IDM Europe 2018: WSO2 Identity Server vs. Keycloak (Dmitry Kann)

00:05

ladies and gentlemen American freelance

00:09

full-stack developer into solutions is

00:13

basically my sole proprietorship company

00:16

and currently working at Netherlands

00:18

Paul way which is natural ways I have

00:25

quite some experience with the product

00:28

of W as Oh - from my previous client

00:33

which was one of Dutch ministries and

00:36

this product is popular with Dutch

00:40

government so yeah let's first start

00:45

with the concept of an identity so a

00:50

girl who is here familiar with this term

00:54

okay so not much yeah

00:58

for the rest I would explain it in a

01:01

very deep in the Annika way it's

01:05

imaginary of a bunch of users in the

01:09

organization and you have multitude of

01:12

applications most of which you didn't

01:14

develop and you need to link ones to the

01:18

others and well you can imagine that it

01:23

involves a lot of things like role

01:26

management permission management people

01:28

moving in and out of your organisation

01:30

people move into different department

01:33

which also imposes their permissions and

01:37

you want ideally to manage this all

01:41

centrally so this is exactly when an

01:45

identity server comes in handy

01:51

well that's exactly the thing that

01:53

allows you to manage the list of people

01:59

users and roles in a centralized way it

02:03

also takes over authentication requests

02:04

and login request so providing some kind

02:06

of user interface for logging in and for

02:10

other things which we all see you later

02:12

and well I can assure that it entails a

02:17

lot of things so you can expect that

02:21

such a component would need to implement

02:25

a bunch of protocols on a technical side

02:28

all the things on the left you have two

02:32

major single sign-on protocols like some

02:34

o2 and open ID connect you have things

02:39

like one-time passwords multi step

02:42

authentication you need to integrate

02:45

probably with other identity providers

02:47

but at the same time you also need to

02:50

comply with the things on the right

02:53

so the infamous GPS gdpr which came into

02:57

effect recently in Europe in other

02:59

territories you need to comply with

03:01

local legislation as well you need to

03:05

manage user concerns to things like

03:06

terms and conditions and this whole

03:09

thing needs to be auditable as well

03:11

because what we are giving people access

03:13

to some critical parts of your

03:15

infrastructure and that's not all

03:19

because he also needs to implement some

03:22

useful functionality for users like

03:25

resetting forgotten passwords periodic

03:29

password change account administration

03:32

so on

03:34

so yeah if you think of it as an

03:36

enormous task but there's good news you

03:43

have two options for just reusing which

03:49

again you can choose from just pick it

03:51

up and two open source projects which

03:56

key clock and W so two identity server

03:59

widely adopted Enterprise great Identity

04:02

Management solutions so let's have a

04:05

closer look at them let's start off with

04:10

some basic information about these two

04:11

products

04:12

key clocks currently being developed by

04:14

JBoss which is a division of Red Hat and

04:17

W so2

04:20

a dentist or is being developed by well

04:22

W so to both our American corporations

04:27

key clock is first release of 2014 which

04:32

is bit younger than W so - from 2008

04:36

that's at least the information I

04:38

managed we both are redistributed under

04:42

the terms of apache license 2.0 which

04:45

has pitted unrestrictive and allows for

04:47

commercial use both are written in java

04:50

and both run on some middleware which is

04:53

wild fly in case of key clock or that

04:55

was to carbon case of the aryan - server

05:01

if you plan to use software for a

05:04

business you will definitely consider

05:06

the commercial support option and well

05:11

the thing is a geek lock is as a

05:13

community version of a paid Red Hat

05:16

product called our age SSO and you can

05:21

only get commercial support for that one

05:22

the prices start at eight thousand

05:24

dollars per year and the community

05:28

version never gets patched

05:30

unfortunately for wso - you can buy

05:34

product just for the identity server but

05:36

it is a bit more costly about 20k per

05:40

year euros which I give updates and

05:43

incident support otherwise the community

05:47

version doesn't get patches either and

05:53

if you're interested in trying these

05:54

things out it's extremely easy in terms

05:57

of if you want to try key clock out you

06:01

just need a single docker command which

06:03

is from the screen for w so -

06:08

unfortunately you don't find public

06:11

docker registries but you can download

06:13

the binary package and install it which

06:16

is not that difficult either so the rest

06:22

of my presentation will be comparing

06:24

functionality one by one on the

06:28

topics displayed here that's the one

06:30

that I picked that yeah just just the

06:33

very basics of it and let's start these

06:37

users and drones it's a fundamental

06:39

concept to identify and obviously it's

