications like data exchange by JSON instead of XML.

Until version 16, inclusive, Keycloak ran on top of the WildFly application server (formerly JBoss). Since version 17, however, the project has shifted to Quarkus, breaking some configurations but gaining in performance and general lightness.

SSO Benefits

You have surely dealt with at least one user management application, the most famous of which is Microsoft Active Directory (see the "User Brokering" box). Moreover, you might have run into independent applications that run their own user databases. With SSO, you can reduce the complexity of working with these applications. The major benefits are:

  • Managing your users all in one place
  • Applications won't need to store user data or passwords
  • Applications will benefit from password management or two-factor authentication out of the box

User Brokering

If Active Directory is where you store your user backend, or you want to set up alternative social logins for your users, Keycloak can act as an authentication broker connected to either LDAP/Kerberos or other SAML/OIDC identity providers. If configured in this way, it will check your credentials against a third party before allowing the underlying application to be accessed.

Getting Started

To begin, you will deploy a Keycloak instance with the official Docker image (see the "Get Docker-Ready" box). The application will be exposed on port 8080 and will use an ad hoc Postgres instance for its data and configuration storage (Listing 1).

Listing 1

Deploying Keycloak

01 version: '2.4'
02 services:
03    keycloak:
04        container_name: keycloak
05        image: quay.io/keycloak/keycloak:17.0.1
06        ports:
07         - 8080:8080
08        environment:
09          - KEYCLOAK_ADMIN=admin
10          - KEYCLOAK_ADMIN_PASSWORD=SOME_PASSWORD
11          - KC_DB=postgres
12          - KC_DB_URL=jdbc:postgresql://postgres:5432/keycloak
13          - KC_DB_USERNAME=postgres
14          - KC_DB_PASSWORD=SOME_DB_PASSWORD
15        command: ["start-dev"]
16
17    postgres:
18        container_name: postgres
19        image: postgres:14
20        environment:
21            - POSTGRES_PASSWORD=SOME_DB_PASSWORD
22            - POSTGRES_DB=keycloak
23            - PGDATA=/var/lib/postgresql/data/pgdata
24        volumes:
25            - pgdata:/var/lib/postgresql/data/pgdata
26
27 volumes:
28    pgdata:

Get Docker-Ready

Throughout the article, I make use of Docker to spin up services quickly and without installing unnecessary packages. To do so, the Docker engine installation is required, which can be accomplished with the one-liner:

# curl -sSL https://get.docker.com | sudo bash -

This command fetches the latest official installation script, detects which Linux distribution you're running, adds the proper package manager repositories, and installs the engine.

Make sure, though, as a conscientious admin, to check the content of a script every time you plan to pipe it directly to sudo bash.

Once the docker-compose.yml file is ready, start the service by typing

docker-compose up -d

After the startup phase is complete, you reach the Keycloak admin interface on http://localhost:8080 .

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Single sign-on with Keycloak
    Google and Facebook are two of the biggest providers for single sign-on on the web, with OAuth2 and OpenID, but if you don't want to put your customers' or employees' data in their hands, Red Hat's Keycloak software lets you run your own operations with the option of integrating existing Kerberos or LDAP accounts.
  • Registry for Docker images
    Running your own registry for Docker images is not difficult. We'll show you how to get started using the free docker_auth software.
  • Azure AD with Conditional Access
    Trust is good, but controls are better. As more flexible working models become widespread, the boundaries of the classic perimeter are blurring and softening existing models of trust for adopting cloud software and data storage or running domain controllers or core applications in the cloud.
  • Secure and seamless server access
    The powerful Cloudflare Tunnel provides secure and seamless access to servers and applications, making it a convenient alternative to VPN for any modern IT infrastructure.
comments powered by Disqus