Announcing Integrated Web Single Sign-On and Identity Federation

Red Hat recently released a new web single sign-on (SSO) server, based on the upstream Keycloak project. Now you have an out-of-the-box SAML 2.0 or OpenID Connect-based identity provider, fully supported, which mediates with your enterprise user directory or third-party identity provider for identity information and your applications via standards-based tokens. Keycloak is the next-generation replacement for PicketLink in the JBoss middleware technologies. Eventually, Keycloak will also provide single sign-on for Red Hat Cloud Suite and management products like Red Hat Satellite.

Feature Overview

At its core, Keycloak is a SAML 2.0 or OpenID Connect-based identity provider.

There is more information on the Customer Portal to go in-depth into features and configuration.

Client Support

Keycloak has a central identity server, and clients connect to it through their identity management configuration, assuming they have the appropriate adapter or module.

Keycloak supports a number of different clients:

  • Red Hat JBoss Enterprise Application Platform 6.4 and 7.0
  • Red Hat Fuse 6.2 (as tech preview)
  • Red Hat Enterprise Linux 7.2, through the mod_auth_mellon module for SAML 2.0

Identity Federation

Keycloak can be used for user federation with LDAP-based directory services, including:

  • Microsoft Active Directory
  • RHEL Identity Management

Additionally, Keybloak supports SPNEGO-based Kerberos with both Microsoft Active Directory and RHEL Identity Management.

Identity Brokering

Keycloak integrates with social login providers for user authentication, including:

  • Facebook
  • Google
  • Twitter

Administrative Interfaces

The Keycloak server, identity realms, and clients can be administered through a web-based GUI or through REST APIs. This allows you to completely design the sign sign-on environment, including users and role mapping, client registration, user federation, and identity brokering operations.

Subscriptions and support lifecycle

Single sign-on is currently  available via the JBoss Core Services Collection, on a 3-year support lifecycle. We anticipate offering Keycloak-based SSO as a service on Red Hat OpenShift Container Platform and Red Hat Mobile Application Platform, and as a federated identity provider for Red Hat OpenStack Platform.

The long-term vision is that Keycloak can be used to centralize user and client identities and to federate identity providers. This will stretch across existing infrastructure such as internal user directories or external cloud-based identity providers, such as social networks, and will provide SSO and identity federation across Red Hat products.

  1. Red Hat SSO is among the neatest projects to come out of the company. I am super excited at its potential :). Keep up the great work!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s