Article

Single Sign-On Made Easy with Keycloak / Red Hat SSO

March 19, 2018
Developer Tools
Salvatore Incandela
Middleware Consultant
Keycloak Keycloak

If you're looking for a single sign-on solution (SSO) that enables you to secure new or legacy applications and easily use federated identity providers (IdP) such as social networks, you should definitely take a look at Keycloak. Keycloak is the upstream open source community project for Red Hat Single Sign-On (RH-SSO). RH-SSO is a core service that is part of a number of  products such as Red Hat JBoss Enterprise Application Platform. If you've logged into to developers.redhat.com or openshift.com you are using Keycloak.

On the Red Hat Developer blog there have been a number of recent articles that cover various aspects Keycloak/RH-SSO integration.  A recent DevNation Live Tech Talk covered Securing Spring Boot Microservices with Keycloak. This article discusses the features of Keycloak/RH-SSO that you should be aware of.

When considering any SSO platform, there are six aspects to consider:
  1. Adaptability
  2. Integration
  3. Scalability
  4. Extensibility
  5. Centralization
  6. Features

Adaptability

By default, Keycloak uses the open source H2 database as its embedded datastore. However, you are free to choose your own database: Oracle, Microsoft SQL Server, IBM DB2 , MySQL/MariaDB, or PostgreSQL.

Integration

Would you like to enable social networking logins for your application?  You can configure your Keycloak instance to use OpenID providers like: Google, Facebook, Twitter, Github, LinkedIn, Microsoft, or StackOverflow.
For enterprise deployments, Keycloak supports Kerberos logins. And yes, you can also federate your LDAP or Active Directory in just one configuration page.
Keycloak is easy to add to your application as adapters are available for many platforms including: JBoss EAP, JBoss Fuse, JavaScript, Node.js, and mod_auth_mellon for Apache.

Scalability

Keycloak use the Wildfly Clustering features which means you can use Infinispan (aka Red Hat JBoss DataGrid) caching to have clustered instances with sessions replicated across all the machines in the cluster.

Extensibility

The Keycloak Service provider interface, enables you to write your own authenticator or federator. You could use the authenticator, to integrate your own code that authenticate a user with SSL client certificate. (Though this is now a built-in feature starting with version 3.2). Using the federator, you could integrate the user database from a legacy system and use it as an identity source in Keycloak.

Centralization

KeyCloak has centralized session management.  The benefits are:
  • You can determine how many active session your system currently has.
  • You could force the logout of a single user.
  • Or you could force all users of the system to be logged out.
Logout All Limitations: Any SSO cookies set will be invalid and clients that request authentication in active browser sessions will now have to re-login. Only certain clients are notified of this logout event, specifically clients that are using the Keycloak OIDC client adapter. Other client types (i.e. SAML) will not receive a backchannel logout request.

Cool features

  • One time password (OTP) policies
  • Centralized password policy
  • Authorization policies per resource or per scope
  • Timed access policy (users or group of users can login only between certain time slots)
  • JavaScript-Based policy
  • Rule-Based policy

Getting started with Keycloak

Keycloak login form">

It takes only a few steps to setup Keycloak in your development environment. Take a look at the quick start guides that are available in the Keycloak Quick Starts GitHub repo.

Last updated: April 1, 2021