What is SSO and why is it worth using?

Single Sign-On is a feature that allows your employees to authenticate their identity once within a given system, instead of doing it every time they access a different company application. It also lets you simplify your apps – there’s no need to create various login forms and authentication mechanisms, and you don’t need to deal with user storage either.

In this article, we’ll show you how to enable SSO in your apps with the use of Keycloak – a well-known and secure solution we’ve used in several projects developed for our clients.

What is Keycloak?

Keycloak is a Java-based, open-source Identity and Access Management tool developed by an American software company called Red Hat – the one you may know for its contributions to GNOME and many other open-source projects. It allows you to securely authenticate and authorize users in your applications.

How does it work? It’s pretty simple. Instead of logging into every single application, users do it once on the Keycloak authentication page. After they provide valid identification data (username and password), the technology verifies their identity and creates a one-time verification code that gets extracted by the app and exchanged for an ID, access, and refresh token. Based on that, the system either grants or denies the user access.

Keycloak – main advantages

Here are some of the biggest benefits offered by Keycloak.

Great SSO without a costly investment in custom software

Keycloak allows you to get a great quality SSO system without creating custom software solutions (which can be very costly and time-consuming). Moreover, you don’t have to pay licensing and maintenance fees.

Main business benefit: you save substantial time and money.

Easy setup and integration

Keycloak is incredibly easy to set up and integrate with your apps and the process requires little to no coding skills. What’s more, you have plenty of deployment options. You can use Keycloak on-premise, but also deploy it on the cloud such as the Azure Kubernetes Service. It all depends on your particular needs.

When it comes to the front end, you can use customizable, pre-made elements such as screens for user processes (password change, log-in, etc.) and GUIs (graphical user interfaces). Forms and libraries allow you to take care of the security flow.

The back end is also pretty easy to take care of. There’s a handy REST API you can use to connect Keycloak to your systems and handle token refreshes, etc.

You can set up a complete logging mechanism using popular social networks, SAML 2.0 Identity Providers (IdP), an existing OpenID Connect, or Active Directory / LDAP servers.

Main business benefit: fast integration means faster implementation of the app in your company. You also have the flexibility to integrate with your existing systems, so there’s no need for additional costly development.

Top-of-the-line security

There’s no issue that’s more important for an access control system than security – it could be argued that’s the whole point of its existence.

The common sense approach is to use solutions that have been tried and tested by other companies – after all, it’s certainly better to learn from someone’s example than be a source of such a lesson for others. Keycloak is one of the best and therefore most tested and well-known options on the market.

Main business benefit: top-of-the-line security tested by many other organizations. In fact, most of your security needs can be covered just with Keycloak.

Do you need help with building a truly secure system with a Single Sing-On functionality? We’ve done it many times. Write us at hello@pretius.com – we’ll see what we can do for you!

A powerful feature set

Here are some of the features offered by Keycloak:

• Roles and subgroups – Keycloak allows you to assign users to individual roles and subgroups. You can also assign specific components – such as GUI elements or API functions – to them. This lets you limit the access of certain people and positions to parts of the application, to reflect company structure and the division of responsibilities.
• Central administration management – you can manage the administration centrally via Keycloak Admin Console and Account Management Console. The first one allows you to manage users’ permissions and sessions and limit access to features. The second one lets users modify their own accounts.
• Impersonation – it allows certain users – such as members of the customer support team – to “impersonate” someone in order to retrace their steps and help them with their problems.
• Advanced password policy – you can decide how complex the passwords in your organization are to be. Keycloak allows you to set minimum length, require people to use lowercase, uppercase, and special characters, or limit their ability to do so. It’s up to you and the security standards in your company.
• Plugin-based architecture – adding new functionalities to Keycloak is often as easy as installing a plugin. You don’t have to change elements of the entire system through development which, once again, means you save money.

Main business benefit: great adaptability and scalability. You get a modern, feature-rich access management system that scales along with your business as it grows. You can also further expand the solution’s functionality depending on your needs and it doesn’t require a big investment.

Ongoing development

Despite its age (the first release was in September 2014), Keycloak is still an evolving technology. New versions get published periodically – the last stable build showed up on GitHub on January 13, 2023, so a little bit over a month ago. What this means is that the tool still gets new features and enhancements.

There’s also a pretty big and active community around Keycloak. The developers who form it create great plugins, and are always ready to answer burning questions. If you need help with something, you can simply ask (on the aformentioned GitHub page, for example, but there are also many Keycloak-related threads on Stack Overflow).

