How to extend Keycloak with professional IAM functions

10 February 2019

Which Keycloak extensions you need to build a professional IAM solution: Keycloak compared to login-master

Keycloak is used in numerous projects for authentication and authorisation in Web applications. Login-master is based on Keycloak and supplements its functionality in relevant areas such as user management and access control. In that way it creates a suitable identity and access management solution for enterprise requirements.

Keycloak is an open source solution for identity and access management (IAM), which is geared towards the development of modern applications and services. The community version provided by Red Hat is available as open source under the name Keycloak. There is also a chargeable/commercial version from Red Hat: Red Hat SSO (Single Sign-On).

There are numerous projects in which Keycloak is used to protect Web portals, whether in e-commerce, B2B or the public sector. This is understandable, because Keycloak provides extensive functions such as quick and reliable authentication, protection of (Web) applications and much more.

The Red Hat project, which has existed for more than four years (10 September 2014), arose from the merger of PicketLink with the newly created SSO solution, Keycloak. PicketLink had the objective of ensuring the security and protection of Java applications.

We at the Login Alliance have worked with Keycloak for more than three years. We evaluated the single sign-on solution (SSO solution) from Red Hat and evaluated various other systems. In addition, several of our customers chose Keycloak, because it is secure, modern, very reliable and easy to use.

Is Keycloak a complete enterprise IAM solution? 

Many companies would like to use one of the two Red Hat solutions as an IAM system. They ask themselves why we don’t exclusively use Keycloak as a holistic IAM solution. Ultimately, this solution already contains user and access management out-of-the-box.

The reason is obvious: From our many years of experience, we know that the Keycloak components merely satisfy simple, rudimentary requirements. They are mostly not sufficient for more complex enterprise applications and portals. For example, the Keycloak functions fall far short of the requirements of data protection in accordance with the European General Data Protection Regulation (EU-GDPR).

Can Keycloak form the basis of an enterprise IAM solution?

Red Hat writes the following about this: “RH SSO should be able to cover most use-cases using native functionality; however, the reality of enterprise environments is that customizations are usually required. This is especially true when dealing with web-based applications.”

This appraisal by Red Hat coincides with the requirements of enterprise customers, because they want:

  • a higher level of automation, especially for user lifecycle management
  • advanced possibilities for user self-service
  • advanced access management, greatly automated
  • an option to use delegated administrators (“delegated administration”)
  • workflows to integrate events and approvals into company processes
  • a MetaDirectory and the provision of legacy applications for the integration of data sources.

Neither Keycloak nor Red Hat SSO offer any of the given functionalities out-of-the-box.

For this reason, we at the Login Alliance decided to use Keycloak as the basis and to augment it with the functionalities given above. We show you how to extend Keycloak with user management into a holistic IAM solution.

We have expanded user management.

a) User self-services and the GDPR

GDPR laws have regulated the storage and use of personal data since 25 May 2018. They are mandatory for all companies that process or store personal data of EU citizens. Therefore, every identity management system should provide GDPR support.

Keycloak does not provide any comprehensive GDPR support.

Therefore, we implemented complete GDPR support. This includes consent for the storage of personal data. Furthermore, there is the possibility to view it and correct it if necessary at any time, and also the option to retrieve the privacy policy again. In addition, a user can download his personal data securely.

The user can exercise the “right to be forgotten” in our system.

If a user wants the complete deletion of his data, then this is carried out easily, quickly and above all automatically. The “forget me” process includes all applications that are linked to Login-Master.

Password strength ranking

With Keycloak, it is possible to rank a password according to its strength depending on the requirements of the established password policy.

Weak passwords are a major risk during registration or when a password is changed. That is because users use them without thinking. A refined password policy is no help against this.

A dedicated appliance of ours checks the newly entered password. The system accepts the password only if the appliance cannot crack it.

The quality of user data

The following question is frequently asked: How good is the quality of the user data? Users often cheat regarding their names, ages or other characteristics. Therefore, companies want to work with correct user data, especially for important online transactions. For example, it is that much more difficult to collect outstanding payments if a user entered his name or address incorrectly.

Keycloak checks an e-mail address through the double opt-in process. Other user data is not checked.

On the whole, Keycloak does not have an option to check the data quality.

There are various options to check user data.

We chose to offer checking the user data by means of the Postident online process of Deutsche Post.

That is the only process that makes it possible to go beyond storing normal user data and even enables age verification.

b) User login

One of the critical aspects in connection with the security of Web portals is the authentication process.

Keycloak exceeds many SSO solutions on this point…

… and offers a solid foundation for further expansion of implementations for 2-factor authentication. We personalise the login process according to the customer’s wishes. We generate login workflows for the integration of new technologies.

c) Access rights

After defining a default role, there is a minimalistic approach in Keycloak for the administration of user roles:

There is actually only the administration console – a limited tool for the management of less than a couple of hundred users.

Naturally, a Java developer can expand this through programming, especially when a Keycloak implementation project is (as is so often the case) under time pressure, or when an existing platform has to be migrated in the shortest possible time. In the long run, a company will require a more extensive solution. Just think about the many identities in the Internet of Things (IoT).

