Keycloak Use Cases

Below we have gathered some popular requirements from our customers. To fulfil them we have configured or extended Keycloak, going well beyond the standard protocols and OpenID Connect flows.

Weak and strong authentication

Use Case

A bank provides several digital solutions to its customers. Depending on the URL, some of these services need to be protected by a second-factor login, while others can be accessed by simply logging in with username and password. The session timeout should vary per URL.

Solution

We implemented an extension for Keycloak that supports both a weak (username and password only) and a strong (username and password plus a second factor) authentication mechanism.

Step-up and -down with ease

Use Case

For usability reasons, in addition to the previous requirement, users want to step up and step down easily between the different security levels of the various services.

Solution

We implemented an extension for Keycloak to allow the so-called "step-up" mechanism. When a user first authenticates with username and password only and later, within the timeout period, accesses a service that requires a second factor, the user is asked only for the second factor.

When the strong timeout is reached, the user is automatically "stepped down" to the weak level. No re-entry of data is needed. Keycloak knows the users and follows them all the way up and down automatically. Timeout rules are enforced.

The "two factors" (2FA) that you want

Use Case

There are many second factor solutions available today. Additionally, new technologies are introduced frequently. A bank would like to introduce a new second factor technology without giving up on the existing technologies for a grace period of 1 year.

Two-factor authentication (2FA) technologies come and go. We want freedom of choice for us and our customers.

Solution

We implemented an extension for Keycloak to support multiple second-factor authentication mechanisms.
We and Keycloak support several 2FA methods. New technologies are implemented quickly and seamlessly.

Secure but also confidential

Use Case

A bank provides partner services over the Internet to its customers. These services must also provide full data protection: each service shall receive only the roles the user holds for that particular service.

Solution

We extended Keycloak to issue a JWT dedicated to the particular service. The token does not contain any roles of other applications. Additionally, the user name is anonymized to fully protect the end user. The JWT is digitally signed using an asymmetric algorithm.
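As an added example (not the page's or Keycloak's own code), the following Go program shows the per-service token described above: it mints an RS256-signed JWT that carries a salted pseudonym instead of the username and only the roles for the one audience, and the partner-side verifier pins the algorithm, checks the signature and rejects tokens minted for any other service. The roles map, salt and claim names are assumptions, not taken from the page.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
type Claims struct {
	Sub   string   `json:"sub"`   // salted hash of the username, never the username itself
	Aud   string   `json:"aud"`   // the one partner service this token was minted for
	Roles []string `json:"roles"` // only the roles the user holds in Aud; nothing from other apps
}
var b64 = base64.RawURLEncoding
// IssueServiceToken mints an RS256-signed compact JWS scoped to one service; roles maps service -> user's roles there (assumed model).
func IssueServiceToken(key *rsa.PrivateKey, user, service string, roles map[string][]string, salt []byte) (string, error) {
	pseudo := sha256.Sum256(append(append([]byte{}, salt...), user...))
	c := Claims{Sub: b64.EncodeToString(pseudo[:]), Aud: service, Roles: append([]string{}, roles[service]...)}
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}
// VerifyServiceToken is the partner side: pin alg=RS256, check the signature, and reject tokens minted for any other aud.
func VerifyServiceToken(pub *rsa.PublicKey, token, expectedAud string) (*Claims, error) {
	p := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(p[0]); len(p) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or alg is not RS256")
	}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if sig, err := b64.DecodeString(p[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if raw, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Aud != expectedAud { // a token for service A must not be accepted by service B
		return nil, errors.New("token not issued for this service")
	}
	return &c, nil
}
```

In a real deployment the partner service would fetch the public key from the issuer's JWKS endpoint and additionally check `iss` and `exp`, which this example leaves out for brevity.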

Protect your cloud solution

Use Case

A software provider wants to protect its cloud-based core product with an IAM-based solution and at the same time be able to integrate fully into the portal environment of its customers.

Solution

We suggested Keycloak and configured it to act as an OpenID Connect Identity Broker that trusts the customers' SAML 2.0 Identity Providers. Different Identity Providers can be configured to meet the needs of the individual customers of the core software solution.