NOOB Questions about Keycloak


Vivek Gupta

May 5, 2021, 4:48:22 PM
to Keycloak User
Hi All,
       I am very new to Keycloak and exploring it to replace ForgeRock OpenAM and our homegrown IAM (built on top of OpenAM).

      I am looking for the following:
1. Features of Keycloak
2. Support and patch model. For example, are there any LTS releases? Or why is RH-SSO LTS so far behind the current Keycloak release?
3. Can Keycloak run on Tomcat (anything other than WildFly)? Even though Keycloak's license is APL 2.0, WildFly's license is LGPL 2.1.
4. Other than Red Hat, is there any commercial support available for Keycloak? (just to keep IT and management happy :-))

Thanks in advance for your responses,

Vivek

Nate Muller

May 6, 2021, 8:59:56 AM
to Keycloak User
Hi Vivek,

I'll take a swing at your questions!

  1. Keycloak is a pretty full-featured IAM system.  Features include:
     1. Extremely easy to install
     2. Support for OIDC and SAML authentication methods
     3. Sync (read/write) with almost any LDAP/Active Directory based user store.  You can map LDAP user properties to KC user attributes, as well as sync your groups in LDAP over to Keycloak and vice versa.
     4. Integration with 3rd party identity providers (Google, Facebook, etc.  You can find the full list once you install Keycloak and navigate to the "Identity Providers" configuration section)
     5. Support for fine-grained authorization defined inside Keycloak or using your own rules via the Authorization API
     6. Brute force detection/prevention
     7. A lot more!
  2. Support and patches, as with many open-source products, are your responsibility as the implementer.  Red Hat does offer paid support.  I have not looked into how to get it or how much it costs, however.  As for the versioning difference between KC and RH-SSO, I think RH-SSO was released later.  So it's just semantics.
  3. The Keycloak server itself cannot run out of the box on a Tomcat server.  It is integrated into WildFly pretty heavily.  You can secure apps running on Tomcat using Keycloak via the Keycloak Tomcat adapter (https://www.keycloak.org/docs/latest/securing_apps/index.html#what-are-client-adapters), however.
  4. No idea.  There probably is, but I can't tell you anything more than a Google search could :)
Thanks for your questions!

Vivek Gupta

May 6, 2021, 7:33:40 PM
to Keycloak User
Thanks Nate,
That was helpful. It was a good swing (home run!!!!!) :-)

A few more questions (as I am reading through the documentation):
1. We will be deploying Keycloak in AWS EKS (Kubernetes), so we will be using KUBE_PING as the discovery protocol in JGroups. Are there any pitfalls that we need to be aware of?
2. How does the upgrade work in Kubernetes deployments?
3. Can we do rolling upgrades (say from 11 to 12, or 12 to 13 (future release)) where the n and n-1 Keycloaks are pointing to the same shared DB?
4. In the Kubernetes world, can we horizontally scale Keycloak pods up and down?

Thanks in advance,

Vivek

Nate Muller

May 6, 2021, 8:07:09 PM
to Vivek Gupta, Keycloak User
Vivek,

Thanks for your kind words.  I'm afraid I know absolutely nothing about Kubernetes, so I can't help with most of your questions!  But here are the answers I CAN give:

1. We stood up a Keycloak cluster fairly easily (though not on Kubernetes); the documentation was straightforward and didn't miss anything huge.  Making sure your network allows multicast (https://www.keycloak.org/docs/latest/server_installation/index.html#multicast-network-setup) is the only "gotcha" I can think of.  Some routers/switches block it by default, but it's easy to test whether it's enabled with a quick Google for your network config.
3. If memory serves, that is easily doable.

Regards,

Nate Muller


Vivek Gupta

May 7, 2021, 2:21:36 PM
to Keycloak User
Thanks Nate.
I will start a separate thread for the Kubernetes questions and see if someone has some experience with it. In parallel, we will start our experiment/PoC as well. I will share the results of the PoC with this group.

Vivek
