Digitalisation – why we need structure in addition to Keycloak & Co.

An article by Stephanie Ta, Syntlogo GmbH:

Today, many successful operators rely on Keycloak. However, it is only the first step towards a holistic IAM system, because the requirements have increased due to modern digitalisation and data protection requirements. For this reason, we support companies on the path to digitalisation – so that they can efficiently and securely build their digital infrastructure for customers and partners.

Use digital developments to your advantage

Established operators of e-commerce platforms on the internet are aware of the most important system functions for managing their customer data. They use systems that already include log-in, administration and many necessary access and identity management functionalities. However, such programmes are almost always associated with high licensing costs and fixed functions. This ties companies to an expensive, yet inflexible system. As an alternative, some elect to self-programme solutions where everything can be customised, but that requires a lot of resources and time.

Keycloak – the secret weapon in digitalisation

The open-source SSO-community solution Keycloak, which has been sponsored by Red Hat for several years, is often eagerly used as an “IAM system”. The open-source software provides state-of-the-art functionalities and is very flexible and easy to integrate. The concrete benefits of using Keycloak as the basis for an IAM system can be found here: Keycloak – a valuable open source tool for your identity and access management

Many advantages of Keycloak are obvious:

• Open-source software:
  • Security vulnerabilities are quickly identified and exposed
  • Open standards and interfaces ensure interoperability
  • Flexibility in deploying, learning, extending and distributing the software

Read more details (in German) from the German Federal Office for Information Security.

• Inexpensive, powerful and always updated solution
• The latest security standards already in place (SSO, OpenID Connect, OAuth2, JWT and more)
• Scalable to a higher number of users (in the millions), especially a high number of MAUs (Monthly Active Users)
• Comprehensive Identity Brokering with various identity providers

These and many other advantages make a good case for Keycloak. That is why companies are increasingly using the open-source solution to secure web applications and portals. After selecting Keycloak, there is a lot to do, starting with planning the implementation project.

Keycloak implementation: not as easy as it seems

Setting up and integrating Keycloak requires a lot of know-how, which you acquire on your own or through consultants during the IAM project. However, many companies are not aware that it is not sufficient on its own if you want a holistic and modern IAM solution. For example, one can cite the rudimentary user administration of Keycloak. It meets the requirements for a very small number of users (less than 1,000), although it may appear that Keycloak can also handle larger numbers. There is often some confusion here, because that only applies to:

• Authentication – the entry of a password or credentials via a “Keycloak” frontend and authentication – the verification of the password / credentials by Keycloak
• Both of the above processes, even if many users are active at the same time (parallel sessions) and want to log in
• Registration and “first-time” authentication

This enables users to access protected contents of a portal – also called Access Management (AMS). For subsequent tasks and processes, however, Keycloak needs additional support or intelligent IMS components for expansion. Such as for:

• Authorisation – the management of access rights, the allocation of authorisations for large numbers of users and / or for complex user structures
• The limited, inflexible use of certain data models that turn out to be a bottleneck, e.g. through the classic use of user groups (RBAC)
• The connection to several external data sources
• The use of a simple database that has reached its limits for certain system requirements. An affiliated database stores the user data and credentials as well as their changes. This also applies to registration and storing additional users and their data.

We refer to the area mentioned here as User Management or Identity Management System (IMS).

Keycloak + identity modules for a comprehensive IAM System

Even those who want to renew portals and web applications or switch to Keycloak usually only think of the classic areas: Login, registration and connecting Keycloak to a directory service or database. However, one can reap huge advantages by implementing further identity components in addition to Keycloak. With “Keycloak-only”, many companies also reach their security limits for their online offers. For example, complex or enterprise structures require other solutions for the organisation of access rights. The assignment of standard roles as in Keycloak is not sufficient. This is the case, for example, with networking or hierarchies with different authorisations in the B2B area for a partner portal. The migration of user data and passwords from legacy systems, which is almost always required, calls for individual programme components that a “Keycloak first-time user” can hardly create on their own. Securing (hardening) a Keycloak installation also requires professional guidance from experts. Legal issues from the area of audit & compliance or the EU-GDPR (EU General Data Protection Regulation) require important modules and functions of a CIAM solution (Customer Identity & Access Management). This requirement for web applications goes far beyond keycloak functions.

Keycloak and enhancements: the devil’s in the details

Therefore, we recommend a comprehensive analysis of the existing infrastructure and the applications to be included. In addition, a precise list of the requirements for the new digital landscape. This is followed by careful planning of the desired architecture. And then a timely execution for the integration of Keycloak as well as additional components. This is especially difficult for smaller and medium-sized companies. They have neither their own IAM or security experts nor project managers for this area. In addition, there are often the following stumbling blocks:

• Applications and software are difficult to integrate because they are outdated and/or contain proprietary interfaces. They cannot always be connected smoothly or embedded in the new environment.
• The existing and the desired infrastructure should be put to the test. The situation may require unforeseen changes.

In summary: the integration of Keycloak into existing IT structures is always an individual task that requires appropriate expertise.

The digital revolution is leading to a rethink of existing IT strategies.

With the renewal or opening of web portals, options arise to move applications to the cloud. The other option is on-premises. Companies can of course operate their own hardware with all the consequences of on-premises operation.

The planning of a Keycloak implementation project includes, for example, considerations about how and where to store the credentials and user data. Do you want to connect Keycloak to your own database, to an LDAP server or to an Active Directory? These and many other questions are often asked by our customers when they are already in the middle of the implementation phase of a – usually urgent – web project.