Introduction to Keycloak

Keycloak is an open source software product to allow single sign-on with Identity and Access Management aimed at modern applications and services. As of March 2018 this JBoss community project is under the stewardship of Red Hat who use it as the upstream project for their RH-SSO product.

The features of Keycloak include:

  • User Registration
  • Social login
  • Single Sign-On/Sign-Off across all applications belonging to the same Realm
  • 2-factor authentication
  • LDAP integration
  • Kerberos broker
  • multitenancy with per-realm customizable skin

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.

True single sign-on allows the user to log in once and access services without re-entering authentication factors.

It should not be confused with same-sign on (Directory Server Authentication), often accomplished by using the Lightweight Directory Access Protocol (LDAP) and stored LDAP databases on (directory) servers.

A simple version of single sign-on can be achieved over IP networks using cookies but only if the sites share a common DNS parent domain.

For clarity, a distinction is made between Directory Server Authentication (same-sign on) and single sign-on: Directory Server Authentication refers to systems requiring authentication for each application but using the same credentials from a directory server, whereas single sign-on refers to systems where a single authentication provides access to multiple applications by passing the authentication token seamlessly to configured applications.

Conversely, single sign-off or single log-out (SLO) is the property whereby a single action of signing out terminates access to multiple software systems.

As different applications and resources support different authentication mechanisms, single sign-on must internally store the credentials used for initial authentication and translate them to the credentials required for the different mechanisms.

Other shared authentication schemes, such as OpenID and OpenID Connect, offer other services that may require users to make choices during a sign-on to a resource, but can be configured for single sign-on if those other services (such as user consent) are disabled. An increasing number of federated social logons, like Facebook Connect, do require the user to enter consent choices upon first registration with a new resource, and so are not always single sign-on in the strictest sense.

Identity management (IdM), also known as identity and access management (IAM or IdAM), is a framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and authorize individuals who will be utilizing IT resources, but also the hardware and applications employees need to access. Identity and access management solutions have become more prevalent and critical in recent years as regulatory compliance requirements have become increasingly more rigorous and complex.

It addresses the need to ensure appropriate access to resources across increasingly heterogeneous technology environments and to meet increasingly rigorous compliance requirements.

The terms “identity management” (IdM) and “identity and access management” are used interchangeably in the area of identity access management.

Identity-management systems, products, applications and platforms manage identifying and ancillary data about entities that include individuals, computer-related hardware, and software applications.

IdM covers issues such as how users gain an identity, the roles and, sometimes, the permissions that identity grants, the protection of that identity and the technologies supporting that protection (e.g., network protocols, digital certificates, passwords, etc.

The first production release of Keycloak was in September 2014, with development having started about a year earlier. In 2016 Red Hat switched the RH SSO product from being based on the PicketLink framework to being based on the Keycloak upstream Project. This followed a merging of the PicketLink codebase into Keycloak.

To some extent Keycloak can now also be considered a replacement of the Red Hat JBoss SSO open source product which was previously superseded by PicketLink. As of March 2018 JBoss.org is redirecting the old jbosssso subsite to the Keycloak website. The JBoss name is a registered trademark and Red Hat moved its upstream open source projects names to avoid using JBoss, JBoss AS to Wildfly being a more commonly recognized example.

The above is a brief about Keycloak. Watch this space more updates on the latest trends in Technology.

Leave a Reply

Your email address will not be published. Required fields are marked *