IBM Security Verify

Extending Keycloak SSO Capabilities with IBM Security Verify

By JASON CHOI posted Wed June 10, 2020 10:28 AM


OpenShift is becoming the platform of choice for hybrid cloud as clients look to define their multi-cloud strategy.

Clients deployed on OpenShift often use Red Hat Single Sign-On (Red Hat SSO) to fulfill their identity and access management (IAM) needs during the application development lifecycle or to protect OpenShift resources such as clusters, logs, etc. Red Hat SSO's upstream project is Keycloak, an open source IAM solution. In this article, any reference to Keycloak also applies to Red Hat SSO.

For Keycloak users, robust security and a seamless user experience must be given equal consideration. Neither requirement should be compromised, especially as applications are being built for a multi-cloud world.

With the Keycloak + IBM Security Verify* Authenticator Extensions, administrators and developers can secure their applications with Keycloak and add another layer of advanced authentication along with ID-less and passwordless experiences. IBM Security Verify extends the ability of administrators and developers to create authentication flows that add authentication methods such as QRCode, Mobile Push, FIDO, SMS, and Email, each usable as a first- or second-factor authentication. Furthermore, QRCode and FIDO can be used for ID-less and passwordless authentication, providing a frictionless end-user experience.

Figure 1: Example of extending Keycloak with IBM Security Verify

Keycloak users can download the extensions and place them into their Keycloak instance to gain access to the IBM Security Verify Extensions for authentication flows. For Email and SMS second-factor authentication, Verify provides, as part of the Verify as a service experience, all the infrastructure that Keycloak users would otherwise have to configure themselves, including SMTP and SMPP servers. This greatly shortens time to value.

Using QRCode as an example, Keycloak users can easily configure ID-less and passwordless experiences natively within Keycloak to provide a more secure and frictionless authentication experience. All Keycloak users need to do is create an API client in IBM Security Verify, drop the extensions into their Keycloak deployment, and configure a QRCode authentication flow.

Figure 2: Example authentication flow with IBM Security Verify (QRCode)

IBM Security Verify provides administrators with visibility and analytics into authentication events when its extensions are used with Keycloak. Administrators can see where users are authenticating from, drill down into each event to identify potential anomalies, and more. The resulting reports may be used for auditing and compliance purposes.

Figure 3: Example Authentication activity view

Advanced authentication and frictionless experiences can be added to Keycloak deployments in just 20 minutes:

  1. Create a free Verify tenant
  2. Download the extensions and drop them into a Keycloak deployment
  3. Configure desired authentication flows

The user guide contains detailed information on installation and usage.

Additional information can be found in the IBM Security GitHub.


*IBM Security Verify is an identity as a service (IDaaS) offering. It provides full end-to-end identity and access management capabilities spanning single sign-on (SAML, OIDC, and other authentication/authorization flows), multi-factor authentication, adaptive access, identity governance and administration, and analytics. Verify protects applications deployed across multiple clouds and is a highly available service out of the box.