About two years ago, Red Hat IT finished migrating our customer-facing authentication system to Red Hat Single Sign-On (Red Hat SSO). As a result, we were quite pleased with the performance and flexibility of the new platform. Due to some architectural decisions that were made in order to optimize for uptime using the technologies at our disposal, we were unable to take full advantage of Red Hat SSO’s robust feature set until now. This article describes how we’re now addressing database and session replication between global sites.
Continue reading “Transitioning Red Hat SSO to a highly-available hybrid cloud deployment”
Microservices architecture is taking over software development discussions everywhere. More and more companies are adapting to develop microservices as the core of their new systems. However, when going beyond the “microservices 101” googled tutorial, required services communications become more and more complex. Scalable, distributed systems, container-native microservices, and serverless functions benefit from decoupled communications to access other dependent services. Asynchronous (non-blocking) direct or brokered interaction is usually referred to as messaging.
Continue reading “Announcing Kubernetes-native self-service messaging with Red Hat AMQ Online”
In a software world where each day is more hostile than the previous one, security matters and developers are coping with more and more non-functional requirements about security. The most common ones are the “OWASP Top 10”: the ten security risks that every developer should know. There are many more security risks you should care about, but those ten risks are the ones having the most impact on the security of your software. Among them are authentication and access control.
The good news is that authentication and access control are now commodities in the open source world, thanks to Red Hat Single Sign-On Red Hat Single Sign-On is an access management tool that takes care of the details of most authentication protocols such as SAML, OAuth, and OpenID Connect; user consent with UMA; and even access control. It is easy to use, is very well-documented, and has a very active community: Keycloak.
This article describes how to download and install Red Hat Single Sign-On for no cost.
Continue reading “Red Hat Single Sign-On: Give it a try for no cost!”
When deploying Red Hat Single Sign-On/Keycloak for a test or a proof of concept, most users will choose to use a self-signed certificate as explained in the official documentation.
The setup instructions are straightforward, but this self-signed certificate will trigger certificate error messages in your web browser and can also prevent some clients such as Postman from working properly.
This article explains how to use a public certificate from Let’s Encrypt with Red Hat Single Sign-On.
Continue reading “Using a public certificate with Red Hat Single Sign-On/Keycloak”
This post describes how to configure OpenID Connect (OIDC) authentication using an external Identity Provider (IdP). With the new release of Red Hat 3scale API Management, version 2.3, it is possible to use any OIDC-compliant IdP during the API authentication phase. This is a very important new feature because it makes it possible to integrate any IdP already present in your environment—without having to use an Identity Broker—thus reducing overall complexity.
Continue reading “Integrating third-party identity providers with Red Hat 3scale API Management”
In this article I cover configuring NGINX for OAuth-based Single Sign-On (SSO) using Keycloak/Red Hat SSO. This allows the use of OpenID Connect (OIDC) for federated identity. This configuration is helpful when NGINX is acting as a reverse-proxy server for a backend application server, for example, Tomcat or JBoss, where the authentication is to be performed by the web server.
In this setup, Keycloak will act as an authorization server in OAuth-based SSO and NGINX will be the relaying party. We will be using lua-resty-openidc, which is a library for NGINX implementing the OpenID Connect relying party (RP) and/or the OAuth 2.0 resource server (RS) functionality.
Continue reading “Configuring NGINX for OAuth/OpenID Connect SSO with Keycloak/Red Hat SSO”
If you’re looking for a single sign-on solution (SSO) that enables you to secure new or legacy applications and easily use federated identity providers (IdP) such as social networks, you should definitely take a look at Keycloak. Keycloak is the upstream open source community project for Red Hat Single Sign-On (RH-SSO). RH-SSO is a core service that is part of a number of products such as Red Hat JBoss Enterprise Application Platform. If you’ve logged into to developers.redhat.com or openshift.com you are using Keycloak.
On the Red Hat Developer blog there have been a number of recent articles that cover various aspects Keycloak/RH-SSO integration. A recent DevNation Live Tech Talk covered Securing Spring Boot Microservices with Keycloak. This article discusses the features of Keycloak/RH-SSO that you should be aware of.
Continue reading “Single Sign-On Made Easy with Keycloak / Red Hat SSO”
This guide is designed to help you integrate your Red Hat Single Sign-On server with the OpenAPI (OAI)-based ActiveDocs in your 3scale developer portal. Although it has only been implemented with this particular Identity & Access Management solution (IAM), you could in theory make some customizations where necessary to integrate with another OpenID Connect-based solution.
Continue reading 3scale ActiveDocs and OAuth 2.0
The next online DevNation Live Tech Talk will be Thursday, March 1st at 12pm EST. The topic is Secure Spring Boot Microservices with Keycloak presented by Sébastien Blanc.
Although security and identity management are critical aspects for any application, implementation can be difficult. As a result, these things are often neglected, poorly implemented, and intrusive in the code. Recently, identity management servers have appeared that allow you to outsource and delegate all aspects of authentication and authorization, such as auth0.com. Of these servers, one of the most promising is Keycloak, because it is open source, flexible, and technology agnostic. Keycloak is easily deployable on a variety of infrastructure and is very adaptable for many types of deployments.
Register now, and join the live presentation at 12 pm EST on Thursday, March 1st.
** UPDATE: Missed the live session? Watch the video online. **
Continue reading “Next DevNation Live: Secure Spring Boot Microservices with Keycloak, March 1st, 12pm EST”
The aim of this tutorial is to configure Red Hat Single Sign On (RH-SSO) to work as an Identity Provider (IdP) for Liferay DXP through SAML.
Liferay DXP supports functionalities for Single Sign On (SSO) such as NTLM, OpenID, and Token-based and integration with IdPs like Google and Facebook. But when it comes to enterprise environments, the requirements may be stricter, especially regarding integration with externals IdPs.
Continue reading “Integrate RH-SSO 7.x with Liferay DXP using SAML”