[keycloak-user] REST(MicroServices) authentication through SAML 2.0

Pedro Igor Silva psilva at redhat.com
Fri Feb 26 08:45:03 EST 2016


Hi Siva,

Some comments inline.


----- Original Message -----
> From: "Siva" <siva.b at knowledgeflux.com>
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, February 25, 2016 10:01:15 PM
> Subject: [keycloak-user] REST(MicroServices) authentication through SAML 2.0
> 
> Hi Experts,
> 
> I've got a scenario and am seeking your valuable inputs to take this in the right
> direction.
> 
> My application is a complete server-side solution which has 6 different modules
> and exposes only REST (Microservices) endpoints (5 modules are hosted in a
> Tomcat 8 container and 1 is hosted in Apache Karaf [OSGi bundle]) to the
> external world; these will be accessed by different enterprises, and they
> need to integrate their SAML 2.0 IDP for authentication.
> 
> These Microservices endpoints could be integrated with their existing
> portals or with their existing mobile applications; in some scenarios it
> could be an exclusive client application built to consume our REST endpoints,
> which could potentially be browser based or a mobile app.
> 
> The challenge here is that, for now, we could use only SAML 2.0 based
> authentication, since not all the organizations support OIDC/OAuth 2.0, and
> our application should also be flexible enough to be integrated with the
> existing client portals which use SAML 2.0 authentication.
> 
> We are planning to use Keycloak as an IDP broker to secure our endpoints.
> 
> Questions:
> 
> 1) Can this be achieved in Keycloak? If yes, could you please provide some
> inputs on architectural directions in Keycloak; for example, should all the
> modules be configured under 1 realm, and do we need a separate brokering
> realm?

I don't think that brokering is the best solution to address your requirements. If I understood your problem correctly, the clients trying to access your APIs belong to your partners and not to you. Brokering is useful when you own the clients and want to create an indirection layer in order to integrate with external identity providers (pretty much the inverse of your use case). Or even during a migration plan, when you already have some investments in SAML and want to gradually adopt OpenID Connect for new deployments.

In your case, what you need is something that can utilize an existing trust relationship in order to give your clients the proper security token to access your APIs.

> 
> 2) Does Keycloak support the Apache Karaf container? I couldn't find any
> adapter for this under the SAML adapter category.

I don't think so, but someone can give you more input on that.

> 
> 3) For REST style endpoints, how should the user credential/token details
> be shared? Any example links? Kerberos is not a complete solution here,
> since it needs to work on all the devices (desktop, laptop & handheld).

Well, there is no sharing of user credentials, but of security tokens.

> 
> 4) For the REST based solution, can the application completely rely on
> Keycloak for session management after the first time the user is
> authenticated?
> 
> Any inputs on this will be highly valued.
>

An interesting solution would be the Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants [1]. Very useful when a client wishes to utilize an existing trust relationship, expressed through the semantics of the SAML Assertion, without a direct user approval step at the authorization server.

But, IIRC, that spec is not yet supported in KC.

I've also seen some people using SAML assertions to access RESTful resources. Personally, I don't think it is a good approach, since there is no SAML binding (standard) targeting RESTful resources.

There is also the SAML ECP profile, which we added recently. However, it is targeted at specific use cases where you need to issue a SAML Assertion based on some user credentials (so you must own the users, which is not your case I think). It also provides some very basic support for the SP side of things, but I don't think it can help you either.

[1] https://tools.ietf.org/html/rfc7522

> 
> Regards,
> 
> Siva.
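The RFC 7522 grant Pedro points to above, as an added example that is not part of this thread or of Keycloak's code: the client-side token request that carries the SAML assertion, and the assertion-level checks the authorization server must make before exchanging it for an access token. The partner IdP entity ID, the user NameID and the Keycloak token endpoint host are constructed placeholders, and XML signature verification is assumed to be done by an XML-DSig library before these checks run.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import urlencode, parse_qs

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
TOKEN_ENDPOINT = "https://kc.example/auth/realms/api/protocol/openid-connect/token"  # placeholder
TRUSTED_ISSUERS = {"https://idp.partner.example/saml"}  # constructed partner IdP entity ID

def build_token_request(assertion_xml):
    """Client side (RFC 7522 section 2.1): the whole signed assertion travels
    base64url-encoded in the 'assertion' field of the token request form body."""
    encoded = base64.urlsafe_b64encode(assertion_xml.encode()).rstrip(b"=").decode()
    return urlencode({"grant_type": SAML2_BEARER, "assertion": encoded})

def assertion_from_request(body):
    """Authorization-server side: recover the assertion XML from the form body."""
    encoded = parse_qs(body)["assertion"][0]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4)).decode()

def parse_time(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))  # SAML times are UTC 'Z'

def check_assertion(assertion_xml, now):
    """Assertion-level rules RFC 7522 section 3 puts on the authorization server; None
    means accepted. The XML-DSig signature must be verified first (omitted here)."""
    root = ET.fromstring(assertion_xml)  # use defusedxml for untrusted input
    if root.findtext("saml:Issuer", namespaces=NS) not in TRUSTED_ISSUERS:
        return "issuer is not a trusted partner IdP"
    audiences = root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if TOKEN_ENDPOINT not in [a.text for a in audiences]:
        return "audience does not name the token endpoint"
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER_METHOD:
        return "subject is not bearer-confirmed"
    not_after = root.find("saml:Conditions", NS).get("NotOnOrAfter")
    if not_after is None or now >= parse_time(not_after):
        return "assertion has no expiry or has expired"
    return None

# Constructed sample assertion (no real IdP); the ds:Signature element is omitted.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c1" Version="2.0" IssueInstant="2016-02-26T13:00:00Z">
  <saml:Issuer>https://idp.partner.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>siva@partner.example</saml:NameID><saml:SubjectConfirmation Method="{BEARER_METHOD}"/></saml:Subject>
  <saml:Conditions NotOnOrAfter="2016-02-26T13:05:00Z"><saml:AudienceRestriction>
  <saml:Audience>{TOKEN_ENDPOINT}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""
```

Rejecting an assertion whose Audience is not the token endpoint is what stops an assertion minted for a partner's own portal from being replayed against the API's authorization server.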