Single sign-on like the big guys
Authenticate Anything
Once the number of your internal applications grows into the tens, you can end up in a scenario where credential storage for each service gets out of control. Users start complaining about how difficult it is to handle multiple passwords, and your day can turn into a password reset ticket nightmare. If you wonder whether a single sign-on (SSO) experience à la Google and Amazon is possible, even at a smaller scale, the answer is "Yes"! Keycloak can do exactly that.
A comprehensive administration introduction to Keycloak appeared previously in ADMIN [1], so in this article you will travel through the other end of the spectrum: How to enable your application with proper SSO, with or without writing code.
The Keycloak Project
Keycloak is a mature free and open source software (FOSS) project whose first production release goes back to the year 2014 [2]. It's largely funded and developed by Red Hat, and it is the software on which their SSO commercial offering is based. The tool's goal is to provide a modern and secure SSO experience for any application on the basis of either the OIDC or SAML framework (see the "OIDC vs. SAML" box).
OIDC vs. SAML
OpenID Connect (OIDC) is the only authentication framework used in this article, although Security Assertion Markup Language (SAML) is widely used and supported, especially in the Enterprise segment. The choice usually falls on OIDC because of its increasing popularity, lightness, and simplifications like data exchange by JSON instead of XML.
Until version 16, inclusive, Keycloak ran on top of the WildFly application server (formerly JBoss). Since version 17, however, the project has shifted to Quarkus, breaking some configurations but gaining in performance and general lightness.
SSO Benefits
You have surely dealt with at least one user management application, the most famous of which is Microsoft Active Directory (see the "User Brokering" box). Moreover, you might have run into independent applications that run their own user databases. With SSO, you can reduce the complexity of working with these applications. The major benefits are:
- Managing your users all in one place
- Applications won't need to store user data or passwords
- Applications will benefit from password management or two-factor authentication out of the box
User Brokering
If Active Directory is where you store your user backend, or you want to set up alternative social logins for your users, Keycloak can act as an authentication broker connected to either LDAP/Kerberos or other SAML/OIDC identity providers. If configured in this way, it will check your credentials against a third party before allowing the underlying application to be accessed.
Getting Started
To begin, you will deploy a Keycloak instance with the official Docker image (see the "Get Docker-Ready" box). The application will be exposed on port 8080 and will use an ad hoc Postgres instance for its data and configuration storage (Listing 1).
Listing 1
Deploying Keycloak
version: '2.4'
services:
  keycloak:
    container_name: keycloak
    image: quay.io/keycloak/keycloak:17.0.1
    ports:
      - 8080:8080
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=SOME_PASSWORD
      - KC_DB=postgres
      - KC_DB_URL=jdbc:postgresql://postgres:5432/keycloak
      - KC_DB_USERNAME=postgres
      - KC_DB_PASSWORD=SOME_DB_PASSWORD
    # start-dev runs Keycloak in development mode (HTTP, no hostname checks)
    command: ["start-dev"]

  postgres:
    container_name: postgres
    image: postgres:14
    environment:
      - POSTGRES_PASSWORD=SOME_DB_PASSWORD
      - POSTGRES_DB=keycloak
      - PGDATA=/var/lib/postgresql/data/pgdata
    volumes:
      - pgdata:/var/lib/postgresql/data/pgdata

volumes:
  pgdata:
Get Docker-Ready
Throughout the article, I make use of Docker to spin up services quickly and without installing unnecessary packages. To do so, the Docker engine installation is required, which can be accomplished with the one-liner:
# curl -sSL https://get.docker.com | sudo bash -
This command fetches the latest official installation script, detects which Linux distribution you're running, adds the proper package manager repositories, and installs the engine.
Make sure, though, as a conscientious admin, to check the content of a script every time you plan to pipe it directly to sudo bash.
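One way to put that advice into practice, as an added example that is not part of the article: download the installer to disk first, read it, record its SHA-256, and let a small wrapper refuse to run it with sudo if the content has changed since you reviewed it. It assumes curl plus either sha256sum or shasum are available; SCRIPT_FILE and the PINNED_SHA256 value in the usage comments are placeholders you fill in yourself.

```shell
#!/bin/sh
# Added example (not from the article): review-then-pin wrapper for a remote
# install script, instead of piping curl straight into sudo bash.
set -eu

SCRIPT_URL="https://get.docker.com"            # URL from the article
SCRIPT_FILE="${TMPDIR:-/tmp}/get-docker.sh"    # constructed local path (assumption)

# SHA-256 of a file; works with GNU coreutils (sha256sum) or BSD/macOS (shasum).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Returns 0 when the file's digest equals the pinned value, 1 otherwise.
verify_script_digest() {
    local file="$1" expected="$2"
    local actual
    actual="$(file_sha256 "$file")"
    [ "$actual" = "$expected" ]
}

# Fetch the script once to disk, so what you read is exactly what you run.
fetch_script() {
    curl -fsSL "$SCRIPT_URL" -o "$SCRIPT_FILE"
}

# Execute the downloaded script only if it still matches the digest you pinned
# after reading it; otherwise stop and ask for a fresh review.
run_reviewed_script() {
    local expected="$1"
    if verify_script_digest "$SCRIPT_FILE" "$expected"; then
        sudo bash "$SCRIPT_FILE"
    else
        echo "refusing to run $SCRIPT_FILE: digest differs from the reviewed version" >&2
        echo "read it again (less $SCRIPT_FILE) and update the pinned digest" >&2
        return 1
    fi
}

# Manual workflow (kept as comments so the file is safe to source):
#   fetch_script
#   less "$SCRIPT_FILE"                    # review the installer
#   file_sha256 "$SCRIPT_FILE"             # record the output as PINNED_SHA256
#   run_reviewed_script "$PINNED_SHA256"   # placeholder: the digest you recorded
```

The pin is only as good as the review behind it, but it turns a one-off "I looked at it once" into a check that fails loudly the next time the upstream script changes.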
Once the docker-compose.yml file is ready, start the service by typing
docker-compose up -d
After the startup phase is complete, you can reach the Keycloak admin interface at http://localhost:8080.
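Rather than refreshing the browser until the admin console appears, the following added example (my own script, not from the article) polls the instance from Listing 1 until it answers and then reads the master realm's OIDC discovery document, the JSON exchange the "OIDC vs. SAML" box refers to. It checks that the advertised issuer equals the URL you will hand to your applications, because a mismatch there (typically a hostname or reverse-proxy setting that differs from what clients use) is a common reason logins fail later. Assumptions: Keycloak 17 on Quarkus serves realms under /realms/<name> without the older /auth prefix, curl is installed, and jq is not required; the JSON in the usage notes is constructed.

```shell
#!/bin/sh
# Added example (not from the article): wait for Keycloak, then sanity-check the
# OIDC discovery document of the master realm.
set -eu

KEYCLOAK_URL="${KEYCLOAK_URL:-http://localhost:8080}"   # port from Listing 1
REALM="${REALM:-master}"                                 # built-in admin realm
DISCOVERY="$KEYCLOAK_URL/realms/$REALM/.well-known/openid-configuration"

# Extract one string-valued field from a JSON document on stdin without jq.
# Works for both compact (single-line) and pretty-printed documents.
json_string_field() {
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Poll the discovery endpoint until it returns HTTP 200 or the retry budget is spent.
wait_for_keycloak() {
    local tries="${1:-30}" i=0
    while [ "$i" -lt "$tries" ]; do
        if curl -fsS -o /dev/null "$DISCOVERY"; then
            return 0
        fi
        i=$((i + 1))
        sleep 2
    done
    echo "Keycloak did not become ready after $tries attempts" >&2
    return 1
}

# Returns 0 when the issuer in the discovery JSON ($1) equals the expected URL ($2).
issuer_matches() {
    local issuer
    issuer="$(printf '%s' "$1" | json_string_field issuer)"
    [ "$issuer" = "$2" ]
}

main() {
    wait_for_keycloak
    doc="$(curl -fsS "$DISCOVERY")"
    expected="$KEYCLOAK_URL/realms/$REALM"
    if issuer_matches "$doc" "$expected"; then
        echo "issuer OK: $expected"
    else
        echo "issuer mismatch: $(printf '%s' "$doc" | json_string_field issuer)" >&2
        exit 1
    fi
    # The two endpoints every OIDC client needs from this document.
    echo "authorization_endpoint: $(printf '%s' "$doc" | json_string_field authorization_endpoint)"
    echo "token_endpoint:         $(printf '%s' "$doc" | json_string_field token_endpoint)"
}

# Run with:  sh keycloak-ready.sh run   (no network access when merely sourced)
case "${1:-}" in
    run) main ;;
esac
```

Set KEYCLOAK_URL to the public address once you place Keycloak behind a TLS-terminating proxy; the issuer check then tells you immediately whether the instance agrees with that address.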