Keycloak: Your self managed Okta


In the realm of modern application development, identity and access management (IAM) has emerged as a critical cornerstone. It's the invisible guardian that ensures the right people have access to the right resources at the right time. While commercial solutions like Okta offer robust IAM capabilities, the allure of self-managed solutions like Keycloak is undeniable.
Journey Begins
I recently worked on a project where the client wanted to streamline their authentication processes and strengthen their security posture. The goal was to establish a unified, flexible, and secure IAM solution that could handle both SAML and OIDC-based authentication for their diverse range of applications. Keycloak, with its open-source nature, extensive feature set, and active community, seemed like the ideal candidate to fulfill their requirements.
The Challenge: Integrating AWS IAM
The organization heavily relies on AWS to power their infrastructure. They leverage AWS IAM to manage user identities, roles, and permissions, ensuring that the right individuals have access to the right resources. The challenge lay in seamlessly integrating Keycloak with AWS IAM, enabling Keycloak to leverage AWS for user authentication and authorization, while maintaining a streamlined and efficient user experience.
Initially, the aim was to integrate Keycloak directly with AWS IAM using a SAML-based approach. However, we ran into persistent "cookie_not_found" errors, despite following numerous articles, GitHub issues, and StackOverflow answers. This roadblock forced us to explore alternative approaches to achieve the desired integration.
Architecting the Solution
To overcome the limitations of direct SAML integration, we devised a novel approach that involved leveraging Amazon Cognito as an OIDC identity provider. This architectural shift allowed us to indirectly integrate Keycloak with AWS IAM, providing a reliable and secure authentication solution.
The architecture involved the following key components:
AWS IAM Identity Center:
Creating the SAML Application: We created a custom SAML application within the AWS IAM Identity Center. This application served as the bridge between AWS IAM and Cognito, enabling the exchange of authentication and authorization information.
Configuring the SAML Application: We meticulously set up the SAML application's attribute mappings using the provided entity ID, ACS URL, and other relevant parameters. These settings ensured that Cognito could communicate effectively with AWS IAM.
Generating Metadata: The generated metadata XML file, which contained the information about the SAML application that Cognito needs (entity ID, SSO endpoint, and signing certificate), was shared with Cognito to establish the trust relationship between the two systems.
Amazon Cognito:
Configuring the SAML Identity Provider: We configured the Cognito user pool to use the SAML application as an identity provider. This enabled Cognito to leverage the authentication and authorization capabilities of AWS IAM.
Adding User Attributes: We carefully added user attributes to the Cognito user pool to align with the specific requirements of our applications. These attributes were used to populate user profiles in Keycloak and to facilitate authorization decisions.
Creating a Cognito App Client for Keycloak: We created an app client within the Cognito user pool, designed specifically to interact with Keycloak. This app client was registered in Keycloak as an identity provider, enabling it to facilitate user authentication and authorization between Cognito and Keycloak seamlessly.
Keycloak:
Adding the OIDC Identity Provider: We added a new OIDC identity provider to Keycloak, specifically for the Cognito user pool. This provider allowed Keycloak to authenticate users against the Cognito user pool.
Configuring the OIDC Identity Provider: We meticulously configured the OIDC identity provider's settings, including the issuer URL, client ID, and client secret. These settings ensured that Keycloak could communicate securely with Cognito.
Mapping User Attributes: We established a comprehensive mapping between the attributes in the IAM Identity Center and the attributes in Keycloak. This mapping ensured that user information was accurately transferred between the two systems, allowing for seamless authentication and authorization.
Configuring Client Applications: We configured our client applications (e.g., web applications, mobile apps, microservices) to use Keycloak for authentication. This involved providing Keycloak with the necessary information about each client application, such as its client ID, client secret, and redirect URIs.
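The Cognito and Keycloak steps above can be scripted rather than clicked through. The following is an added example, not code from the article or from the Keycloak or AWS projects: it derives the OIDC endpoints Cognito publishes for a user pool, builds the app-client parameters for boto3's create_user_pool_client with the exact Keycloak broker redirect URI, and registers the pool in Keycloak as an OIDC identity provider (with JWKS signature validation and PKCE enabled) plus attribute mappers through the Keycloak Admin REST API. The Keycloak host, realm, IdP alias, region, user pool id, hosted-UI domain prefix, client id/secret and admin token are all placeholder assumptions.

```python
"""Added example (not the article's own code): register a Cognito user pool that is
fed by the IAM Identity Center SAML application as an OIDC identity provider in
Keycloak. All hostnames, ids, secrets and tokens are placeholder assumptions."""
import json
import urllib.request


def cognito_endpoints(region, user_pool_id, domain_prefix):
    """OIDC endpoints for a Cognito user pool: the issuer (and its JWKS) is served by
    cognito-idp, the OAuth2 endpoints by the pool's hosted-UI domain (assumed here
    to be a Cognito-prefix domain rather than a custom one)."""
    issuer = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    hosted = f"https://{domain_prefix}.auth.{region}.amazoncognito.com"
    return {
        "issuer": issuer,
        "jwksUrl": f"{issuer}/.well-known/jwks.json",
        "authorizationUrl": f"{hosted}/oauth2/authorize",
        "tokenUrl": f"{hosted}/oauth2/token",
        "userInfoUrl": f"{hosted}/oauth2/userInfo",
    }


def keycloak_broker_redirect_uri(keycloak_base, realm, alias):
    """Redirect URI Keycloak's identity brokering uses for a given IdP alias.
    Cognito rejects the callback unless this exact string is registered."""
    return f"{keycloak_base}/realms/{realm}/broker/{alias}/endpoint"


def cognito_app_client_params(user_pool_id, saml_provider_name, redirect_uri):
    """Keyword arguments for boto3 cognito-idp create_user_pool_client: a confidential
    client (secret generated), authorization-code flow only, sign-in limited to the
    Identity Center SAML provider, and only the Keycloak broker endpoint as callback."""
    return {
        "UserPoolId": user_pool_id,
        "ClientName": "keycloak-broker",
        "GenerateSecret": True,
        "AllowedOAuthFlowsUserPoolClient": True,
        "AllowedOAuthFlows": ["code"],
        "AllowedOAuthScopes": ["openid", "email", "profile"],
        "SupportedIdentityProviders": [saml_provider_name],
        "CallbackURLs": [redirect_uri],
        "PreventUserExistenceErrors": "ENABLED",
    }


def keycloak_idp_representation(alias, client_id, client_secret, endpoints):
    """Body for POST /admin/realms/{realm}/identity-provider/instances. Keycloak stores
    config values as strings, hence "true" rather than True. ID tokens are validated
    against Cognito's JWKS and PKCE (S256) is used on the authorization request."""
    return {
        "alias": alias,
        "displayName": "AWS (IAM Identity Center via Cognito)",
        "providerId": "oidc",
        "enabled": True,
        "trustEmail": False,  # keep Keycloak's own email verification in force
        "config": {
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": "client_secret_basic",
            "issuer": endpoints["issuer"],
            "authorizationUrl": endpoints["authorizationUrl"],
            "tokenUrl": endpoints["tokenUrl"],
            "userInfoUrl": endpoints["userInfoUrl"],
            "validateSignature": "true",
            "useJwksUrl": "true",
            "jwksUrl": endpoints["jwksUrl"],
            "defaultScope": "openid email profile",
            "pkceEnabled": "true",
            "pkceMethod": "S256",
        },
    }


def attribute_mappers(alias, claim_to_attribute):
    """One oidc-user-attribute-idp-mapper per ID-token claim; the claims are whatever
    the Cognito SAML attribute mapping populated from Identity Center."""
    return [
        {
            "name": f"{alias}-{claim}",
            "identityProviderAlias": alias,
            "identityProviderMapper": "oidc-user-attribute-idp-mapper",
            "config": {"claim": claim, "user.attribute": attr, "syncMode": "FORCE"},
        }
        for claim, attr in claim_to_attribute.items()
    ]


def admin_post(keycloak_base, realm, admin_token, path, body):
    """POST a JSON body to the Keycloak Admin REST API and return the HTTP status."""
    req = urllib.request.Request(
        f"{keycloak_base}/admin/realms/{realm}/{path}",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder values only; none of these are the client's real identifiers.
    kc, realm, alias, token = "https://sso.example.com", "apps", "aws-cognito", "ADMIN_TOKEN"
    ep = cognito_endpoints("us-east-1", "us-east-1_EXAMPLE", "example-auth")
    print(json.dumps(cognito_app_client_params(
        "us-east-1_EXAMPLE", "IdentityCenter",
        keycloak_broker_redirect_uri(kc, realm, alias)), indent=2))
    admin_post(kc, realm, token, "identity-provider/instances",
               keycloak_idp_representation(alias, "CLIENT_ID", "CLIENT_SECRET", ep))
    for mapper in attribute_mappers(alias, {"email": "email", "given_name": "firstName",
                                            "family_name": "lastName"}):
        admin_post(kc, realm, token, f"identity-provider/instances/{alias}/mappers", mapper)
```

Two settings carry most of the security weight here: the Cognito app client lists only the Keycloak broker endpoint as a callback URL and only the authorization-code flow, and the Keycloak provider has validateSignature and useJwksUrl on so that every ID token is checked against the pool's published keys rather than accepted on trust. Before running the POSTs, compare the issuer the function derives with the one in the pool's /.well-known/openid-configuration; a mismatch there is the usual cause of token validation failures.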
The Payoff: A Resilient and Secure IAM Solution
By adopting this innovative approach, we successfully overcame the challenges associated with direct SAML integration and achieved a robust and secure IAM solution. This solution offers numerous benefits:
Centralized User Management: Leveraged AWS IAM as a single source of truth for user identities and permissions, streamlining user management and reducing administrative overhead.
Simplified Authentication: Offloaded the complexity of authentication to Keycloak, providing a seamless and secure user experience for our applications.
Enhanced Security: Benefitted from Keycloak's robust security features, including strong password policies, multi-factor authentication, and role-based access control, safeguarding our applications and data.
Scalability: Keycloak's scalability allowed us to accommodate a growing user base and a diverse range of applications, ensuring that our IAM solution could keep pace with our evolving needs.
Conclusion
By embracing Keycloak and creatively leveraging Cognito as an OIDC identity provider, we provided our client with a powerful, flexible, and secure IAM solution. This self-managed approach gave them greater control over their identity and access management, reducing reliance on third-party vendors and enabling them to tailor the solution to their specific requirements. As they continue to evolve, Keycloak can remain a cornerstone of their infrastructure, ensuring the security and integrity of their applications and data.
Written by

Swarnim Pratap Singh
I'm a software developer and open-source contributor