26-07-2020

Keycloak integrated into Otomi Container Platform

You can now use your favorite identity provider to provide SSO and role-based access to Otomi Console, Otomi Apps, and publicly exposed services.

About Keycloak

Keycloak is an open-source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code. Keycloak adds authentication to applications and secures services, so there is no need to deal with storing or authenticating users yourself. It's all available out of the box. You'll even get advanced features such as User Federation, Identity Brokering, and Social Login.

Stack integration

With the integration of Keycloak, it is now possible to add your company directory (like Azure AD) or a social login (like GitHub) as an external IDP. When configured, Keycloak acts as an OAuth2 broker for all services, including Otomi Apps (see figure 1). Once a user is authenticated, Istio policies (evaluating the user's JWT token) determine whether that user has access to a service.

Figure 1: All integrated Otomi Apps
Figure 2: Select your favorite IDP in Keycloak

Single Sign-On for applications

Users of applications exposed using the Otomi Container Platform can now authenticate with Keycloak rather than with each individual application. This means that your applications don't have to deal with login forms, authenticating users, and storing users. Once logged in to Keycloak, users don't have to log in again to access a different application. The same applies to logout: Keycloak provides single sign-out, which means users only have to log out once to be logged out of all applications that use Keycloak.

Teams

Otomi "teams" are tenants on the platform that support your DevOps teams in deploying and exposing their software, either publicly or behind SSO. A team can operate on multiple Kubernetes clusters, even when those run on different clouds. A team gets access to the Otomi Console, which provides all the tools needed for complete visibility. Team members are granted access to a team through roles configured in Keycloak. Using Keycloak, the Otomi Container Platform now offers full RBAC.

Services

A service in the Otomi Container Platform is a feature for easy deployment of (serverless) container workloads and for exposing these services with a public URL. We already provided the option to automatically add SSO to a service (using only a single configurable IDP). With Keycloak now fully integrated, we will soon add the ability to select an IDP per service and to add RBAC to publicly exposed services. This makes all Keycloak features available to every application deployed and exposed using the Otomi Container Platform.

Automation

Having a single IDP for all services still doesn't solve all user management issues. Harbor, for example, has its own RBAC based on projects. Using the Harbor API we automated the RBAC configuration for Harbor: when a team is created, a new project is created in Harbor and the group configured for the team automatically gets access to that project.
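The following is an added example of what that Harbor onboarding step looks like as a script; it is not Otomi's own automation code. It assumes Harbor's v2.0 REST API (the `/api/v2.0/projects` and `/api/v2.0/projects/{name}/members` endpoints, role id 2 for "developer" and group type 3 for OIDC groups; check these against your Harbor version's Swagger UI), the `team-<name>` project naming and the `team-<name>-group` group naming are assumptions made here, and the `FakeHarbor` class is a constructed in-memory stand-in so the example runs offline. The step is written to be idempotent, so re-running it for an existing team neither recreates the project nor duplicates the group membership.

```python
import base64
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# Harbor v2.0 API paths and codes (assumption: verify against your Harbor version).
PROJECTS_PATH = "/api/v2.0/projects"
ROLE_DEVELOPER = 2   # Harbor project roles: 1=projectAdmin, 2=developer, 3=guest, 4=maintainer
GROUP_TYPE_OIDC = 3  # Harbor member group types: 1=LDAP, 2=HTTP, 3=OIDC

# A transport takes (method, path, json_body) and returns (http_status, decoded_json_or_None).
Transport = Callable[[str, str, Optional[dict]], Tuple[int, object]]


def urllib_transport(base_url: str, username: str, password: str) -> Transport:
    """Real transport: basic-auth calls to a Harbor instance using only the standard library."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def send(method: str, path: str, body: Optional[dict] = None) -> Tuple[int, object]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
        req.add_header("Authorization", "Basic " + token)
        req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as err:  # 4xx/5xx: surface the status, do not raise
            return err.code, None

    return send


def onboard_team(send: Transport, team: str, group_name: str, role_id: int = ROLE_DEVELOPER) -> dict:
    """Ensure a private Harbor project exists for the team and that the team's
    OIDC group is a member of it. Returns what was actually changed."""
    project = f"team-{team}"  # assumed naming convention
    result = {"project": project, "project_created": False, "member_added": False}

    # 1. Does the project already exist? (HEAD /projects?project_name=... -> 200 or 404)
    status, _ = send("HEAD", f"{PROJECTS_PATH}?project_name={project}", None)
    if status == 404:
        status, _ = send("POST", PROJECTS_PATH, {"project_name": project, "public": False})
        if status != 201:
            raise RuntimeError(f"creating project {project} failed: HTTP {status}")
        result["project_created"] = True
    elif status != 200:
        raise RuntimeError(f"checking project {project} failed: HTTP {status}")

    # 2. Grant the group access unless it is already a member (avoid duplicate members).
    status, members = send("GET", f"{PROJECTS_PATH}/{project}/members", None)
    if status != 200:
        raise RuntimeError(f"listing members of {project} failed: HTTP {status}")
    already_member = any(
        m.get("entity_type") == "g" and m.get("entity_name") == group_name for m in (members or [])
    )
    if not already_member:
        body = {"role_id": role_id,
                "member_group": {"group_name": group_name, "group_type": GROUP_TYPE_OIDC}}
        status, _ = send("POST", f"{PROJECTS_PATH}/{project}/members", body)
        if status != 201:
            raise RuntimeError(f"adding {group_name} to {project} failed: HTTP {status}")
        result["member_added"] = True
    return result


class FakeHarbor:
    """Constructed in-memory stand-in for Harbor so the example runs offline.
    It mimics only the four calls onboard_team() makes."""

    def __init__(self) -> None:
        self.projects: dict = {}  # project_name -> list of member dicts

    def send(self, method: str, path: str, body: Optional[dict] = None) -> Tuple[int, object]:
        if path.startswith(PROJECTS_PATH + "?project_name="):
            name = path.split("=", 1)[1]
            return (200, None) if name in self.projects else (404, None)
        if method == "POST" and path == PROJECTS_PATH:
            self.projects.setdefault(body["project_name"], [])
            return 201, None
        name = path[len(PROJECTS_PATH) + 1:].split("/")[0]
        members = self.projects.setdefault(name, [])
        if method == "GET":
            return 200, list(members)
        if method == "POST":
            members.append({"id": len(members) + 1, "entity_type": "g",
                            "entity_name": body["member_group"]["group_name"],
                            "role_id": body["role_id"]})
            return 201, None
        return 404, None


if __name__ == "__main__":
    harbor = FakeHarbor()  # swap for urllib_transport("https://harbor.example", "admin", "...")
    print(onboard_team(harbor.send, "blue", "team-blue-group"))  # creates project + membership
    print(onboard_team(harbor.send, "blue", "team-blue-group"))  # second run changes nothing
```

The group name passed in is the one configured for the team in Keycloak; because Harbor's OIDC integration maps users to groups from the token's group claim, granting the group (rather than individual users) means team membership changes made in Keycloak flow through to Harbor without further API calls.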

Having an OIDC-compliant IDP allows us to seamlessly connect all Otomi applications behind Keycloak SSO, mapping teams and their users transparently to the roles in each application. Most applications are becoming OIDC compliant, and even those that are not are still protected with SSO.

Would you like to see a free online demo? Contact us!
