Security
Reader small image

You're reading from  Keycloak - Identity and Access Management for Modern Applications - Second Edition

Product typeBook
Published inJul 2023
PublisherPackt
ISBN-139781804616444
Edition2nd Edition
Tools
Keycloak
Concepts
Cybersecurity
Right arrow
Authors (2):
Stian Thorgersen
Stian Thorgersen
author image
Stian Thorgersen

Stian Thorgersen started his career at Arjuna Technologies building a cloud federation platform, years before most companies were even ready for a single-vendor public cloud. He later joined Red Hat, looking for ways to make developers' lives easier, which is where the idea of Keycloak started. In 2013, Stian co-founded the Keycloak project with another developer at Red Hat. Today, Stian is the Keycloak project lead and is also the top contributor to the project. He is still employed by Red Hat as a senior principal software engineer focusing on identity and access management, both for Red Hat and for Red Hat's customers. In his spare time, there is nothing Stian likes more than throwing his bike down the mountains of Norway.
Read more about Stian Thorgersen

Pedro Igor Silva
Pedro Igor Silva
author image
Pedro Igor Silva

Pedro Igor Silva is a proud dad of amazing girls. He started his career back in 2000 at an ISP, where he had his first experiences with open source projects such as FreeBSD and Linux, as well as a Java and J2EE software engineer. Since then, he has worked in different IT companies as a system engineer, system architect, and consultant. Today, Pedro Igor is a principal software engineer at Red Hat and one of the core developers of Keycloak. His main area of interest and study is now IT security, specifically in the application security and identity and access management spaces. In his non-working hours, he takes care of his planted aquariums.
Read more about Pedro Igor Silva

View More author details
Right arrow

Managing Users

In the previous chapters, you learned how to deploy, run, and use Keycloak to authenticate and authorize users in your applications. You also learned how to manage users in Keycloak to run some of the examples in this book.

In this chapter, we are going to take a closer look at the capabilities provided by Keycloak that are related to identity management and federation, such as how users are created and managed, how users can manage their own accounts, how to manage credentials, and how to integrate with different identity stores and identity providers to authenticate users and fetch their information through open protocols such as OpenID Connect, Security Assertion Markup Language (SAML), and Lightweight Directory Access Protocol (LDAP).

In this chapter, we will cover the following topics:

  • Managing local users
  • Integrating with LDAP and Active Directory
  • Integrating with social identity providers
  • Integrating with third-party identity...

Technical requirements

Check out the following link to see the Code in Action video:

https://packt.link/wrTJi

Managing local users

In the previous chapters, you had to create users in Keycloak to run some of the examples provided in this book. In this section, we are going to deep-dive into some key capabilities provided by Keycloak to manage your users once they are stored in Keycloak’s internal database. From now on, whenever you read about a local user, you can think of it as a user stored in a Keycloak database.

As an identity management solution, Keycloak gives you several capabilities to manage user identities. In this section, we will look at the following topics:

  • How to create users
  • How to manage user credentials
  • How to obtain and validate user information
  • How to enable user self-registration
  • How to extend user information using attributes

In the next section, we are going to start our journey by looking at how to create a local user in Keycloak.

Creating a local user

To create a new user in Keycloak, click on the Users...

Integrating with LDAP and Active Directory

Many organizations still use an LDAP directory as their single source of truth for digital identities. Keycloak allows you to integrate with different LDAP server implementations so that you can leverage your existing security infrastructure and use all the authentication and authorization capabilities provided by Keycloak.

Keycloak can integrate using LDAP in different ways; it can act as a stateful broker where data from your LDAP directory is imported into the Keycloak database, as well as kept in sync with your LDAP directory, or it can act as a stateless broker delegating credential verification to your LDAP directory. You should also be able to set up multiple LDAP directories within a single realm and configure a priority order that Keycloak should respect when authenticating users.

In Keycloak, the term “user federation” refers to the capability to integrate with external identity stores. LDAP is a form of user...

Integrating with third-party identity providers

Keycloak can integrate with third-party identity providers using a set of open standard protocols.

In the previous section, you learned about user federation and how to easily integrate with LDAP. Now, you are going to learn about brokering and how to leverage user federation to create cross-domain trust between Keycloak and an identity provider using standard authentication protocols, where the identity data about users is shared and used by Keycloak to create, authenticate, and authorize users.

Integration with third-party identity providers is made possible by using Keycloak as an identity broker, where Keycloak acts as an intermediary service for authenticating and replicating users from a targeted identity provider.

Identity brokering can solve different types of problems. As we will see in the next section, it can be used to integrate with social providers, as an integration point for a legacy identity and access management...

Integrating with social identity providers

A common requirement for applications that use Keycloak is the possibility to authenticate users using different social providers, such as Google, GitHub, Instagram, and Twitter.

