ENTERPRISE SECURITY WITH KEYCLOAK

From the Intranet to Mobile

 

By Divya Mehra and Stian Thorgersen

PROJECT TIMELINE

Agenda

THE OLD WAY

  • Securing monolithic web app relatively easy
  • Username and password form
  • Credentials verified against table in DB
  • HTTP Session stores security context

IT'S NOT JUST A FORM AND A TABLE ANYMORE

  • Enterprise software has changed
  • No longer one or two apps inside firewall
  • Now we have many separate systems
  • Exposed to mobile users and partners

THE NEW WAY?

  • Multiple apps
  • Multiple variants of each app
  • Multiple services
  • Multiple user dbs
  • Multiple logins
  • Outside firewall

AUTHENTICATION

  • Passwords not sufficient
  • Users create bad passwords (123456 and password)
  • Password policies help, but no guarantee
  • Users reuse passwords
  • Passwords can be lost
  • Secure storage is required
  • Need two-factor authentication

APP TYPES

Have to deal with many apps, variants and programming languages

  • Client-side and server-side web
  • Mobile (native and hybrid)
  • APIs/Services
  • ...

MOBILE

  • Users don't want to log in frequently
  • Don't store username and password on phone
  • What if device is lost?
  • Sessions and cookies aren't ideal
  • Requires public services

SINGLE SIGN-ON

  • Not as trivial as it may seem
  • Single Sign-Out can be even harder
  • Need Remote Sign-Out

MANAGE

  • Apps
  • Services
  • Users
  • Devices
  • Permissions
  • Sessions and logs

and... ideally manage everything from one console

Self service

  • Users can manage their own accounts
  • Recover password
  • Update profile
  • Enable two-factor authentication
  • Manage sessions
  • Account history


Integration

  • Third party apps
  • Existing Infrastructure
  • New Infrastructure after acquisition
  • External users
  • Social networks

Vulnerabilities

  • Broken Authentication and Session Management is #2 on Open Web Application Security Project (OWASP) Top Ten list
  • Recommendation is to not implement your own!

protocols

  • OpenID Connect
  • SAML 2.0

OPENID CONNECT

  • Built on OAuth 2.0
  • RESTful
  • JSON
  • Easy to use
  • Less mature - final spec released last year

SAML 2.0

  • XML
  • Harder to use and understand
  • Mature - 1.0 was adopted as an OASIS standard in 2002

Tokens

  • Decouples authentication
  • Cross-domain
  • Stateless
  • Only sent when needed
  • Standards based

authentication

  • Authenticate with Keycloak
  • Login forms provided by Keycloak
  • Two-factor authentication
  • Requires SSL
  • Passwords are salted and hashed with PBKDF2
    • Iterations configurable

<button onclick="keycloak.login()">Login</button>

Welcome App

Login to Keycloak realm

Logged-in to Welcome App

APP integration

  • Keycloak Client Adapters
  • Keycloak Proxy
  • OpenID Connect Resource Provider library
  • SAML Service Provider library

CLIENT ADAPTERS

  • JBoss EAP & WildFly
  • JBoss Fuse
  • JBoss BRMS
  • JavaScript
  • NodeJS
  • Mobile (Apache Cordova and Native)
  • Spring
  • Tomcat, Jetty
  • More coming (contributions welcome!)

EXAMPLE

  • Simple example to demonstrate features
  • Two HTML5 applications
  • RESTful services deployed to WildFly

ADMIN CONSOLE

  • Configure and manage everything from one console
  • Including settings, applications, services, users, permissions and sessions

Admin Console - Realm settings

Admin Console - Clients

Admin Console - Client settings

Admin Console - User settings

Admin Console - User role mappings

ACCOUNT MANAGEMENT

A console for users to manage their own account 

Account Management - Profile

Account Management - Password

Account Management - Applications

Account Management - Account history

Single sign-on

  • Web SSO
  • Enterprise/Desktop SSO Bridge (Kerberos)
  • Single Sign-Out
  • Remote Sign-Out

Themes

  • Brand login pages and account management to integrate with your corporate brand
  • HTML templates for more than just styling

Login - Default theme

Admin Console - Configure theme

Login - Summit theme

LOGIN FLOWS

  • Required actions
  • Recover password
  • Two factor authentication
  • Registration

Admin Console - Login settings

Login - Extra features enabled

Login - Configure two factor authentication

Login - Update profile

Password policies

  • Set required complexity for passwords
  • Prevent reuse of old passwords
  • Require regular updating of passwords
  • Set hashing intervals

Admin Console - Password policies

Login - invalid password update

user federation

  • Sync users with external directories
  • Read-only or read-write

Admin Console - Add LDAP user federation

Admin Console - User federation

identity brokering

  • Allow external users to sign on
  • Supports sign-on with social networks

Admin Console - Add SAML Identity Provider

Admin Console - Identity Providers

Login - Identity Brokering

MAPPERS

  • Customize tokens
  • Map claims and attributes from external tokens
  • Map attributes and groups from LDAP

Admin Console - Token mappers

Admin Console - Identity Provider mappers

Admin Console - LDAP mappers

vulnerabilities

  • Standard Protocols
  • Built-in Brute Force protection
  • Integrate with Intrusion Detection
  • Protected against known attacks
  • Patches

Enterprise Security with Keycloak

By Stian Thorgersen
