ENTERPRISE SECURITY WITH KEYCLOAK
From the Intranet to Mobile
By Divya Mehra and Stian Thorgersen
PROJECT TIMELINE
AGENDA
THE OLD WAY
Securing a monolithic web app was relatively easy:
Username and password form
Credentials verified against a table in the DB
HTTP session stores the security context
IT'S NOT JUST A FORM AND A TABLE ANYMORE
Enterprise software has changed
No longer one or two apps inside the firewall
Now we have many separate systems
Exposed to mobile users and partners
THE NEW WAY?
Multiple apps
Multiple variants of each app
Multiple services
Multiple user DBs
Multiple logins
Outside the firewall
AUTHENTICATION
Passwords are not sufficient
Users create bad passwords ("123456" and "password")
Password policies help, but are no guarantee
Users reuse passwords
Passwords can be lost
Secure storage is required
Need two-factor authentication
APP TYPES
Have to deal with many apps, variants and programming languages
Client-side and server-side web
Mobile (native and hybrid)
APIs/services
...
MOBILE
Users don't want to log in frequently
Don't store username and password on the phone
What if the device is lost?
Sessions and cookies aren't ideal
Requires public services
SINGLE SIGN-ON
Not as trivial as it may seem
Single Sign-Out can be even harder
Need Remote Sign-Out
MANAGE
Apps
Services
Users
Devices
Permissions
Sessions and logs
and... ideally manage everything from one console
SELF SERVICE
Users can manage their own accounts
Recover password
Update profile
Enable two-factor authentication
Manage sessions
Account history
and... ideally manage everything from one console
INTEGRATION
Third-party apps
Existing infrastructure
New infrastructure after an acquisition
External users
Social networks
VULNERABILITIES
Broken Authentication and Session Management is #2 on the Open Web Application Security Project (OWASP) Top Ten list
Recommendation is to not implement your own!
PROTOCOLS
OpenID Connect
SAML 2.0
OPENID CONNECT
Built on OAuth 2.0
RESTful
JSON
Easy to use
Less mature: final spec released last year
SAML 2.0
XML
Harder to use and understand
Mature: 1.0 was adopted as an OASIS standard in 2002
TOKENS
Decouples authentication
Cross-domain
Stateless
Only sent when needed
Standards-based
AUTHENTICATION
Authenticate with Keycloak
Login forms provided by Keycloak
Two-factor authentication
Requires SSL
Passwords are salted and hashed with PBKDF2
Iterations configurable
<button onclick="keycloak.login()">Login</button>
Welcome App
Login to Keycloak realm
Logged-in to Welcome App
APP INTEGRATION
Keycloak Client Adapters
Keycloak Proxy
OpenID Connect Resource Provider library
SAML Service Provider library
CLIENT ADAPTERS
JBoss EAP & WildFly
JBoss Fuse
JBoss BRMS
JavaScript
NodeJS
Mobile (Apache Cordova and native)
Spring
Tomcat, Jetty
More coming (contributions welcome!)
EXAMPLE
Simple example to demonstrate features
Two HTML5 applications
RESTful services deployed to WildFly
ADMIN CONSOLE
Configure and manage everything from one console
Including settings, applications, services, users, permissions and sessions
Admin Console - Realm settings
Admin Console - Clients
Admin Console - Client settings
Admin Console - User settings
Admin Console - User role mappings
ACCOUNT MANAGEMENT
A console for users to manage their own account
Account Management - Profile
Account Management - Password
Account Management - Applications
Account Management - Account history
SINGLE SIGN-ON
Web SSO
Enterprise/Desktop SSO bridge (Kerberos)
Single Sign-Out
Remote Sign-Out
THEMES
Brand login pages and account management to integrate with your corporate brand
HTML templates, for more than just styling
Login - Default theme
Admin Console - Configure theme
Login - Summit theme
LOGIN FLOWS
Required actions
Recover password
Two-factor authentication
Registration
Admin Console - Login settings
Login - Extra features enabled
Login - Configure two factor authentication
Login - Update profile
PASSWORD POLICIES
Set required complexity for passwords
Prevent reuse of old passwords
Require regular updating of passwords
Set hashing intervals
Admin Console - Password policies
Login - Invalid password update
USER FEDERATION
Sync users with external directories
Read-only or read-write
Admin Console - Add LDAP user federation
Admin Console - User federation
IDENTITY BROKERING
Allow external users to sign on
Supports sign-on with social networks
Admin Console - Add SAML Identity Provider
Admin Console - Identity Providers
Login - Identity Brokering
MAPPERS
Customize tokens
Map claims and attributes from external tokens
Map attributes and groups from LDAP
Admin Console - Token mappers
Admin Console - Identity Provider mappers
Admin Console - LDAP mappers
VULNERABILITIES
Standard protocols
Built-in brute-force protection
Integrate with intrusion detection
Protected against known attacks
Patches