ENTERPRISE SECURITY WITH KEYCLOAK - Red Hat

Post on 16-May-2018


ENTERPRISE SECURITY WITH KEYCLOAK
From the Intranet to Mobile

By Divya Mehra and Stian Thorgersen

PROJECT TIMELINE

AGENDA

THE OLD WAY
- Securing a monolithic web app was relatively easy
- Username and password form
- Credentials verified against a table in the DB
- HTTP session stores the security context

IT'S NOT JUST A FORM AND A TABLE ANYMORE
- Enterprise software has changed
- No longer one or two apps inside the firewall
- Now we have many separate systems
- Exposed to mobile users and partners

THE NEW WAY?
- Multiple apps
- Multiple variants of each app
- Multiple services
- Multiple user DBs
- Multiple logins
- Outside the firewall

AUTHENTICATION
- Passwords are not sufficient
- Users create bad passwords (123456 and password)
- Password policies help, but are no guarantee
- Users reuse passwords
- Passwords can be lost
- Secure storage is required
- Need two-factor authentication

APP TYPES
- Have to deal with many apps, variants & programming languages
- Client-side and server-side web
- Mobile (native and hybrid)
- APIs/Services
- ...

MOBILE
- Users don't want to log in frequently
- Don't store username and password on the phone
- What if the device is lost?
- Sessions and cookies aren't ideal
- Requires public services

SINGLE SIGN-ON
- Not as trivial as it may seem
- Single Sign-Out can be even harder
- Need Remote Sign-Out

MANAGE
- Apps
- Services
- Users
- Devices
- Permissions
- Sessions and logs

...and ideally manage everything from one console

SELF SERVICE
- Users can manage their own accounts
- Recover password
- Update profile
- Enable two-factor authentication
- Manage sessions
- Account history

...and ideally manage everything from one console

INTEGRATION
- Third-party apps
- Existing infrastructure
- New infrastructure after an acquisition
- External users
- Social networks

VULNERABILITIES
- Broken Authentication and Session Management is #2 on the Open Web Application Security Project (OWASP) Top Ten list
- Recommendation is to not implement your own!

PROTOCOLS
- OpenID Connect
- SAML 2.0

OPENID CONNECT
- Built on OAuth 2.0
- RESTful
- JSON
- Easy to use
- Less mature - final spec released last year

SAML 2.0
- XML
- Harder to use and understand
- Mature - 1.0 was adopted as an OASIS standard in 2002

TOKENS
- Decouples authentication
- Cross-domain
- Stateless
- Only sent when needed
- Standards based
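What "stateless" and "decoupled" mean in practice: a resource server checks the bearer token it receives using nothing but the token and the issuer's key, with no session store and no call back to the login server. The following is an added example, not Keycloak's or its adapters' code; it assumes a constructed HS256 token with a shared secret (Keycloak itself signs with RSA and publishes the public key, but the validation steps are the same), a constructed issuer URL and client id, and Keycloak's realm_access.roles claim layout.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: HS256 with a shared secret keeps this demo standard-library only.
# With Keycloak's RS256 tokens the signature check uses the realm's public key instead.

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, secret: bytes) -> str:
    """Mint a constructed token; stands in for what the login server issues."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_token(token: str, secret: bytes, issuer: str, audience: str,
                   now: float = None) -> dict:
    """Return the claims only if signature, issuer, audience and expiry all hold."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    # Pin the algorithm: never let the token choose how it is verified.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")       # tampered payload or wrong key
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")        # token from another realm or server
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")      # token minted for a different client
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def has_realm_role(claims: dict, role: str) -> bool:
    """Keycloak places realm roles under realm_access.roles in the token."""
    return role in claims.get("realm_access", {}).get("roles", [])
```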

AUTHENTICATION
- Authenticate with Keycloak
- Login forms provided by Keycloak
- Two-factor authentication
- Requires SSL
- Passwords are salted and hashed with PBKDF2
- Iterations configurable
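The salted PBKDF2 storage with a configurable iteration count described above, as an added example that is not Keycloak's own implementation or record format. The underlying hash (sha256) and the iteration count (27500) are assumptions for the demo; the record stores its own salt and iteration count so that passwords hashed under an older policy still verify and can be upgraded at next login.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

HASH_ALG = "sha256"        # assumption: PBKDF2's underlying hash for this demo
POLICY_ITERATIONS = 27500  # assumption: the realm's currently configured iteration count

def hash_password(password: str, iterations: int = POLICY_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2-<alg>$<iterations>$<salt>$<hash>.
    A fresh random salt per user means equal passwords give unequal records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(HASH_ALG, password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2-" + HASH_ALG, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])

def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record itself."""
    scheme, iterations, salt_b64, hash_b64 = record.split("$")
    alg = scheme[len("pbkdf2-"):]
    digest = hashlib.pbkdf2_hmac(alg, password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(digest, base64.b64decode(hash_b64))  # constant-time compare

def needs_rehash(record: str, policy_iterations: int = POLICY_ITERATIONS) -> bool:
    """True when the record was hashed with fewer iterations than policy now demands;
    re-hash on the next successful login, when the plaintext is briefly available."""
    return int(record.split("$")[1]) < policy_iterations
```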

<button onclick="keycloak.login()">Login</button>

Welcome App

Login to Keycloak realm

Logged-in to Welcome App

APP INTEGRATION
- Keycloak Client Adapters
- Keycloak Proxy
- OpenID Connect Resource Provider library
- SAML Service Provider library

CLIENT ADAPTERS
- JBoss EAP & WildFly
- JBoss Fuse
- JBoss BRMS
- JavaScript
- NodeJS
- Mobile (Apache Cordova and Native)
- Spring
- Tomcat, Jetty
- More coming (contributions welcome!)

EXAMPLE
- Simple example to demonstrate features
- Two HTML5 applications
- RESTful services deployed to WildFly

ADMIN CONSOLE
- Configure and manage everything from one console
- Including settings, applications, services, users, permissions and sessions

Admin Console - Realm settings

Admin Console - Clients

Admin Console - Client settings

Admin Console - User settings

Admin Console - User role mappings

ACCOUNT MANAGEMENT
- A console for users to manage their own account

Account Management - Profile

Account Management - Password

Account Management - Applications

Account Management - Account history

SINGLE SIGN-ON
- Web SSO
- Enterprise/Desktop SSO Bridge (Kerberos)
- Single Sign-Out
- Remote Sign-Out

THEMES
- Brand login pages and account management to integrate with your corporate brand
- HTML templates for more than just styling

Login - Default theme

Admin Console - Configure theme

Login - Summit theme

LOGIN FLOWS
- Required actions
- Recover password
- Two-factor authentication
- Registration

Admin Console - Login settings

Login - Extra features enabled

Login - Configure two factor authentication

Login - Update profile

PASSWORD POLICIES
- Set required complexity for passwords
- Prevent reuse of old passwords
- Require regular updating of passwords
- Set hashing iterations

Admin Console - Password policies

Login - invalid password update

USER FEDERATION
- Sync users with external directories
- Read-only or read-write

Admin Console - Add LDAP user federation

Admin Console - User federation

IDENTITY BROKERING
- Allow external users to sign on
- Supports sign-on with social networks

Admin Console - Add SAML Identity Provider

Admin Console - Identity Providers

Login - Identity Brokering

MAPPERS
- Customize tokens
- Map claims and attributes from external tokens
- Map attributes and groups from LDAP

Admin Console - Token mappers

Admin Console - Identity Provider mappers

Admin Console - LDAP mappers

VULNERABILITIES
- Standard protocols
- Built-in brute force protection
- Integrate with intrusion detection
- Protected against known attacks
- Patches
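The kind of brute force protection listed above, as an added example that is not Keycloak's own implementation: a per-account failure counter over a sliding window that temporarily locks the account and reports the lock event so it can be fed to intrusion detection. The thresholds are constructed values, and the injectable clock is an assumption made so the behaviour can be tested deterministically.

```python
import time
from collections import defaultdict

class BruteForceProtector:
    """Temporary lockout after too many failed logins inside a sliding window."""

    def __init__(self, max_failures=5, failure_window=60, lockout=300, clock=time.time):
        self.max_failures = max_failures      # failures tolerated inside the window
        self.failure_window = failure_window  # seconds; older failures are forgotten
        self.lockout = lockout                # seconds the account stays locked
        self.clock = clock                    # assumption: injectable for testing
        self._failures = defaultdict(list)    # username -> timestamps of recent failures
        self._locked_until = {}               # username -> unix time the lock expires

    def is_locked(self, user):
        return self._locked_until.get(user, 0) > self.clock()

    def record_failure(self, user):
        """Count a failure; return True when this one engages the lock (log that event)."""
        now = self.clock()
        recent = [t for t in self._failures[user] if now - t < self.failure_window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            self._failures[user] = []
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)

    def attempt_login(self, user, password, check):
        """Gate a credential check: a locked account is refused before any verification,
        so a correct guess during the lockout does not succeed either."""
        if self.is_locked(user):
            return "locked"
        if check(user, password):
            self.record_success(user)
            return "ok"
        self.record_failure(user)
        return "failed"
```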