Keycloak Use Cases

Below we have gathered some popular requirements from our customers. To fulfil them we have configured or extended Keycloak, often going well beyond the standard protocols and OpenID Connect flows.

Weak and strong authentication

Use Case

A bank provides several digital services to its customers. Depending on the URL, some of these services must be protected by a second-factor login, while others can be accessed simply by logging in with username and password. The session timeout should also vary per URL.

Solution

We implemented a Keycloak extension that supports both a weak (username and password only) and a strong (username and password plus a second factor) authentication level.

Step-up and step-down with ease

Use Case

For usability reasons, and in addition to the previous requirement, users want to step up and step down easily between the different security levels of the various services.

Solution

We implemented a Keycloak extension that provides a so-called "step-up" mechanism. When a user first authenticates with username and password only and later, within the timeout period, accesses a service that requires a second factor, the user is asked only for the second factor.

When the strong-authentication timeout is reached, the user is automatically "stepped down" to the weak level; no re-entry of credentials is needed. Keycloak tracks each user's current level and moves it up and down automatically while enforcing the timeout rules.

The "two factors" (2FA) that you want

Use Case

There are many second-factor solutions available today, and new technologies are introduced frequently. A bank would like to introduce a new second-factor technology while keeping the existing technologies for a grace period of 1 year.

Two-factor authentication (2FA) technologies come and go. We want freedom of choice for ourselves and our customers.

Solution

We implemented a Keycloak extension that supports multiple second-factor authentication mechanisms. Several 2FA technologies are already supported, and new ones can be added quickly and seamlessly.

Secure but also confidential

Use Case

A bank provides partner services to its customers over the Internet. These services must also guarantee full data protection: each partner service shall receive only the roles the user holds for that particular service.

Solution

We extended Keycloak to issue each service a JWT dedicated to that service alone. The token contains no roles of other applications, and the user name is anonymized to fully protect the end user. The JWT is digitally signed with an asymmetric algorithm.

Protect your cloud solution

Use Case

A software provider wants to protect its cloud-based core product with an IAM-based solution and, at the same time, integrate fully into its customers' portal environments.

Solution

We proposed Keycloak and configured it as an OpenID Connect Identity Broker that trusts each customer's SAML 2.0 Identity Provider. Different Identity Providers can be configured to meet the needs of the individual customers of the core software solution.