Announcing: Red Hat Single Sign-On 7.1 GA Is Available

We are proud to announce general availability of Red Hat Single Sign-On 7.1 (RH-SSO). RH-SSO is a standards-based, out-of-the-box authentication, web single sign-on, and authorization service, which mediates between your enterprise user directory or third-party identity provider for identity information and your applications via standards-based tokens.

Documentation and downloads are available in the Customer Portal. RPM packages are available for Red Hat Enterprise Linux 6 and 7 systems through Red Hat Subscription Management.

Features and Highlights

OPENID CONNECT CERTIFICATION

The Keycloak version included in Red Hat Single Sign-On (RH-SSO) 7.1 conforms to the 5 OpenID Connect profiles: Basic, Implicit, Hybrid, Config, and Dynamic. Certification was achieved in Keycloak v2.3 (http://openid.net/certification/). Future RH-SSO versions will remain compatible with these profiles, unless documented otherwise.

 

CLIENT ADAPTER FOR RED HAT JBOSS FUSE

RH-SSO 7.1 features a new client adapter for Red Hat JBoss Fuse, which enables securing web application archives (WARs), servlets, Apache routes and Apache CXF endpoints deployed on JBoss Fuse, in both Apache Karaf and Red Hat JBoss Enterprise Application Platform (JBoss EAP).

 

NODE.JS CLIENT ADAPTER

RH-SSO 7.1 includes a new Node.js client adapter, which enables use of RH-SSO 7.1 Server for authentication and web single sign-on for Node.js applications.

 

EXTERNALIZED AUTHORIZATION SERVICE

RH-SSO 7.1 introduces a new authorization service feature-set, based on the User Managed Access specification. This enables RH-SSO 7.1 Server to act as a policy administration point, policy decision point, or policy information point, separating the authorization logic from the application.

 

USER STORAGE SPI

RH-SSO 7.1 features a new user storage SPI that you can use to implement your own custom user storage federation provider, such as a relational or NoSQL database, to enable federation of users from any user store.

 

SSSD INTEGRATION

RH-SSO 7.1 adds an integration with System Security Services Daemon (SSSD) in Red Hat Enterprise Linux (RHEL) 7.3. This enables use of SSSD as a user federation provider in front of a Microsoft Active Directory forest.

 

CLIENT REGISTRATION CLI

RH-SSO 7.1 introduces a command-line interface (CLI) for developers to register client applications on RH-SSO Server.

 

Five Links: Dusting the Bookshelf Edition

Happy Friday, everyone!

There really isn’t a trend to the types of articles I’ve been hitting this week; there’s been a cornucopia of different topics, from security to leadership.


Announcing: Red Hat Single Sign-On 7.1 Beta Is Available

We are excited to announce beta availability of Red Hat Single Sign-On 7.1 (RH-SSO). RH-SSO is a standards-based, out-of-the-box authentication, web single sign-on, and authorization service, which mediates between your enterprise user directory or third-party identity provider for identity information and your applications via standards-based tokens.

Beta documentation and code downloads are available in the Customer Portal. RPM packages are available for Linux systems through Red Hat Subscription Management.

Features and Highlights


Five Links: Make Me Feel Safe Edition

Happy Friday, everyone.

The last few weeks have seen a series of DDoS attacks taking out major services through vulnerabilities in IoT security, outages from human error, and data breaches from major players like Yahoo and less reputable ones as well. There are a lot of different attack vectors and different types of information that are vulnerable — and this highlights the thin line between security and risk. Security is not exactly a buzzword and it doesn’t get a lot of attention until (like insurance, a warm coat, or a full tank of gas) you really need it. That’s this week’s theme — data security and privacy.


Announcing Integrated Web Single Sign-On and Identity Federation

Red Hat recently released a new web single sign-on (SSO) server, based on the upstream Keycloak project. Now you have an out-of-the-box SAML 2.0 or OpenID Connect-based identity provider, fully supported, which mediates with your enterprise user directory or third-party identity provider for identity information and your applications via standards-based tokens. Keycloak is the next-generation replacement for PicketLink in the JBoss middleware technologies. Eventually, Keycloak will also provide single sign-on for Red Hat Cloud Suite and management products like Red Hat Satellite.

Feature Overview

At its core, Keycloak is a SAML 2.0 or OpenID Connect-based identity provider.

There is more information on the Customer Portal to go in-depth into features and configuration.

Client Support

Keycloak has a central identity server, and clients connect to it through their identity management configuration, assuming they have the appropriate adapter or module.

Keycloak supports a number of different clients:

  • Red Hat JBoss Enterprise Application Platform 6.4 and 7.0
  • Red Hat JBoss Fuse 6.2 (as tech preview)
  • Red Hat Enterprise Linux 7.2, through the mod_auth_mellon module for SAML 2.0

Identity Federation

Keycloak can be used for user federation with LDAP-based directory services, including:

  • Microsoft Active Directory
  • RHEL Identity Management

Additionally, Keycloak supports SPNEGO-based Kerberos with both Microsoft Active Directory and RHEL Identity Management.

Identity Brokering

Keycloak integrates with social login providers for user authentication, including:

  • Facebook
  • Google
  • Twitter

Administrative Interfaces

The Keycloak server, identity realms, and clients can be administered through a web-based GUI or through REST APIs. This allows you to completely design the single sign-on environment, including users and role mapping, client registration, user federation, and identity brokering operations.

Subscriptions and support lifecycle

Single sign-on is currently available via the JBoss Core Services Collection, on a 3-year support lifecycle. We anticipate offering Keycloak-based SSO as a service on Red Hat OpenShift Container Platform and Red Hat Mobile Application Platform, and as a federated identity provider for Red Hat OpenStack Platform.

The long-term vision is that Keycloak can be used to centralize user and client identities and to federate identity providers. This will stretch across existing infrastructure such as internal user directories or external cloud-based identity providers, such as social networks, and will provide SSO and identity federation across Red Hat products.