In the long term, there should be the possibility to grant or revoke roles automatically, at best based on attributes. Or, a user should have the possibility to make a request, e.g. to add another role. That means to apply for extended or other rights in the system. Such complex access management calls for a major investment and also time for the implementation.

There is good news for anyone already using access management: Synchronisation of the access rights from an existing system is possible. And this is not by means of importing, but rather synchronising.

Especially in this area, it makes sense to work with experts who have dealt with security in the Web for decades and who ensure the security that you expect.

d) Existing users

Everything begins with the registration. Programming is necessary to perform a user migration or the synchronisation of user data.

Keycloak does not know any “existing users”.

Our “ready-to-use approach” is the implementation of a complete metadirectory and synchronisation of the existing user base with that of Keycloak.

In the process, the users and their access rights are synchronised. This requires no complex development work of your own as a Keycloak user.

e) Processes in the backend

If you need a separate process, then Keycloak offers you wonderful REST interfaces.

If you need an automatic process to perform regular actions, then Keycloak leaves you on your own for this.

We use automatable workflows for starting the backend processes and for implementation of different, frequently occurring tasks.

They are:

  • housekeeping
  • removal of expired access rights
  • reminder to users to change an old password or about an expiring contract

And, it goes without saying that all of this is multilingual and equipped with easily adaptable e-mail templates.

f) Delegated administration

Keycloak knows no delegated administration.

We expand Keycloak to have refined delegated administration.

In it, we define user units. We define one or more administrators for each community. They can invite other registered users into the community. They are authorised to grant or revoke specific access rights. In addition, they can exclude users from a community.

The result is prompt administration of user communities. This function is used for projects and business partners, suppliers or also families whose users are members of a common portal.

Keycloak manages user access – Login-Master the entire identity management process

Does Keycloak provide enough functions to operate an all-encompassing identity and access management system (IAM system)?

This was the question that we asked ourselves right at the beginning. The answer is that Keycloak offers the basic functionality to be able to operate an IAM system. Extensive programming is needed to add important functions.

To minimise this effort, the Login Alliance offers an effective solution with login-master, which is based on Keycloak and comes with all the relevant enhancements for immediate use.

Keycloak extensions at a glance. SSO and more.

In the comparison in the table below, you can see what Keycloak offers in connection with ENTERPRISE requirements, and what functions login-master covers above and beyond that. In this connection, there are also services that you can use with the Login Alliance.

Feature: User self-service and GDPR
Keycloak: No out-of-the-box support for GDPR
Login-Master: Login-Master takes into account all the necessary GDPR regulations based on Keycloak. Including: different consent levels, download of personal information, “forget me” process.
The functionalities are called via the REST interface for complete integration of the registration process in your application.
In Login-Master, there is the possibility to check data via the POSTIDENT process of Deutsche Post. That is the only process for age verification.

Feature: User login
Keycloak: Keycloak is outstanding here, and provides a solid foundation for enhancements (implementation of 2-factor authentication).
Login-Master: Keycloak as a Service: The offer from Login Alliance is to implement the authentication process as desired.

Feature: Access rights
Keycloak: Assignment of default roles
Login-Master: Complete, refined role management system:
  • Granting/revoking roles depending on the values of the user attributes (ABAC)
  • A role shop allows the user to make a request for additional access.
  • A background process continually performs housekeeping tasks. The same process makes it possible to remove a role when it has expired.
  • Synchronisation with legacy IAM systems
  • Enhanced access control technology SecuRole®

Feature: Existing users
Keycloak: Keycloak does not know any “existing users”.
Login-Master: Login-Master implements a complete metadirectory and synchronises the existing user base with that of Keycloak. Users and the access rights are synchronised.

Feature: Batch processes
Keycloak: REST interfaces
Login-Master: Login-Master uses workflows to start backend processes. That way, the most frequent, different tasks are implemented: housekeeping, removal of expired rights, reminder to users to change an old password or about an expiring contract. This happens in a multilingual environment with support from adaptable e-mail templates.

Feature: Delegated administration
Keycloak: Keycloak doesn’t know this concept.
Login-Master: The Login Alliance introduces well thought-out delegated administration in which we define user communities. There are one or more administrators for each community. They can invite other registered users to the community, grant or revoke specific access rights and exclude users from a community. This leads to prompt administration of user communities. It is used with portals for project and business partners, for suppliers (communities) or also for families.

Services: Support
Open Source Resources: Community support
Login Alliance - Solutions and Services: Basic support: Monday to Friday 9:00 am - 5:00 pm, 24*7 is planned

Services: Hosting
Open Source Resources: Self-hosted Keycloak
Login Alliance - Solutions and Services:
  • Managed Keycloak on dedicated instances / Keycloak as a Service, ready-made test environments
  • Login-Master licenses for self-hosting or as Identity as a Service

Services: Consulting
Open Source Resources: Community forums
Login Alliance - Solutions and Services: Proof-of-concept, IAM consulting (infrastructures, hardening, high availability, trouble shooting), Keycloak / IAM workshops

Have you already made a decision for Keycloak or Red Hat SSO? Would you like to know how easy it is to implement this? Or, are you interested in extended support and comfortable features that you have to laboriously develop in projects lasting months?