Red Hat recently released a new web single sign-on (SSO) server, based on the upstream Keycloak project. You now have a fully supported, out-of-the-box SAML 2.0 or OpenID Connect-based identity provider: it obtains identity information from your enterprise user directory or a third-party identity provider and conveys it to your applications via standards-based tokens. Keycloak is the next-generation replacement for PicketLink in the JBoss middleware technologies. Eventually, Keycloak will also provide single sign-on for Red Hat Cloud Suite and management products like Red Hat Satellite.
At its core, Keycloak is a SAML 2.0 or OpenID Connect-based identity provider.
More in-depth information on features and configuration is available on the Customer Portal.
Keycloak has a central identity server, and clients connect to it through their identity management configuration, assuming they have the appropriate adapter or module.
Keycloak supports a number of different clients:
- Red Hat JBoss Enterprise Application Platform 6.4 and 7.0
- Red Hat Fuse 6.2 (as tech preview)
- Red Hat Enterprise Linux 7.2, through the mod_auth_mellon module for SAML 2.0
Keycloak can be used for user federation with LDAP-based directory services, including:
- Microsoft Active Directory
- RHEL Identity Management
Additionally, Keycloak supports SPNEGO-based Kerberos with both Microsoft Active Directory and RHEL Identity Management.
Keycloak integrates with social login providers for user authentication, including:
The Keycloak server, identity realms, and clients can be administered through a web-based GUI or through REST APIs. This allows you to completely design the single sign-on environment, including user and role mapping, client registration, user federation, and identity brokering operations.
Subscriptions and support lifecycle
Single sign-on is currently available via the JBoss Core Services Collection, on a 3-year support lifecycle. We anticipate offering Keycloak-based SSO as a service on Red Hat OpenShift Container Platform and Red Hat Mobile Application Platform, and as a federated identity provider for Red Hat OpenStack Platform.
The long-term vision is that Keycloak can be used to centralize user and client identities and to federate identity providers. This will stretch across existing infrastructure such as internal user directories or external cloud-based identity providers, such as social networks, and will provide SSO and identity federation across Red Hat products.