3:27 p.m.
Hey,
So, a very high level question, and any insight you guys may have would
help.
We're looking to potentially deploy keycloak as a part of a public cloud
application to support authentication to our applications based on security
settings our tenants may use, which may include talking back to their
internal LDAPs, our LDAP, our database, or their hosted SAML solutions.
We're not looking to expose this UI to them, so they would never need to
login other than visiting the login page to access our applications. Are
there any mitigation strategies for reducing the attack surface of
keycloak? I saw that you had brute force detection available, in addition
to using public/private key pairs to do API authentication. I'm wondering
if there's any more security levels that could be leveraged? Does reducing
the amount of API endpoints accessible publically make sense in this
scenario? If so, what endpoints would need to be there to support
authentication?
John
3:48 p.m.
Hello John,
have a look at: Guidelines for protecting Keycloak Endpoints
http://lists.jboss.org/pipermail/keycloak-user/2016-March/005525.html
Cheers,
Thomas
2016-06-03 15:27 GMT+02:00 John D. Ament <john.d.ament(a)gmail.com>:
Hey,
So, a very high level question, and any insight you guys may have would
help.
We're looking to potentially deploy keycloak as a part of a public cloud
application to support authentication to our applications based on security
settings our tenants may use, which may include talking back to their
internal LDAPs, our LDAP, our database, or their hosted SAML solutions.
We're not looking to expose this UI to them, so they would never need to
login other than visiting the login page to access our applications. Are
there any mitigation strategies for reducing the attack surface of
keycloak? I saw that you had brute force detection available, in addition
to using public/private key pairs to do API authentication. I'm wondering
if there's any more security levels that could be leveraged? Does reducing
the amount of API endpoints accessible publically make sense in this
scenario? If so, what endpoints would need to be there to support
authentication?
John
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2877
days inactive
2877
days old
1 comments
2 participants
participants (2)
-
John D. Ament -
Thomas Darimont