Monday, August 10, 2015

Configuring and using Keycloak

In this article we will see how to use Keycloak, one of the popular SSO products. Here is an excerpt from the official website:

Integrated SSO and IDM for browser apps and RESTful web services. Built on top of the OAuth 2.0, OpenID Connect, JSON Web Token (JWT) and SAML 2.0 specifications. Keycloak has tight integration with a variety of platforms and has an HTTP security proxy service where we don't have tight integration. Options are to deploy it with an existing app server, as a black-box appliance, or as an OpenShift cloud service and/or cartridge.

Installation

Download the software from here. We will use keycloak-1.4.0.Final for the demonstration in this article and set it up as a standalone server.

To install, first download either the zip or the tar.gz and extract it. Then start the server by running either:
keycloak-1.4.0.Final/bin/standalone.sh
or:
keycloak-1.4.0.Final/bin/standalone.bat
That's it, you are done.


Configuring SSL

If you are planning to use Keycloak in a production environment, then you will also need to configure SSL.

Get and install a self-signed certificate, or get one from a CA such as GoDaddy.com (instructions can be found here) or CAcert.org, the open source certificate provider.

Now that you have a Java keystore with the appropriate certificates, you need to configure your WildFly installation to use it. The first step is to move the keystore file to a directory you can reference in the configuration. I like to put it in standalone/configuration. Then you need to edit standalone/configuration/standalone.xml to enable SSL/HTTPS.

To the security-realms element add:
<security-realm name="UndertowRealm">
    <server-identities>
        <ssl>
            <keystore path="godaddy.keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="secret" />
        </ssl>
    </server-identities>
</security-realm>


Find the element <server name="default-server"> (it is a child element of <subsystem xmlns="urn:jboss:domain:undertow:1.0">) and add:
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>

Start/restart the server. You are done!
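The two standalone.xml edits above can be applied by script rather than by hand. The following is an added example, not code from Keycloak or WildFly: it parses the file namespace-aware instead of doing text substitution, adds the UndertowRealm and the https-listener only if they are not already present, and fails loudly if the expected parent elements are missing. SAMPLE_XML is a constructed, trimmed skeleton for demonstration, and the keystore name and password are the page's sample values to be replaced with your own.

```python
import sys
import xml.etree.ElementTree as ET

UNDERTOW_NS = "urn:jboss:domain:undertow:1.0"  # subsystem namespace quoted on this page

# Constructed, trimmed standalone.xml skeleton used as sample input; the root
# namespace version (urn:jboss:domain:X.Y) differs between WildFly releases.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:2.2">
  <management><security-realms>
    <security-realm name="ManagementRealm"/>
  </security-realms></management>
  <profile><subsystem xmlns="urn:jboss:domain:undertow:1.0">
    <server name="default-server">
      <http-listener name="default" socket-binding="http"/>
    </server>
  </subsystem></profile>
</server>"""

def enable_https(xml_text, keystore="godaddy.keycloak.jks", password="secret"):
    """Return the parsed root with UndertowRealm and the https-listener added.
    Elements that already exist are left alone, so re-running is safe."""
    root = ET.fromstring(xml_text)
    # Take the root namespace from the root tag instead of hard-coding a version.
    domain_ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    d = lambda tag: "{%s}%s" % (domain_ns, tag) if domain_ns else tag  # domain ns
    u = lambda tag: "{%s}%s" % (UNDERTOW_NS, tag)                        # undertow ns

    realms = root.find("./%s/%s" % (d("management"), d("security-realms")))
    if realms is None:
        raise ValueError("standalone.xml has no <security-realms> element")
    if realms.find("./%s[@name='UndertowRealm']" % d("security-realm")) is None:
        realm = ET.SubElement(realms, d("security-realm"), {"name": "UndertowRealm"})
        ssl = ET.SubElement(ET.SubElement(realm, d("server-identities")), d("ssl"))
        ET.SubElement(ssl, d("keystore"), {"path": keystore,
                      "relative-to": "jboss.server.config.dir",
                      "keystore-password": password})

    server = root.find(".//%s/%s[@name='default-server']" % (u("subsystem"), u("server")))
    if server is None:
        raise ValueError('standalone.xml has no undertow <server name="default-server">')
    if server.find("./%s" % u("https-listener")) is None:
        ET.SubElement(server, u("https-listener"), {"name": "https",
                      "socket-binding": "https", "security-realm": "UndertowRealm"})
    return root

if __name__ == "__main__":
    # python enable_https.py standalone/configuration/standalone.xml > standalone.xml.new
    with open(sys.argv[1], encoding="utf-8") as f:
        root = enable_https(f.read())
    ET.ElementTree(root).write(sys.stdout.buffer, encoding="utf-8", xml_declaration=True)
```

Write the output to a new file and review the diff before restarting: ElementTree drops XML comments and rewrites namespace prefixes, which the server's namespace-aware parser accepts but which makes a raw diff noisy.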