Keycloak IAM & SSO

2 Days


Description

In this training we start with the deployment and configuration of a Keycloak server. We will learn the basics of the OAuth 2, OIDC and JWT specifications and get a common understanding of the terms used, while taking our first steps with tokens, claims and authentication. At the same time, we will also discuss the best practices and deprecations that have emerged over time in these specifications.

We then cover the configuration of realms and clients and the pitfalls to watch out for here. We can use theming to adapt the Keycloak UIs to the company or project design specifications. In addition to Keycloak’s own user management for users, groups and roles, we will learn what other options are available for using existing user sources (e.g. LDAP, etc.) and other external identity providers (e.g. Azure AD or social providers) in and with Keycloak.

The login processes (authentication flows) are a powerful tool in Keycloak. We will learn how to design and configure secure and complex authentication flows. Using Required Actions, we can ask users to perform certain actions or configure credentials.

We will also learn about the configurations required for reliable and secure operation with regard to (high availability) clusters, distributed cache, backup and recovery, as well as the most important settings for preventing or containing security threats.

Niko gives you a summary in this video: https://www.youtube.com/watch?v=z87jE0MZvuA

Agenda

Keycloak Server basics

  • Basics Single Sign-On (SSO) and specifications OAuth 2, OpenID Connect (OIDC) and JSON Web Token (JWT)
  • Keycloak Server configuration and deployment (incl. database)
  • First steps with tokens and claims
  • Principle and configuration of Keycloak realms
  • Client configurations in Keycloak using the example of a distributed application
  • Theming the Keycloak forms/user interfaces

User administration and sources

  • Users, groups and roles in Keycloak
  • Clarification of the differences between User Federation / User Storage and External Identity Providers
  • Configuration of an LDAP directory as a user federation source
  • Using your own user data sources
  • Configuration of an external identity provider using the example of Azure AD / Microsoft Entra ID

Authentication flows and required actions

  • Design and configuration of authentication flows
  • Extension of the authentication options using custom extensions
  • Use of required actions
  • Configuration of additional authentication policies

Clustering and distributed caching

  • Configuration of the Keycloak server for cluster operation
  • Discussion of the various cluster discovery protocols
  • Customization / tuning of the (distributed) cache configuration

Further topics

  • Versions & upgrades
  • Backup & recovery
  • Mitigating security threats

Your Benefits

Learn how to securely handle authentication and SSO and the associated specifications.

Get to know the options that a Keycloak-based SSO and identity management offers you.

Learn how to (re-)use existing user sources.

Learn how users and clients can authenticate themselves.

Learn how to configure the cluster operation of Keycloak.

Become confident in dealing with authentication and OIDC.

Audience

The workshop is aimed at all people from development and operations who want to set up and integrate a single sign-on or identity management solution in their company or project with Keycloak.

Technical requirements

We use a local Docker-Compose environment as the “operating environment” to keep the operational overhead as low as possible. The required YAML definitions and configuration files, as well as Keycloak extensions for the training environment will be provided to you in advance as a download.

  • Notebook/laptop
  • Text editor (Notepad++, VS Code, etc.)
  • Docker and Docker Compose V2 installed and running (if necessary, grant local admin rights on the computer)
  • Internet access (check proxy/firewall/VPN configurations etc. if necessary)
  • Browser
  • HTTP client (e.g. Insomnia, Postman, etc.)

Training Objectives

OAuth 2, OIDC & JWT basics & best practices regarding grant types and token propagation

Keycloak configuration: realms, clients, users, groups, roles

Theming of the Keycloak UIs

Use of user federation and identity providers

Design of authentication flows and use of required actions

Cluster operation and distributed caching

Customizing / adapting a Keycloak environment to your own requirements

Your Trainers

Niko Köbler

Niko Köbler IT-Beratung

Keycloak, IAM

  • Develop Keycloak extensions
  • Keycloak IAM & SSO
  • Keycloak and OIDC

Niko Köbler is a freelancer and has worked for over eight years as a Keycloak and IAM expert for customers from a wide range of industries across Europe. Since the beginning of 2021 he has run a successful Keycloak channel on YouTube and supports the community in various forums. He is also a well-known and sought-after speaker at IT conferences, co-lead of a Java User Group, and writes articles for various trade journals. https://www.n-k.de

In-House Training

You can also book this training as an in-house training course exclusively for your team. Please use the enquiry form for more details.
