IDENTITY MANAGEMENT IN THE 21ST CENTURY

Arjan Lamers

Software architect Conclusion

ABOUT CONCLUSION

• 2000 employees

• 200 mln turnover

• Privately owned

• 2 divisions: IT services and Organisation services

• RedHat: Infrastructure services, Data & Integration services, Application services

1 2 3

Social Networking Cloud Computing Mobile Communications

GARTNER’S THE NEXUS OF FORCES

Integrated Single Sign On / Identity

management system by Red Hat

WHAT IS IDENTITY MANAGEMENT?

• Identification

• Who are you?

• Authentication

• Can you proof that?

• Authorization

• What are you allowed to do?

• Integrated SSO and

IDM for browser apps

and RESTful web

services.

• Built on top of the

OAuth 2.0, Open ID

Connect, JSON Web

Token (JWT) and

SAML 2.0

specifications.

WHY KEYCLOAK?

• Why not DIY

• Security is hard

• Modern use-cases are complex

WHY NOT DIY

• Learning a new product takes time

• It’s faster typing such a trivial thing myself

WHY NOT DIY

• Just a user name + password is not much work

• But how about:

• Password reset / forgot password

• Create account

• Update account

• Assigning roles

• Change password

WHY NOT DIY

• Building all those features is just plain boring

DIY LOGIN

• Creating a “user” table with passwords is easy

DIY LOGIN

• Creating a “user” table with passwords is easy

• What about hashing?

• Which hashing algorithm?

• Salting?

• Password policies?

DIY LOGIN

• Looked ok: 36 million passwords protected by bcrypt

• Only 0.0668% (+- 4000 very weak passwords) recovered after 5 days of non-stop computing

• They did their research

• Looked ok: 36 million passwords protected by bcrypt

• Only 0.0668% (+- 4000 very weak passwords) recovered after 5 days of non-stop computing

• Until a bug was found in the Ashley Madison code…

• 11 million passwords recovered in the next 5 days

• Even if you did your research, it doesn’t guarantee a correct implementation

USER FEDERATION• Why not use accounts people already have?

• Social media

• Or corporate databases

MODERN ARCHITECTURE

MODERN ARCHITECTURE

MODERN ARCHITECTURE

MODERN USE CASES

• And what about SaaS providers?

MODERN USE CASES

I want to have a single store of users I want a single login We don’t want to store users

MODERN IDENTITY MANAGEMENT

• Different protocols, conventions, naming

• OAuth2 – Yahoo/Facebook/Google

• I want to share my album with that application

• SAML – B2B/SaaS

• I want to give that user access to that service

• OpenID Connect, SAML 2.0

• Social Broker, Identity Broker.

• LDAP/Active Directory integration

• User Registration, Recaptcha, TOTP

• Fully Customizable

• Admin Console & REST API

• Deployable as a WAR, appliance, or an

Openshift cloud service (SaaS).

• Supports multiple client platforms

• User profile CRUD, Revocation

policies, Password policies,

Impersonation.

CASE STUDY

• At an internet core services company we use Keycloak for:

• Protecting an existing JEE application

• Delegating User Federation to LDAP

• Role based authentication

.NL

CASE STUDY

• At an agriculture data company, we are building using Keycloak:

• Protecting microservices

• Complex authorisation rules

• With different security levels

• Using governmental provided identities

CLOUD DONE DIFFERENTLY

Visit us at our stand at Red Hat Forum Benelux 2015