Main business benefit: despite many years on the market, Keycloak is not legacy technology. You have access to updates and a thriving community.

Learn from our experience – a Pretius project with the Keycloak authentication system

We’ve used Keycloak during a project for a large European construction business, for which we’ve created several systems – self-care, administrative, and various microservices – used both by the company’s employees and partners from outside (contractors).

We’ve decided on Keycloak for a number of reasons:

• It uses OpenID Connect which is a well-known standard
• It’s open-source and free, unlike some of the competition (like Okta)
• It’s well-known and battle-tested, and there aren’t, in fact, that many solutions like that (we’ve considered Keycloak, Okta, and CAS, but we’ve had previous experience with that last solution and we decided we want something different)
• There are many examples of successful front-end and back-end integrations, Keycloak has a dedicated JavaScript library, andou can use universal libraries for Java
• It’s easy to customize thanks to Java-based extensions
• There are many ready-made extensions on the Internet
• It fulfilled many of our project requirements out of the box
• It has an administrative panel by default
• Keycloak has a well-documented administrative API which you can use, for example, to manage users from microservices

Our Keycloak implementation works like this: we’ve built a Keycloak’s Docker image which runs on Kubernetes. Keycloak’s public API is visible to “the world” (i.e., all users who know of the system), whereas the administrative API is hidden and available only in the interior network.

We’ve had to write several custom extensions, and we’ve implemented Configuration as Code (CaC). Thanks to this, the configuration changes are now implemented automatically – administrators don’t have to make them in every environment. We’ve used the keycloak-config-cli tool which is available on GitHub.

The end result? Users of all of the company’s systems and microservices can now use the Keycloak SSO system to log in.

Helpful tips from our Developers

Here are a couple of tips from our talented devs that should help you implement Keycloak in your project without too many problems:

1. Get to know the authorisation and authentication standards (OAuth, OpenID Connect)
2. Be skeptical about the idea of extending the solution. Adapt to existing functions first, and extend only if necessary. This component is responsible for authentication and authorization, so there is no room for error here
3. When implementing Identity Access Management on your own, you need to ensure HA, scaling, backups, etc.
4. Choose the “owner” of the solution. This is a very specific component in the ecosystem and, in our experience, it’s not always evident who’s responsible for it
5. Before you start with the implementation, you need to establish standards for the use of IAM in the organization, processes for assigning/reporting permissions, and policies regarding the quality of passwords (length, characters, expiration time, etc.)
6. In the case of an external identity provider (e.g., the Active Directory of the organization), you also need to prepare appropriate permissions for Keycloak, network copies to AD and define the scope of data downloaded from the source system. Integrating systems must confirm the ability to authenticate users on the front end (standard OIDC mode), and back-end systems must confirm the ability to authenticate in the “client credentials” mode. Each system accepting certified queries must be able to verify the correctness of these credentials (in the case of JSON Web Tokens – the validity and token signature, claims with permissions)

Summary: Consider Keycloak as your access management solution

Keycloak is a great IAM option. It helps you optimize costs and keep time to market in check, and it provides top-notch security – based on a tried-and-tested solution. The tool is also very adaptable (especially when you already have Java in your tech stack), scalable, and still updated with new features. You seriously can’t go wrong with it, and in many cases, it’s a much better choice than going for a costly custom software development.

If you need any help with Keycloak implementation or don’t know how to properly configure the single sign-on, reach out to us at hello@pretius.com, and make use of our experience!

Keycloak SSO – FAQ

Here are some frequently asked questions regarding Keycloak Single Sign-On.

What is Keycloak?

Keycloak is an open-source software solution designed to provide single sign-on access to applications and services. It allows users to authenticate once and access multiple applications without needing to re-enter their credentials.

What’s the newest version of Keycloak?

At the time of writing this article, the newest version of Keycloak is 20.0.3 released in January 2023.

How to use Keycloak?

Keycloak is easy to set up and use and can be deployed on-premise or in the cloud. You can integrate with existing applications and systems. Keycloak provides a secure way of authenticating users and allows them to access various resources and services with a single set of credentials.

How Keycloak works?

Keycloak stores and manages user information, permissions, and other configuration data, as well as information regarding the authentication methods used for each application. The solution supports a range of authentication protocols, including OpenID Connect, SAML, and OAuth2.

Once a user logs in to the Keycloak server, they are authenticated and their identity is verified. The user’s identity is then mapped to the applications they are allowed to access. Keycloak’s authorization system allows administrators to define what apps particular users can access and what they can do within those systems.