Integration using Keycloak
Certificate Based Authentication Support
Thales’s SafeNet portfolio of certificate-based tokens offers strong multi-factor authentication in a traditional token form factor, enabling organizations to address their PKI security needs.
This section provides details on the usage of certificate based authentication (CBA) with SAS PCE in conjunction with SafeNet Keycloak Agent, where applications are configured to use SAS Keycloak instance as the primary IDP.
A typical CBA workflow includes:
- Client sends an authentication request over SSL/TLS channel.
- During the SSL/TLS handshake, the server and the client exchange their x.509 certificates.
- The Keycloak validates the client certificate.
- The user is redirected to SAS for authentication.
- After successful authentication, the user is redirected to the end application.
To configure CBA with SAS PCE, follow the steps mentioned below:
- Configure Prerequisites
- Add an Issuing CA to the Keycloak Trust Store
- Keycloak Tenant Configuration to enable CBA
- Extract User Identifiers from Client Certificate
- Test the CBA User Flow
Configure Prerequisites
-
Ensure the Keycloak server version is 19.0.3 or below along with the latest SafeNet Keycloak Agent installed on the machine.
-
To enable CBA, you need to add at least one certificate chain from an issuing certificate authority (CA) to your trust store in Keycloak. The trust store lists the certificate chains from the CAs that your organization trusts for the authentication of your users. Adding an issuing CA establishes a trust relationship that the system relies on to verify the authenticity of your users when they authenticate through SAS Keycloak instance.
-
TLS/SSL certificate and key file in PEM format.
Supported Certificate Types
The certificates must meet the following conditions:
- The certificates are configured for client authentication (ISO OID code 1.3.6.1.5.5.7.3.2).
- For Chrome, Internet Explorer, and Microsoft Edge browsers on Windows, certificate containers are managed by Microsoft Cryptographic Application Programming Interface (MS-CAPI) middleware.
- For Firefox browsers, certificate containers are managed by PKCS#11 middleware.
- For Safari browsers on macOS, certificates are configurable in the Keychain Access app.
There are usability limitations on Firefox and Safari browsers due to the browser’s implementation of TLS authentication and the associated certificate handling. For example, on these browsers, the user may not be prompted to insert their smart card.
Add an Issuing CA to the Keycloak Trust Store
To validate client certificates and enable the certificate based authentication methods, you need to create a trust store with all the certificates chains (intermediate and root) that the Keycloak should trust. Follow the below sub-sections to add and configure the TLS/SSL certificate and the issuing CA certificate to the Keycloak trust store.
Create a new Trust Store
You can use the Java keytool utility that is provided in the JDK installation directory to create a trust store file, as shown in the following steps:
-
Open command prompt, go to
<JDK Home Directory>/bin
directory. -
Execute the below command to generate a trust keystore file in .jks format.
keytool -import -alias <Alias name> -file <CA Cert file>.crt-keystore <Trust Store file>.jks
Where,
Alias name is a unique name which can be set as per your preference.
CA Cert file is the path of issuing CA certificate file in .crt format.
Trust Store file is the path where you wish to create the trust store file in .jks format. -
Set the password as per your preference.
-
Press Y to trust the certificate.
This process creates the trust store file in the current directory.
Ensure the trust store file generated in the above step is located in Keycloak conf directory:
/conf/ .jks
Configure TLS/SSL certificate and Trust Store in Keycloak
You need to configure the TLS/SSL certificate and trust store containing the issuing CA in Keycloak.
Follow the below steps to configure the trust store:
-
Go to the conf folder located in the Keycloak directory.
For example:
<Path of Keycloak Directory>/conf
-
Open keycloak.conf file in a text editor and add below parameters:
https-certificate-file: The file path to TLS/SSL certificate in PEM format.
https-certificate-key-file: The file path to TLS/SSL certificate private key in PEM format.
https-client-auth: Enter the value as request.
https-trust-store-file: The path of the trust store file which holds the certificate information of the issuing CA certificates to trust.
https-trust-store-password: The password of the trust store file.
For more information, refer to https://www.keycloak.org/server/enabletls.
-
Restart the Keycloak server.
Keycloak Tenant Configuration to enable CBA
To enable CBA, you have to add a new authenticator in your Keycloak realm.
Follow the steps mentioned below to add a new authenticator for CBA:
-
Login to Keycloak Admin console.
Ensure the admin console is based on old theme.
-
In the left pane, select your desired realm.
-
In the left pane, under Configure, click on Authentication. Under Flows tab, select the SafeNet OTP Flow. Now click on Copy button to copy the flow.
-
In the Copy Authentication Flow window, in the New Name field, enter the name of the flow. For example: SafeNet OTP flow with CBA.
-
Under Flows, ensure SafeNet OTP Flow with CBA is selected, click on Add Execution.
-
In the Create Authenticator Execution window, in the Provider field, select X509/Validate Username Form and click Save.
-
Mark X509/Validate Username Form as Alternative and move it above SafeNet OTP Flow Forms by clicking on () upward arrow icon, as shown in the picture below.
Ensure SafeNet OTP Flow Forms is also marked as Alternative. By configuring this setting, if the end user is accessing the application from a device which doesn’t have the company provided smart card (client certificate) then the user will be asked for OTP based authentication instead of CBA based authentication.
-
For X509/Validate Username Form, click Actions then click Config.
-
In the Create authenticator config window, perform the following below steps:
- In the Alias field, enter the name of the configuration. For example: pki-config.
-
In the User Identity Source field, select the unique identity source which will extract the user identity from X509 Certificate. For example: Subject’s email.
This mapping can vary between customer depending on their CA - user certificate profiles.
-
In the User mapping method field, select Username or Email.
- Ensure Check certificate validity option is ON.
-
Click Save.
-
In the left-pane, click Authentication, then click Bindings tab.
-
In the Browser Flow field, select the instance that you have created above in step 4. For example: SafeNet OTP flow with CBA.
-
Click Save.
Extract User Identifiers from Client Certificate
You need to create the client certificate using the issuing CA certificate that you have configured as a trust store in Add an issuing CA to the Keycloak trust store section.
While creating the client certificate, ensure that the user has the same username and email address in Keycloak and SAS PCE as provided for common name and email address in the certificate.
For example, for the user with the username as test.user and email address as test.user@example.com, the user details in Client Certificate, Keycloak Agent and SAS PCE will appear as shown in the pictures below.
Client Certificate
Keycloak User
SAS PCE User
Test the CBA User Flow
To test the CBA authentication, you need to install the client certificate where the authentication needs to happen. You need to install the .pfx client certificate in the Certificate Manager under Personal > Certificate.
Ensure the browser is able to fetch the above certificate details.
Follow the steps mentioned below to test the authentication:
-
Access the application URL that you have configured as client in your Keycloak Realm. For example:
https://<Your Domain Name>:8443/auth/realms/<Realm Name>/account
-
Select the client certificate and click OK.
-
Click on Sign In. You will be redirected to SafeNet Authentication Service page that will display the user attributes fetched from the client certificate. Then, click on Continue button if the information is valid.
However, you can choose the authentication method based on your requirement. -
After successful authentication, you willContinue be redirected to the application.