Enable 2 Factor Authentication in KeyCloak in 5 minutes

By RAJAN N C KRISHNAN posted Tue August 20, 2024 08:29 AM


Purpose of this Article

The purpose of this article is simply to show how to enable 2FA in your KeyCloak.

2FA is something most customers require of their IAM platform. KeyCloak, as an IAM platform, is now installed as part of IBM Common Services. In this article we will see how to enable and use 2FA for a CP4I application, using a mobile authenticator app (e.g. Google Authenticator) as the second factor.

What is 2FA?

Two-factor authentication (2FA) is an identity verification method in which users must supply two pieces of evidence, such as a password and a one-time passcode, to prove their identity and gain access to an online account or other sensitive resources.

In this article, you'll see how easy it is to enable 2FA in Integration KeyCloak (the KeyCloak that is installed as part of CP4I). 

Assumptions 

  • You have KeyCloak installed and at least one CP4I application (e.g. EventStreams) deployed with KeyCloak-based authentication.
  • You are able to log in to your application by authenticating via KeyCloak.

Enable 2FA

1. Open the KeyCloak Admin Console page. 

To get the KeyCloak URL, run:

oc -n ibm-common-services get route --field-selector metadata.name=keycloak

2. Log in to the KeyCloak Admin Console as an admin.

3. Select the 'cloudpak' realm. 

4. Select the 'Authentication' link. 

5. This displays the list of authentication flows. Click the 'Browser' flow.

6. Look for the 'Browser - Conditional OTP' step, which by default is set to 'Alternative', and change it to 'Required'. Since the Browser flow is bound to the whole realm, this applies to every user who logs in through the 'cloudpak' realm, not just to one application.

7. That's it. KeyCloak is now configured for 2FA. You can try logging in. 

Test Login from your Application

1. Open your Application's login page. 

2. Log in with your normal user name / password as configured in KeyCloak.

3. If the password login is successful, you will be asked to perform the second authentication step. You should see a screen asking you to set up the authenticator on your mobile device.

Scan the QR code with your authenticator app.

Enter the one-time code it generates, and a device name for the device on which you are using the authenticator.

This information (i.e. the device details) is stored in KeyCloak. The next time you log in with your ID, you will NOT be asked to scan again; you will only need to enter the one-time code generated by the authenticator.

4. You should now be logged in to your application. 
