Getting Started With The Keycloak Single Sign-On Operator

Modern application environments are complex and getting more complex every day. The environments need to support multiple deployment infrastructures, application architectures, programming languages, and frameworks. 

It can be challenging and time-consuming for operations and development teams to be experts in all of the different technologies in order to install, configure, and maintain them. Kubernetes operators help streamline the installation, configuration, and maintenance complexity.

Keycloak is a single sign-on solution for web apps and RESTful web services. The goal of Keycloak is to make it easy for application developers to secure their apps and services. Security features that developers normally have to write for themselves are provided out of the box and are easily customizable to the individual requirements.

Keycloak supports standard protocols such as OAuth 2.0, OpenID Connect, and SAML 2.0. It provides a number of features, including:

  • Acts as a centralized authentication server
  • Provides user federation to sync users from LDAP and Active Directory servers
  • Integrates with 3rd party identity providers including social networks
  • Provides REST APIs and an administration GUI for central management of users, roles, role mappings, clients, and configuration

The installation and configuration of the Keycloak SSO server on OpenShift can now be automated using the operator. The operator creates the following Kubernetes resources:

  • Keycloak Server
  • Keycloak Realm
  • Keycloak Backup
  • Keycloak Client
  • Keycloak User

[Video] Getting Started With The Keycloak SSO Operator

If you are interested in learning more, take a look at the following resources:

Announcing: Red Hat Single Sign-On 7.1 Beta Is Available

We are excited to announce beta availability of Red Hat Single Sign-On 7.1 (RH-SSO). RH-SSO is a standards-based, out-of-the-box authentication, web single sign-on, and authorization service. It sits between your enterprise user directory or third-party identity provider, which supplies identity information, and your applications, which receive that information via standards-based tokens.

Beta documentation and code downloads are available in the Customer Portal. RPM packages are available for Linux systems through Red Hat Subscription Management.

Features and Highlights


Seamless developer portal authentication with 3scale and RHSSO


About four months ago, Red Hat announced that it was acquiring 3scale. (Almost two years ago, Red Hat and 3scale announced a joint solution relationship for 3scale’s API Management Platform and Red Hat’s Middleware portfolio.) As the acquisition settles in, 3scale is already starting to integrate with middleware products, which will strengthen developers’ abilities to design and implement API initiatives and services.

This first point of integration is between the 3scale Management Platform and Red Hat Single Sign-On: more specifically, for the developer portal authentication.


Announcing Integrated Web Single Sign-On and Identity Federation

Red Hat recently released a new web single sign-on (SSO) server, based on the upstream Keycloak project. Now you have an out-of-the-box, fully supported SAML 2.0 or OpenID Connect-based identity provider that sits between your enterprise user directory or third-party identity provider, which supplies identity information, and your applications, which receive that information via standards-based tokens. Keycloak is the next-generation replacement for PicketLink in the JBoss middleware technologies. Eventually, Keycloak will also provide single sign-on for Red Hat Cloud Suite and management products like Red Hat Satellite.

Feature Overview

At its core, Keycloak is a SAML 2.0 or OpenID Connect-based identity provider.

There is more information on the Customer Portal to go in-depth into features and configuration.

Client Support

Keycloak has a central identity server, and clients connect to it through their identity management configuration, assuming they have the appropriate adapter or module.

Keycloak supports a number of different clients:

  • Red Hat JBoss Enterprise Application Platform 6.4 and 7.0
  • Red Hat Fuse 6.2 (as tech preview)
  • Red Hat Enterprise Linux 7.2, through the mod_auth_mellon module for SAML 2.0

Identity Federation

Keycloak can be used for user federation with LDAP-based directory services, including:

  • Microsoft Active Directory
  • RHEL Identity Management

Additionally, Keycloak supports SPNEGO-based Kerberos authentication with both Microsoft Active Directory and RHEL Identity Management.

Identity Brokering

Keycloak integrates with social login providers for user authentication, including:

  • Facebook
  • Google
  • Twitter

Administrative Interfaces

The Keycloak server, identity realms, and clients can be administered through a web-based GUI or through REST APIs. This allows you to completely design the single sign-on environment, including users and role mappings, client registration, user federation, and identity brokering operations.

Subscriptions and support lifecycle

Single sign-on is currently available via the JBoss Core Services Collection, on a 3-year support lifecycle. We anticipate offering Keycloak-based SSO as a service on Red Hat OpenShift Container Platform and Red Hat Mobile Application Platform, and as a federated identity provider for Red Hat OpenStack Platform.

The long-term vision is that Keycloak can be used to centralize user and client identities and to federate identity providers. This will stretch across existing infrastructure such as internal user directories or external cloud-based identity providers, such as social networks, and will provide SSO and identity federation across Red Hat products.