Integration with social providers follows the same principles that you learned about in the previous section, where Keycloak acts as a broker to authenticate and exchange identity data about users using a well-known and open standard security protocol.

To integrate with a social provider, click on the Identity Providers link in the left-hand side menu.

Keycloak allows you to select from different social providers. To integrate with them, you only need to fill in some information, which you usually obtain from the social provider you are integrating with.

Let’s configure GitHub as a social provider to allow users to authenticate using their GitHub account. Firstly, make sure you have a valid GitHub account. If not, you can create one at https...

Allowing users to manage their data

In the previous sections, you learned how to manage users through the admin console as an administrator. You also learned that users can self-register in a realm. However, one of the main capabilities of Keycloak is to also allow users to manage their own accounts through a service called Keycloak account console.

The Keycloak account console is a regular application provided by Keycloak and is where users can manage their own accounts. They can also do the following:

  • Update their user profile
  • Update their password
  • Enable second-factor authentication
  • View applications, including what applications they have authenticated to
  • View open sessions, including remotely signing out of other sessions

To access the account console, open http://localhost:8080/realms/myrealm/account/ in a browser. You will be redirected to a welcome page, as follows:

Figure 10.10: The Keycloak account console

To log...

Summary

In this chapter, you were presented with the main aspects of user management in Keycloak. You learned that users can be created directly in Keycloak or by integrating with different third-party identity providers and external identity stores. You also learned that Keycloak enables these integrations by leveraging open standard protocols such as OpenID Connect, SAML, and LDAP. You also learned that users are provided with capabilities to sign up for a realm, either by enabling self-registration to a realm or by integrating with a third-party provider. Finally, you learned that users can also manage their accounts through the Keycloak account console.

In the next chapter, we are going to look at how users can authenticate using different credentials, as well as how Keycloak is the perfect fit for strong authentication.

Questions

  1. Can I integrate my own user database with Keycloak?
  2. Does Keycloak query the LDAP directory every time the user authenticates?
  3. How do I differentiate users that have been created using a third-party or social identity provider?

Further reading

For more information on the topics that were covered in this chapter, you can refer to the following links:

Join our community on Discord

Join our community’s Discord space for discussions with the authors and other readers:

https://packt.link/SecNet

lock icon
The rest of the chapter is locked
Previous Chapter
Chapter 11 of 18
Next Chapter
You have been reading a chapter from
Keycloak - Identity and Access Management for Modern Applications - Second Edition
Published in: Jul 2023Publisher: PacktISBN-13: 9781804616444
© 2023 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
undefined
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at €14.99/month. Cancel anytime

Authors (2)

author image
Stian Thorgersen

Stian Thorgersen started his career at Arjuna Technologies building a cloud federation platform, years before most companies were even ready for a single-vendor public cloud. He later joined Red Hat, looking for ways to make developers' lives easier, which is where the idea of Keycloak started. In 2013, Stian co-founded the Keycloak project with another developer at Red Hat. Today, Stian is the Keycloak project lead and is also the top contributor to the project. He is still employed by Red Hat as a senior principal software engineer focusing on identity and access management, both for Red Hat and for Red Hat's customers. In his spare time, there is nothing Stian likes more than throwing his bike down the mountains of Norway.
Read more about Stian Thorgersen

author image
Pedro Igor Silva

Pedro Igor Silva is a proud dad of amazing girls. He started his career back in 2000 at an ISP, where he had his first experiences with open source projects such as FreeBSD and Linux, as well as a Java and J2EE software engineer. Since then, he has worked in different IT companies as a system engineer, system architect, and consultant. Today, Pedro Igor is a principal software engineer at Red Hat and one of the core developers of Keycloak. His main area of interest and study is now IT security, specifically in the application security and identity and access management spaces. In his non-working hours, he takes care of his planted aquariums.
Read more about Pedro Igor Silva

Personalised recommendations for you

Based on your interests and search pattern

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.

BookAug 2023338 pages
Automotive Cybersecurity Engineering Handbook

Automotive Cybersecurity Engineering Handbook

This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.

BookOct 2023392 pages
Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.

BookAug 2023496 pages
Cloud Penetration Testing for Red Teamers

Cloud Penetration Testing for Red Teamers

The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.

BookNov 2023298 pages
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.

BookSep 2023316 pages5
Burp Suite Cookbook

Burp Suite Cookbook

Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.

BookOct 2023450 pages
Building and Automating Penetration Testing Labs in the Cloud

Building and Automating Penetration Testing Labs in the Cloud

This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.

BookOct 2023562 pages
Ethical Hacking Workshop

Ethical Hacking Workshop

As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.

BookOct 2023220 pages
Windows Forensics Analyst Field Guide

Windows Forensics Analyst Field Guide

This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.

BookOct 2023318 pages
Implementing DevSecOps Practices

Implementing DevSecOps Practices

This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.

BookDec 2023258 pages