How can you secure your applications with Keycloak

19 Nov, 2020

Information Technology firms use many applications and service providers while developing software products or providing software services. An Identity and Access Management (IAM) framework is essential in every firm to ensure that only authorized users, programs, and devices can access critical applications. By using a dependable and easy-to-use IAM framework like Keycloak, companies can secure their applications and manage users across the organization. Keycloak can be customized to your organization's needs and provides benefits like Single Sign-On (SSO), User Federation, and additional third-party security.

Security with Keycloak

Keycloak runs as a server on your organization's network, and all applications used in your organization point to that server. When a user program calls any of these applications or Service Providers (SPs), the request is redirected to the Keycloak sign-in page. Once authenticated, the user can access the other allowed web applications without being prompted for login credentials again. User information and metadata are stored on the Keycloak server; from this information a security token is generated and sent to the applications for subsequent authentication. When a client calls a RESTful web service, a similar security token is sent to the REST-based service for authentication.

When the user logs out of Keycloak, the user is logged out of all the applications they signed in to.

Customizing Keycloak to your Organization

Keycloak facilitates Role-Based Access Control (RBAC) and extends the setup that already exists in your organization. Your admin maps users or groups of users to roles such as admin, manager, or employee using a comfortable user interface customized to your organization's needs. Too many or too specific roles make the application hard to manage. A user may have zero, one, or several roles. Roles can also be composite: a composite role inherits other sub-roles, so a user holding that role also gets the rights of the sub-roles. A set of users, their credentials, roles, and groups is managed as a realm. Realms are isolated and can only authenticate the users that they manage.
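The paragraph above describes three mechanics (roles assigned directly or through groups, composite roles that pull in sub-roles, and realms that only answer for their own users). The following Go program is an added illustration written for this article; it is not Keycloak's code and does not use Keycloak's API. The realm name, role names, group and user names are all constructed for the demo. It goes slightly beyond the text by showing that a composite-role walk needs a visited set so that an accidentally circular role definition cannot loop forever.

```go
package main

import (
	"fmt"
	"sort"
)

// User is what a realm stores about a principal: directly assigned roles and
// group memberships (credentials are left out of this example).
type User struct {
	Roles  []string
	Groups []string
}

// Realm is the isolated unit of administration: users, groups and role
// definitions. Composites maps a role to the sub-roles it includes.
type Realm struct {
	Name       string
	Composites map[string][]string
	GroupRoles map[string][]string
	Users      map[string]User
}

// EffectiveRoles returns every role a user ends up with: directly assigned
// roles, roles inherited through groups, and the transitive expansion of
// composite roles. The seen set makes the walk terminate even if an admin
// accidentally defines a cycle (admin -> manager -> admin).
// The second result is false when this realm does not manage the user; no
// other realm is consulted, which is what realm isolation means in practice.
func (r *Realm) EffectiveRoles(username string) ([]string, bool) {
	u, ok := r.Users[username]
	if !ok {
		return nil, false
	}
	seen := map[string]bool{}
	var walk func(role string)
	walk = func(role string) {
		if seen[role] {
			return
		}
		seen[role] = true
		for _, sub := range r.Composites[role] {
			walk(sub)
		}
	}
	for _, role := range u.Roles {
		walk(role)
	}
	for _, g := range u.Groups {
		for _, role := range r.GroupRoles[g] {
			walk(role)
		}
	}
	out := make([]string, 0, len(seen))
	for role := range seen {
		out = append(out, role)
	}
	sort.Strings(out) // deterministic order for logging and comparison
	return out, true
}

// ContainsRole is the access decision an application makes from the expanded roles.
func ContainsRole(roles []string, want string) bool {
	for _, r := range roles {
		if r == want {
			return true
		}
	}
	return false
}

// NewDemoRealm builds a small constructed realm: roles nested as
// admin -> manager -> employee, one group, and two users.
func NewDemoRealm() *Realm {
	return &Realm{
		Name: "demo",
		Composites: map[string][]string{
			"admin":   {"manager"},
			"manager": {"employee"},
		},
		GroupRoles: map[string][]string{
			"engineering": {"employee", "repo-read"},
		},
		Users: map[string]User{
			"alice": {Roles: []string{"admin"}},
			"bob":   {Groups: []string{"engineering"}},
		},
	}
}

func main() {
	r := NewDemoRealm()
	for _, name := range []string{"alice", "bob", "carol"} {
		roles, ok := r.EffectiveRoles(name)
		fmt.Printf("%s managed=%v roles=%v admin=%v\n", name, ok, roles, ContainsRole(roles, "admin"))
	}
}
```

Running it shows alice holding admin, manager and employee through the composite chain, bob holding only what the engineering group grants, and carol being rejected outright because the demo realm does not know her.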

Keycloak needs to be installed in each application environment as a plug-in. Applications are isolated from the password the user enters: they grant access according to the metadata the Keycloak server sends in an encrypted token. This metadata is called an assertion and contains information such as the user's email address, the groups the user belongs to, and the roles assigned by the admin.
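The token flow described in the two passages above (the identity server mints a token after sign-in; each application or REST service then authenticates the caller from that token rather than from a password) is easiest to see in code. The Go program below is an added example for this article, not Keycloak's implementation: it mints and verifies a JWT signed with RS256, which is the shape of a Keycloak access token, but the issuer URL, audience name, claim values and the choice to model `aud` as a single string are all assumptions made here. The point for a defender is the order of checks in `Verify`: pin the algorithm, verify the signature with the realm's public key, then check issuer, audience and expiry, and only then read roles out of the assertion.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of a Keycloak-style access token a resource server inspects.
// Realm roles live under realm_access.roles; modelling aud as one string is this example's assumption.
type Claims struct {
	Iss         string `json:"iss"`
	Aud         string `json:"aud"`
	Exp         int64  `json:"exp"`
	RealmAccess struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
}

var enc = base64.RawURLEncoding // JWT segments are base64url without padding

// decodeSegment base64url-decodes one JWT segment and unmarshals its JSON.
func decodeSegment(seg string, v interface{}) error {
	raw, err := enc.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Mint builds and signs the token the way the identity server does (RS256 over
// header.payload); the realm's private key never leaves that server.
func Mint(key *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(c) // Claims always marshals, so the error is ignored here
	input := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// Verify is the check each application or REST service performs on a received token:
// pin the algorithm, verify the signature with the realm public key, then check
// issuer, audience and expiry before trusting any claim inside.
func Verify(pub *rsa.PublicKey, token, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var header struct{ Alg string `json:"alg"` }
	if decodeSegment(parts[0], &header) != nil || header.Alg != "RS256" {
		return nil, errors.New("unexpected alg") // the token never gets to choose "none" or HMAC
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := enc.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer {
		return nil, errors.New("wrong issuer")
	}
	if c.Aud != audience {
		return nil, errors.New("token issued for another service")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// HasRole is the RBAC decision a service makes from the verified assertion.
func HasRole(c *Claims, role string) bool {
	for _, r := range c.RealmAccess.Roles {
		if r == role {
			return true
		}
	}
	return false
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the realm signing key (constructed)
	c := Claims{Iss: "https://sso.example.test/realms/demo", Aud: "orders-api", Exp: time.Now().Add(5 * time.Minute).Unix()}
	c.RealmAccess.Roles = []string{"employee", "manager"}
	tok, _ := Mint(key, c)
	got, err := Verify(&key.PublicKey, tok, c.Iss, "orders-api", time.Now())
	fmt.Println(err, got != nil && HasRole(got, "manager"))
}
```

In a deployment the public key in `Verify` comes from the realm's published key set rather than from a key generated in the same process, and the service checks that the audience is its own client id, so a token minted for one service cannot be replayed against another.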

You can also opt for two-step authentication for better protection. Admins can choose to prompt the user for a one-time password (OTP) received on their mobile device before using the application. Keycloak uses the FreeOTP and Google Authenticator applications to generate and manage OTPs.
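FreeOTP and Google Authenticator both implement TOTP (RFC 6238, built on HOTP from RFC 4226), so the server side of the OTP step is small enough to show in full. The Go program below is an added example for this article, not Keycloak's OTP code: it derives the code the authenticator app displays, verifies a submitted code with one step of clock tolerance in constant time, and builds the `otpauth://` provisioning string that is normally shown as a QR code at enrolment. The realm and account names are constructed, and the shared secret is the RFC 6238 test-vector key, used here only so the results can be checked against the published vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"net/url"
	"strconv"
	"time"
)

// HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation,
// then the low `digits` decimal digits, zero-padded.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := (uint32(h[off])&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// TOTP (RFC 6238) is HOTP with the counter derived from the clock: the number of
// `step`-sized intervals since the Unix epoch (authenticator apps use 30 seconds).
func TOTP(secret []byte, at time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(at.Unix()/int64(step/time.Second)), digits)
}

// VerifyTOTP is the server-side check. It tolerates one step of clock drift in
// either direction and compares in constant time so that response timing does
// not reveal how many leading digits of a guess were right.
func VerifyTOTP(secret []byte, candidate string, at time.Time, step time.Duration, digits int) bool {
	for _, skew := range []time.Duration{-step, 0, step} {
		expected := TOTP(secret, at.Add(skew), step, digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(candidate)) == 1 {
			return true
		}
	}
	return false
}

// ProvisioningURI is the otpauth:// string encoded in the QR code that FreeOTP or
// Google Authenticator scans during enrolment; the secret travels base32-encoded.
func ProvisioningURI(issuer, account string, secret []byte, digits int, step time.Duration) string {
	q := url.Values{}
	q.Set("secret", base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret))
	q.Set("issuer", issuer)
	q.Set("digits", strconv.Itoa(digits))
	q.Set("period", strconv.Itoa(int(step/time.Second)))
	return "otpauth://totp/" + url.PathEscape(issuer+":"+account) + "?" + q.Encode()
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector key, constructed for the demo
	now := time.Now()
	fmt.Println(ProvisioningURI("demo-realm", "alice", secret, 6, 30*time.Second))
	code := TOTP(secret, now, 30*time.Second, 6)
	fmt.Println(code, VerifyTOTP(secret, code, now, 30*time.Second, 6))
}
```

A production verifier additionally remembers the last counter value it accepted for each user, so that a code observed over someone's shoulder cannot be submitted a second time inside the drift window.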

Advantages of Using Keycloak

Security is hard to get right, and it is easy to leave gaps. It is not easy for administrators and application developers to build secure systems. Developers need not be burdened with the additional task of making applications and service providers secure; that task is safer in the hands of security experts, which is what Keycloak provides.

It is easier and safer to protect a single server dedicated to identity management and security than every server that runs the various service providers.

Keycloak also offers various other advantages, as given below.


After the pandemic, imagine that when you enter your office a security guard asks you for your employee ID and signature before you pass the gate. As you use the lift, you are asked again for your credentials, again when you enter your cabin, again when you use the coffee room, again at your friend's cubicle, again at the conference room, and so on. It is frustrating, even for a genuine employee like you, to keep proving you are who you say you are. So instead you are given an access card with your information stored in it, and the admin maps your details and allows you to access the zones you need so you can work smoothly at the office.

Keycloak works with your admin to give you the same convenience when using web applications. It encapsulates your identity in a security token and communicates with the various service providers, so you do not have to enter your credentials again and again. Just as you would want reliable security personnel at the gate, you need security experts like Keycloak to handle your SSO needs.

Security above LDAP and Active Directory

Though LDAP and Active Directory are widely used, they are not meant for user authentication. They are meant to facilitate convenient and secure directory access. You need security systems built on robust protocols like OpenID Connect or SAML 2.0 to secure your applications.

User Federation

Keycloak facilitates implementing SSO using User Federation across organizations, and across security domains and business units within an organization. Such trust relationships are enforced by third-party Identity Providers like Keycloak.

For more information, please visit: LDAP Weaknesses as a Central Authentication System

Divya Prathima
The author was a Java developer at coMakeIT before becoming a stay-at-home mom. She slowed down to make art, tell stories, read books on fiction, philosophy, science, and art history, write about science and parenting, and observe technology trends. She loves to write and aspires to someday write simple and understandable articles like Yuval Noah Harari. We are very happy to have her back at coMakeIT contributing to our relevant and thought-provoking content.
