
Introducing web single sign-on (Web SSO) and identity federation


Red Hat recently released a new unified identity server based on Keycloak technology. You can now use a ready-made, fully supported identity provider based on SAML 2.0 or OpenID Connect that links a corporate user directory or a third-party identity provider to your applications using standard tokens. Keycloak is a new-generation system that replaces the PicketLink technology in JBoss middleware. In the future, Keycloak will provide single sign-on to Red Hat Cloud Suite and to management systems such as Red Hat Satellite.

Feature Overview


In essence, Keycloak is a SAML 2.0 or OpenID Connect identity provider; its capabilities and configuration are described in detail in the user portal.

Client support
Keycloak includes a central identity server to which clients with the appropriate adapter or module are connected using the identity management configuration.
Keycloak supports many different clients, including:

● Red Hat JBoss Enterprise Application Platform versions 6.4 and 7.0;
● Red Hat JBoss Fuse 6.2 (as an introductory technical version);
● Red Hat Enterprise Linux 7.2 (using the mod_auth_mellon module for SAML 2.0).

Identity federation
Keycloak can federate users from LDAP-based directory services, including:

● Microsoft Active Directory;
● RHEL Identity Management.

Keycloak also supports SPNEGO-based Kerberos when using Microsoft Active Directory and RHEL Identity Management.

Identity brokering

Keycloak integrates with social sign-in providers, including:

● Facebook;
● Google;
● Twitter.

Administration Interfaces
You can manage the Keycloak server, realms and clients using the web interface or the REST API. This covers the full range of tasks involved in designing an identity environment, including assigning roles to users, registering clients, federating users and brokering sign-in through external identity providers.

Subscription and support cycle


Currently, single sign-on is available as part of the JBoss Core Services Collection package with a 3-year support cycle. We plan to offer the Keycloak-based single sign-on system as a service for Red Hat OpenShift Container Platform and Red Hat Mobile Application Platform, as well as an integrated identity provider for Red Hat OpenStack Platform.

In the long term, Keycloak will become a central component for identifying users and clients and for integrating identity providers. It will cover existing infrastructure, including internal user directories and external cloud identity providers (for example, social networks), and will provide single sign-on to Red Hat products together with identity integration.

Source: https://habr.com/ru/post/321758/

