An article by Stephanie Ta, Syntlogo GmbH:
Today, many successful operators rely on Keycloak. However, it is only the first step towards a holistic IAM system, because the requirements have increased due to modern digitalisation and data protection requirements. For this reason, we support companies on the path to digitalisation – so that they can efficiently and securely build their digital infrastructure for customers and partners.
Use digital developments to your advantage
Established operators of e-commerce platforms on the internet are aware of the most important system functions for managing their customer data. They use systems that already include login, administration and many necessary access and identity management functionalities. However, such programmes are almost always associated with high licensing costs and fixed functions. This ties companies to an expensive, yet inflexible system. As an alternative, some elect to self-programme solutions where everything can be customised, but that requires a lot of resources and time.
Keycloak – the secret weapon in digitalisation
Red Hat has been sponsoring the open-source SSO-community solution Keycloak for years. It is often eagerly used as an “IAM system”. The open-source software provides state-of-the-art functionalities and is very flexible and easy to integrate. The concrete benefits of using Keycloak as the basis for an IAM system can be found here: Keycloak – a valuable open source tool for your identity and access management
Many advantages of Keycloak are obvious:
- Security vulnerabilities are quickly identified and exposed
- Open standards and interfaces ensure interoperability
- Flexibility in deploying, learning, extending and distributing the software
Read more details from the German Federal Office for Information Security.
- Inexpensive, powerful and always updated solution
- The latest security standards already in place (SSO, OpenID Connect, OAuth2, JWT and more)
- Scalable to a higher number of users (in the millions), especially for a high number of MAUs (Monthly Active Users)
- Comprehensive Identity Brokering with various identity providers (AD, Facebook, LinkedIn, etc.)
These and many other advantages make a good case for Keycloak. That is why companies are increasingly using the open-source solution to secure web applications and portals. After selecting Keycloak, there is a lot to do, starting with planning the implementation project.
Keycloak implementation: not as easy as it seems
Setting up and integrating Keycloak requires a lot of know-how, which you acquire on your own or through consultants during the IAM project. However, many companies are not aware that it is not sufficient on its own if you want a holistic and modern IAM solution.
For example, one can cite the rudimentary user administration of Keycloak. It meets the requirements for a very small number of users (less than 1,000), although it may appear that Keycloak can also handle larger numbers. There is often some confusion here, because that only applies to:
- Authentication – the entry of a password or credentials via a “Keycloak” frontend and authentication – the verification of the password / credentials by Keycloak
- Both of the above processes, even if many users are active at the same time (parallel sessions) and want to log in
- Registration and “first-time” authentication
This enables users to access protected contents of a portal – also called Access Management (AMS).
For subsequent tasks and processes, however, Keycloak needs additional support or intelligent IMS components for expansion. Such as for:
- Authorisation – the management of access rights, the allocation of authorisations for large numbers of users and / or for complex user structures
- The limited, inflexible use of certain data models that turn out to be a bottleneck, e.g. through the classic use of user groups (RBAC)
- The connection to several external data sources
- The use of a simple database that has reached its limits for certain system requirements. An affiliated database stores the user data and credentials as well as their changes. This also applies to registration and storing additional users and their data.
We refer to the area mentioned here as User Management or Identity Management System (IMS).
Keycloak + identity modules for a comprehensive IAM System
Even those who want to renew portals and web applications or switch to Keycloak usually only think of the classic areas: Login, registration and connecting Keycloak to a directory service or database. However, one can reap huge advantages by implementing further identity components in addition to Keycloak. With “Keycloak-only”, many companies also reach their security limits for their online offers.
For example, complex or enterprise structures require other solutions for the organisation of access rights. The assignment of standard roles as in Keycloak is not sufficient. This is the case, for example, with networking or hierarchies with different authorisations in the B2B area for a partner portal.
The migration of user data and passwords from legacy systems, which is almost always required, calls for individual programme components that a “Keycloak first-time user” can hardly create on their own. Securing (hardening) a Keycloak installation also requires professional guidance from experts.
Legal issues from the area of audit & compliance or the EU-GDPR (EU General Data Protection Regulation) require important modules and functions of a CIAM solution (Customer Identity & Access Management). This requirement for web applications goes far beyond Keycloak functions.
Keycloak and enhancements: the devil’s in the details
Therefore, we recommend a comprehensive analysis of the existing infrastructure and the applications to be included. In addition, a precise list of the requirements for the new digital landscape. This is followed by careful planning of the desired architecture. And then a timely execution for the integration of Keycloak as well as additional components.
This is especially difficult for smaller and medium-sized companies. They have neither their own IAM or security experts nor project managers for this area. In addition, there are often the following stumbling blocks:
- Applications and software are difficult to integrate because they are outdated and/or contain proprietary interfaces. They cannot always be connected smoothly or embedded in the new environment.
- The existing and the desired infrastructure should be put to the test. The situation may require unforeseen changes.
In summary: the integration of Keycloak into existing IT structures is always an individual task that requires appropriate expertise.
The digital revolution is leading to a rethink of existing IT strategies.
With the renewal or opening of web portals, options arise to move applications to the cloud. The other option is on-premises. Companies can of course operate their own hardware with all the consequences of on-premises operation.
The planning of a Keycloak implementation project includes, for example, considerations about how and where to store the credentials and user data. Do you want to connect Keycloak to your own database, to an LDAP server or to an Active Directory? These and many other questions are often asked by our customers when they are already in the middle of the implementation phase of a – usually urgent – web project.
How we bring you to the forefront of security technology.
In order to successfully introduce Keycloak and a CIAM system right from the start, we offer our customers the 3-Point Check.
The check is free of charge and serves to prepare you and us for the project in a structured way. First, we carry out a detailed inventory and requirements analysis within one to two days. We enter relevant data and facts into the 3-Point Check for for better clarity. Such information primarily includes basic system information on the application landscape, the user registries / repositories and the (legacy) applications themselves that the customer wants to connect. Beyond general system information, e.g. which platform the customer is working with or how high the number of users is, it is also important to consider process information from the area of identity management services, e.g. how user objects are maintained or whether there is a user self-service. In the case of a user registry or an application, the associated user roles are also relevant, if they have already been defined. Mostly they are implemented by the traditional RBAC-Modell (group-based).
These and similar questions are enormously important, especially for setting up online services. However, they are usually not obvious. In a digital project, such issues are often neglected, but they are “core IAM issues” – regardless of the fact that they are usually not considered by and not within the core expertise of those introducing the digital project.
Why is there a 3-Point Check?
The 3-Point Check familiarises us with our customers’ organisation, their existing authorisation structure, and their infrastructure. Using this information, we create a bespoke offer that enables us to accurately cater to individual customer needs. In addition, we create a free Start & Go checklist.
This checklist roughly outlines the topology, that is: the desired infrastructure for Keycloak, the extended IMS components and their touchpoints. After that, we define a suitable solution for the IAM project and divide project milestones into individual work packages. Every company benefits from this structuring. Our clients benefit from knowing the time required, the costs and what they must contribute. They also gain a much better understanding of the entire project. They can plan accordingly with a suitable target and security architecture. They also receive detailed documentation. This ensures a secure transition to live operation and aids in the maintenance and care of the new application landscape.
1. Detailed inventory & requirements analysis
2. Identification of the Login-Master modules that are right for you
3. Start & Go checklist – so that your Login-Master goes live soon!
Read more about Digitalisation and Security in our blog.
Do you want to navigate on the safe side with your web project?
Keeping it simple, user friendly and professional? We can help.