Adding user self-management, brokerage and federation to the infrastructure with Keycloak.

Keycloak has been mentioned now and then in the previous talk; it was great to hear. I'm Alexander Schwartz, I'm just Alex, I'm working at Red Hat for the Keycloak project full-time and I'm also a maintainer since last year. I've been using Keycloak for several years. When I was back in IT consulting, we were building applications and we were using it as an identity and access management solution. Back at the time, a lot of customers did not have Keycloak, so we brought an application in there, a custom-built one, and we put Keycloak next to it to do the IAM stuff. Over time, when we built our applications for customers, they already had Keycloak, so it was great. Two years ago, I joined Red Hat full-time working on Keycloak. What do I do at Keycloak? I'm doing a lot of performance testing, database stuff, also a bit of LDAP. Keycloak has so much to offer, and when I was reading the call for presentations, it was stating something about federation and LDAP, and I thought, yeah, I could present you this slide today, and this is what I will do: presenting what's already existing in Keycloak and also some of the things that will arrive in the next version of Keycloak. The current version is 23 and the next version is Keycloak 24, and you can already download the things that are shown today in the nightly build of Keycloak.

Right, so the agenda that I brought for today is more like a journey that I saw customers going through when they enter the identity and access management space. It's like: day one is "single sign-on is cool", right? I need only one password to access all my services, so that's where it all starts.
Day two is: well, I need to get a bit more flexible, because I have maybe one directory with users, maybe multiple directories of users that I want to integrate, lots of applications. And then day three: I want to eliminate the daily churn, like resets of passwords, user self-management, and that's especially where the things come in that we have in Keycloak 24 around user self-registration and declarative user profiles, which we will see there.

So why is single sign-on cool? I said, well, users need to remember only one password, and then they authenticate only once a day. In the morning, usually when they get to work, and then, depending on how you configure it, it's maybe valid for 24 hours, for 10 hours, for eight hours, that's the policy of the company, and then they can access all these applications over the day with the credentials they entered. And well, usually a password might not be enough, so you have a second factor, you have one-time tokens, you may have a mobile app that generates these small codes, you have FIDO keys, WebAuthn and all that stuff. Maybe some applications need it, other applications don't need it when you access them, maybe you want to re-authenticate during the day when you access a special application, so all those things come with Keycloak. And well, not the last thing, but usually in the middle, when you deploy Keycloak to your organization, you want to theme the front end, right? It should look like, at least the colors, maybe the logo of your organization, to make your users feel at home. It might seem like a small thing, but it really helps the acceptance of that in an organization. So I say, even if you're deploying a single application and need identity and access management for it, it makes sense to deploy Keycloak for that, because you then don't need to reinvent it yourself, right? And doing user management right with all the bells and whistles is not a nice thing.
So how does Keycloak work in the end? You have a user with maybe a mobile device, maybe with a regular device, and they log in with Keycloak, so Keycloak presents a login screen, does the handling of all the second factors that you come up with, and then the user sends from their browser a token to the services in the cloud, whatever they are, and the application can then either check the token directly by inspecting the token's cryptographic signature and the timestamp, or it will send this token, for example, to Keycloak to figure out who that user is when it wants to retrieve some additional information. This is possible. You might also use that token, I don't know, when you're integrating other authorization services like OPA or something like this, which then come up with: is this user allowed to access this service or not. So that's the basic setup. Keycloak, you can deploy it as a single container connected to one of a bunch of databases that you can choose from, be it Postgres, MySQL, MariaDB, Oracle, MSSQL Server. Usually, as an admin, or even as a developer, you don't have a choice: usually an organization has chosen a database, they know well how to do backups, how to restore, how to operate them, so we give you a choice which database to connect to. And then you have Keycloak either deployed as a single binary or container, or you deploy it using an operator with a high-availability setup to the Kubernetes of your choice, to the bare metal of your choice; that's what you can do. And well, this is what users then usually see when you don't customize the login screen: it's a username and password, right? And once I log in, let's see if the demo goes with me, so I'm logging in here, maybe it's expired, oh, it hasn't expired yet, so I get an admin screen here where I can set up clients, basically clients are applications, and have client scopes, users, groups, so all of this, and roles somewhere as well, right?
I can configure all these in a web UI, and in a very basic installation it will just store them in the database of Keycloak, and it will then take care of all that. So, yeah, that's a simple start: you have your application, it's secured, it's all working well. But then you usually don't start in the green field, that's very rare, so you need to become a bit more flexible in what you're doing and integrate with all the existing stuff that's already in your organization. So for example, there might be one LDAP, there might be many LDAPs in your organization; I think whenever there's a merger there might be other LDAPs joining, other user directories joining that you want to integrate with. And there's Kerberos, so people might be already authenticated on their machines, especially in corporate environments. There might be some service around in your organization or external to it, but it only talks SAML and your applications want to talk OpenID Connect, so it's great to put Keycloak there in between. There might be also other OpenID Connect things, but then why would you put Keycloak in between OpenID Connect and OpenID Connect? Well, Keycloak can translate it to SAML, or Keycloak can also give the right tokens to the right application, because maybe this one application is on a special diet and requires this or the other attribute in the right tokens, and Keycloak can do that in the way this application is then finally working.
You can also create your own extensions to Keycloak, so for that you need to familiarize yourself with a bit of Java, and then you can integrate custom stores. You might have, well, it's called legacy usually for a good reason, because maybe the old systems, the customers are known to those systems, they make money, you can't shut them off, and you want to integrate Keycloak with existing user stores. You can do that, you can then connect it to a database directly, call some REST services, wherever you get this information from, and make it work. And also we might hear later today about SCIM integration; all that is then possible by adding extensions to Keycloak in this area. So we use everything that is already there and integrate and connect with that, so that's very, I'd say, essential on your day-two things, when you say, yes, Keycloak is cool, single sign-on works, but then you need to integrate with a lot of stuff, and Keycloak hopefully makes that a lot simpler for you.

All right, so that's some diagrams around that: identity brokering, Kerberos, SAML, OpenID Connect, you can connect to those, and we can show that in the demo shortly. Well, the good thing about Kerberos is your user might not see Keycloak at all. Look, the user tries to actually see the application, the application wants to get an OpenID Connect token or some SAML token, it forwards the browser to Keycloak, Keycloak will negotiate with the browser that the user already logged in using Kerberos and then will not even show the login screen but forward directly back to the application with the right token so the user can continue. So the user will never see the login screen, so there's Kerberos. But on the other hand, if on the system the user is currently on Kerberos is not configured correctly for whatever reason, it will fall back to a login screen and you can use the regular credentials, and then, what we see in a second, maybe use those credentials and verify
these credentials against an LDAP. So it's like Kerberos but without the Kerberos; it works the same way with the same credentials in the end. We can get all these social logins integrated, so with those the user usually has a login screen where they pick the right social login provider they want to use to authenticate. It might not be the right thing for corporate environments, but it might be the right thing when you are integrating your public-facing website with users coming around that you want to integrate. And federation, as I said: OpenLDAP, Active Directory, custom user stores. You can have none of those, when you want to store things only in Keycloak's database, you can have one of those, but you can actually have multiple of those as well. So I wish or I hope for you that you have a simple environment, but on the other side you can't really choose when, I don't know, there's another merger coming around the corner, and then you might have another directory to integrate, or maybe a customer has some users they want to bring there and you want to integrate as well.

So looking at the demo: you can see identity providers, that would be OpenID Connect, all the social logins that you want to integrate with here, they're here either custom or predefined with some sensible defaults. User federation: I already configured LDAP here. So LDAP, telling you, okay, I'm running some Apache Directory Server here locally on my machine because it was simple to set up, the usual LDAP I'd say. I can choose if it's read-only, writable or synchronized, all these things are here. And then, not all LDAPs are the same, they need some special configuration seen here, and you can configure it so that it matches the organization. There are usually also some mappers, so there are lots of attributes in LDAP that you want to leverage, either to put them into
the tokens that you want to pass on to the applications, or that you want to leverage in the userinfo endpoint where the application can then query those if you don't want to put them in the token. So all these things can be configured here, mapped per realm, per LDAP connection, in the way it's needed to work. Eventually you can also configure which application should get what kind of attribute in what kind of token. But then it's the real world catching up on this: the simpler you can make your setup the better you'll be off, but on the other hand you need to make it work with the things you have, and we're hoping that we've got Keycloak in a way that it's not standing in your way.

So let's go on to day three, eliminate churn. All these repetitive tasks that you have to do every day when it comes to users, they're annoying for admins and also annoying for users. Ideally they want to do these things themselves; they don't want to be bound to some opening hours of IT or some things. I've shown a minute ago users' required actions, so basically you can as an admin choose: well, as an admin you might have sent out an email, please enable a second factor, and you sent another email saying please finally enable a second factor for login, and then you say, well, now's the time, I go through maybe all of my users or some of my users, and on the next login they must enable the second factor no matter what. So you can do that as an admin and you're done, because no one will enter your system without a second factor enabled.
Also password recovery: you can add a link to the login screen, we will do that in a second, so that you can do password recovery, so that you send out an email, the user can click on a link, and it works with the database of Keycloak, but it will also work when the user is on an LDAP, it would also work when the user is on an Active Directory; all these bits work when you're using the password recovery mechanisms of Keycloak. Also, well, in a corporate environment you might not want self-registration for people, right, so they probably need to sign a paper contract first, but then on the internet, on the public-facing side, you want the people to self-register; again this is something that comes with Keycloak. Also, once you're registered, you want to maintain the data yourself as a user, maybe update your mailing address, your blog, your social handles, whatever; all these things should be managed by the users themselves, and Keycloak allows you to do that. And this is something that greatly improved over the last releases: in Keycloak 23 you can enable it as a preview feature, and we are pretty sure that we will have that in the final release of Keycloak 24 enabled by default, so that you can really use that in a very good and configurable way. So yeah, it's great to resolve the need for either phone calls or tickets or chats nowadays, right?

So let's go back to these required actions, so there are lots of them, so let's maybe have a look here. So in authentication, for each realm I can really decide what I want people to be required to do when they log in, or to be checked when they log in, for example one-time passwords, maybe you want to have them confirm the terms and conditions, updating the password, update profile, verify email address, where we send out an email with a link people can click on. So that's very useful for public-facing registration.
WebAuthn is in there, people should be able to choose their locale, we want to verify the profile, and I can enable those and maybe also have some policies when and why. And then on the realm settings I can, well, this is basically the tab called login, which configures the login screen, and I say, okay, from now on user registration should be enabled, right? For the forgot-password flow, I want to have a link there where I want to allow that people can reset their passwords, and once I do this, when I sign out here now, these fields have appeared: so the forgot-password link is here, and I'm asked for my username and email address, and I have a register button where I can register with some fields that are required here. And if I then log in again and we go for the user profile, there we are. So this is the configuration where I can say these are the fields that exist, that should exist for both the admin to be edited in the admin UI, these are the fields that should exist on the user self-registration form, and those are also the fields that are available for user self-management.
So basically you can think of this as a form configurator, and for each of these fields I can go in and say, okay, this is the name to be there, there's an attribute name, like a technical name I can reference it by later, a display name, well, this is an automatically localized name here, but you can put a simple name in here as well. I have attribute groups here, so we can group things on the form. For each field I can decide who can edit this, either a user or an admin, who can view this, either the user or the admin, and then I can put lots of validations on top of each field: about the length, for the username it's the minimum length of three, the maximum length of 255 characters. For the username there are some prohibited characters, so you should use regular keyboard characters for that. We also don't want to have any homographs in here, basically letters looking like real letters from a Latin alphabet, for example, but they're actually from a very different alphabet, so you could have a user registering with a username that looks like an already existing username, and it might lead to confusion, so that's a really sensible, good security default. And I can add more things here, I can also add annotations saying how should this element be formatted, should it be an input type, should there be helper text above and below the input, the size, the columns, I can also reorder those. So it's basically a form builder, and the form builder will be consistent in all three places: user self-registration, the admin form for users, and user self-management, right? So when I go here, for example the blog, I can change it here with a different display name, and once I go, let's do that as an admin, to manage my own account, then I would see here, okay, now it's renamed, and another field here. And I can then choose when this is shown: is it mandatory on first login, is it maybe mandatory once a month, like you can have maybe a scheduled process that inserts these actions
on each login once a month. And then I can see here all these things are then how I configure my login flow and have this information populated by my users. So yeah, we saw that, we saw that as well, right, we have this recovery, we have seen the configuration, how we can configure those with validations and attributes and all necessary information, and again the three areas where you have the admin UI on the left, in the middle the registration screen, and on the right the personal information the users can self-manage. And all this information is either stored in Keycloak's local database, or if you then choose to store it in an external service like LDAP, it will be stored in the external service, LDAP, right?

So that's basically almost the end. So we saw: day one, single sign-on is cool and it makes a lot of sense to not reinvent identity and access management even for a single application. Day two, you want to get more flexible and integrate with a lot of existing security infrastructure in your organization once you are a happy user of Keycloak. And then day three, it allows you a lot of automation around users when you really want to scale, especially if you want to scale with lots of users signing up on the internet, and if they want to manage their stuff on their own and you don't want to get calls from them or emails and stuff.

So I brought some links. This is the Keycloak homepage, please pay it a visit, we have some docs on there on how to install it. The Keycloak nightly release, I linked it directly, so if you go there you can download the zip file and extract it, but there's also a container registry on quay.io where you can have a container built ready for that with a nightly release. If you're on GitHub, please give us a star. There's the Keycloak book, second edition, that has been published last year, so if you've been using Keycloak maybe two or three years ago you might know that this was based on EAP and WildFly; it was now moved to Quarkus, so some of the
things changed, so it might be good to look at this second edition. Something that is one of my very personal goals: I want to start a Keycloak hour of code, to get more people into contributing. So I'm planning for maybe once a month, maybe every two weeks, I think, an online session to get people familiarized with coding: how do we code in Keycloak, how do you maybe contribute documentation, how do things work around Keycloak. And at some point we also want to bring in the community to also review issues, helping with triaging those, helping if another community member creates a pull request, maybe the community joins in and helps to get that to a mature level that we can merge it in. So that would take some weight from the shoulders of the maintainers, that would be great. So that's my thing for this year I want to try out. So that's me, so I'm around for the rest of the day, so meet me here, meet me in the hallway. I also have some stickers of Keycloak, some postcards if you want to sell Keycloak to your managers or friends or colleagues, so send them a FOSDEM postcard with Keycloak on it. Thank you very much.

All right, we might have like two questions or something. Yeah, what is the best way to configure Keycloak declaratively? So usually you want to use the UI to figure out what's there and how it works, and then one way is to maybe export the full realm as JSON and then re-import it, so that's like the full export, full import. There's also the chance that there's a Terraform, hopefully OpenTofu-compatible, Keycloak provisioning mechanism as well, and there's a REST interface, so you might use this REST API to configure it, and there's a command-line interface as well, but the command-line interface is basically a wrapper around the REST interface, so that you can configure different settings of a given client or maybe override the client with a new config, that kind of way. But it then depends on how
you want to do things. If you have the chance to, I don't know, delete it and re-import it, that might be very helpful for test environments, or if you're more bound to an incremental, like database-schema-migration style of things, that you really want to do things one step at a time and always in that order, and maybe OpenTofu would take some shortcuts that might not work, but you want to have maybe some migrations, so it depends on what you want to do. But the good news is it's all automatable.

Just one question: how can Keycloak be beneficial in the Linux ecosystem? So how can Keycloak be beneficial in a Linux ecosystem, so like if you then log in, you say, with SSH somewhere? I haven't seen it this way, but it kind of connects very well if you have, for example, Kerberos around, so if you have Kerberos, I have that on my machine as well when I'm in a corporate environment, then Keycloak can leverage that. Okay, maybe then, okay, to repeat it for the video: so there was a talk in 2023 at FOSDEM on passwordless authentication on Linux, here at FOSDEM, right. Okay, one note: there's a Red Hat SSO Ansible Collection, yeah, okay, so there's also a Red Hat SSO Ansible Collection that allows you to configure Keycloak, right. Yeah, the old name, well, Keycloak is the upstream project, it's a CNCF project; there's also Red Hat SSO, like the thing that you get with a subscription from Red Hat, where you find tools that work with that as well, and from the end of last year there's no longer Red Hat SSO but Red Hat Build of Keycloak, so it's going to be easier to find in the future. So whenever you search for something for Keycloak, it will be both the upstream project and that what Red Hat offers for a subscription. Okay, I think the time is up. Thank you very much.
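As an added example, not from the talk and not Keycloak's own code, here is a small Python model of the declarative user profile validation described for the username field: a constructed profile fragment in the shape of the user profile JSON, with the length (3 to 255), prohibited-character and homograph checks applied by one validator function. The validator keys and the prohibited-character set are assumptions, and the homograph rule is a mixed-script approximation rather than Keycloak's implementation.

```python
import unicodedata

# Constructed profile fragment in the shape of Keycloak's declarative user
# profile JSON (attribute name plus a map of validators). The validator keys
# are assumed for this example, not copied from a Keycloak release.
USER_PROFILE = {
    "attributes": [
        {
            "name": "username",
            "validations": {
                "length": {"min": 3, "max": 255},
                "username-prohibited-characters": {},
                "up-username-not-idn-homograph": {},
            },
        }
    ]
}

# Assumed prohibited set: the "regular keyboard characters" rule modelled as a
# deny-list of symbols that cause trouble in templates, queries and filters.
PROHIBITED = set('<>&"\'$%!#?;*~/\\|^=[]{}()` ')


def script_of(ch):
    """Script label from the Unicode name: 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def check_length(value, cfg):
    if not cfg["min"] <= len(value) <= cfg["max"]:
        return f"length must be between {cfg['min']} and {cfg['max']} characters"
    return None


def check_prohibited(value, cfg):
    bad = sorted(set(value) & PROHIBITED)
    return "prohibited characters: " + "".join(bad) if bad else None


def check_homograph(value, cfg):
    # Mixed-script approximation of the homograph rule: Latin letters next to a
    # Cyrillic or Greek look-alike could impersonate an existing username, so
    # the name is rejected. A name written entirely in one script passes.
    scripts = {script_of(c) for c in value if c.isalpha()}
    if len(scripts) > 1:
        return "mixed scripts, possible homograph: " + ", ".join(sorted(scripts))
    return None


VALIDATORS = {
    "length": check_length,
    "username-prohibited-characters": check_prohibited,
    "up-username-not-idn-homograph": check_homograph,
}


def validate(profile, attribute, value):
    """Run every validator configured for `attribute`; return the error messages."""
    for attr in profile["attributes"]:
        if attr["name"] == attribute:
            errors = []
            for key, cfg in attr["validations"].items():
                err = VALIDATORS[key](value, cfg)
                if err:
                    errors.append(err)
            return errors
    raise KeyError(f"attribute {attribute!r} is not in the profile")


if __name__ == "__main__":
    # The last sample starts with U+0430, the Cyrillic look-alike of Latin 'a'.
    for name in ["alex", "al", "alex<script>", "\u0430lex"]:
        print(repr(name), validate(USER_PROFILE, "username", name) or "ok")
```

The mixed-script rule lets a name written entirely in Cyrillic through; a registration form that must stay ASCII-only would need a stricter policy than this approximation.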