KeyCloak Identity and Access Management

KeyCloak is an open source Identity and Access Management. It can be used to create SSO, Social media Logins and User Federation.

KeyCloak is an open source Identity and Access Management solution. It supports use authentication and authorization with little or no code. Below are some of the features provided:

  • Single Sign On (SSO).
  • Kerberos bridge.
  • Identity brokering and Social logins.
  • User Federation.
  • Adapters for different platforms and programing languages.
  • Consoles like Admin console and Account Management Console
  • Supports standard protocols like OpenId connect, OAuth 2.0 and SAML.
  • Authorization services.

KeyCloak on Docker

To install KeyCloak docker image, make sure to have docker installed on your machine.

To download and start container:

docker run -p 28080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin

Above command downloads 12.0.1 version of docker and start KeyCloak and expose it at port 28080. It will create a default user “admin” and set “admin” password for that user.

Login to admin console at http://localhost:28080/auth/. Click on Administrator Console and sign in with user “admin”.

Create a Realm

By default a Realm with the name Master is created. Do not use Master realm. We create a new Realm for our learning. Mouse hover on the Master and click on Add realm button to create a new Realm.

Mouse hover on Master Realm shows option to add new realm.

Enter new realm details and click on create.

Next we will configure SMTP for email service. Here I will be using yahoo account. Different email providers have slightly different configuration. We might have to disable two factor authentication or allow Less secure app to sign in. For yahoo we need to create an app and set up password for the app. We will use this new app and generated password in our user configuration.

Configure SMTP server for KeyCloak

  • First we ensure default user is set up with email address.
    • Go to Master realm.
    • Click on Users.
    • Click on default user in our case its “admin”.
    • Add email address to the user details. (This is the email provider that we will use to configure our SMTP configuration)
  • Click on new Realm (in our case AWSRealm).
  • Go to Realm Settings.
  • Click on Email address tab and fill in SMTP server details.
  • Click on Test Connection. You should see test message in your inbox. In case you get an error look into logs for error. In most of the cases error is due to email provider security configuration for example check your Gmail or Yahoo account settings.

Create Users

Ensure that email is set up before creating new user. We will provide email address for the new user and we will validate it as well.

  • Select Realm (in this case AWSRealm).
  • Click Add User.
  • Fill in user details and click on create. Select “Update Password” and “Verify Email” options from the Required User Action.
  • Go to Credential tab and enter credential. Set some temporary password for the user.

Log in with new user.

  • Open browser and go to http://localhost:28080/auth/realms/AWSRealm/account/
  • Enter user name and password. You will see message saying password needs to be changed. Update the password.
  • After updating password you will get message to verify email address. Check the email address you provided while creating user.
  • Click on the link in the email. This will verify your email address and sign in.