06:42

well supported by both of them key clock

06:45

also has the notion of groups which

06:51

allow you to assign attributes to

06:55

multiple users next one up is user

06:59

stores a user store is a component that

07:04

allows you to persist users and roles

07:07

and both servers out-of-the-box

07:13

configured to use the embedded h2

07:16

database but they both discourage you

07:22

from using that in production key cloak

07:25

offers only one persistence option and a

07:27

single data source wso to allows you to

07:31

configure as many data sources as you

07:33

like and you can mix and match basically

07:36

various units such as LDAP or even

07:39

another identity server for persistence

07:44

mmm single sign-on that's one of the

07:47

main reasons probably you want an

07:49

identity server because it allows user

07:52

to authenticate only once and get access

07:54

to multiple applications relying on it's

07:56

over both SSL protocols are well

08:00

supported by these two products however

08:04

does some terminology difference key

08:09

cloak cause they're lying

08:12

applications clients and wso to cause

08:15

them service providers that's

08:16

essentially the same thing attribute

08:22

mapping that is something that you would

08:25

need if you have diverse applications

08:28

because different applications call the

08:31

same things differently like last name

08:34

surname so for that purpose you might

08:37

want to map some user attributes

08:39

two different entities and it's all

08:43

supported by both of them identity

08:48

Federation is a slightly more complex

08:51

topic

08:52

it means relying on another identity

08:55

provider for for example another

08:58

identity server for authenticating

09:01

your users so we are all familiar with

09:05

things like social logging via Facebook

09:08

or Twitter that's exactly and they had

09:10

into Federation both service do support

09:15

external Venki providers including

09:18

social ones but wso - allows you to

09:23

configure them in a slightly more

09:25

flexible way per application identity

09:33

provisioning next one up in simple terms

09:37

that into provision means creating users

09:39

on the fly as they are authenticated and

09:42

it comes in two flavors it's either in

09:45

both outbound inbound meaning you create

09:48

users locally after they're

09:50

authenticated externally outbound

09:52

meaning you create users elsewhere after

09:58

they're authenticated locally

10:01

Kiko only supports the first flavor and

10:04

double so two supports both variants of

10:10

user provisioning you can configure this

10:14

per application and it also has support

10:18

for the scheme protocol which is a

10:20

system for cross domain identity

10:22

management multi-tenancy multi-tenancy

10:30

is a bit controversial way of creating

10:32

virtual identity servers within a single

10:35

server instance while the main reason

10:38

why you would want to have such setup is

10:42

cheaper implementation both servers do

10:45

support this mechanism although key

10:48

cloak cost Amri arms and

10:51

there was a to call some tenants he clog

10:57

also allows you to bit more easily

11:01

manage your different tenants because

11:04

with wz2 you need to log in a standard

11:08

element every time you need to make

11:09

changes to that talents next one up is

11:16

one-time passwords it's a well-known

11:19

security enhancement that you can

11:21

implement and it's often a part of a

11:23

multi step authentication flow which I

11:26

will show in the next slide both servers

11:30

support time based passwords

11:34

however w2 does not support counter

11:37

based passwords both support Google

11:40

Authenticator which is basically a

11:44

standard time based password

11:46

implementation and the w2 also allows

11:50

you to send the generated passwords via

11:52

SMS or email and the next building block

11:59

the last building block basically that's

12:01

multi step authentication multi step

12:05

authentication is used for two purposes

12:08

it's either enhancing security just like

12:13

the one-time passwords as I just

12:15

mentioned or you can impose specific

12:18

actions on the user such as password

12:20

update after the after the user logs in

12:24

so the multi notation of key clock is a

12:26

bit limited the only security

12:28

enforcement here is one-time password

12:30

and the rest is just a set of some

12:35

predefined actions that you can mandate

12:37

the user to execute and the flows in W

12:41

so to are extremely flexible so you can

12:44

basically cook up any imaginable

12:46

sequence of steps but it comes at the

12:51

price of some complexity

12:55

so yeah let's summarize what we've seen

12:59

so far my conclusion says that key clock

13:02

is a bit easier to configure it's a bit

13:07

more user friendly and has more modern

13:11

UI it's also cheaper in terms of

13:15

commercial support wso 2 is much more

13:19

involved in terms of installation and

13:21

configuration requires much more

13:23

knowledge to be able to do things

13:26

properly it's quite pricey and well I

13:31

believe it can offer just about anything

13:34

in terms of functionality so if your

13:39

application landscape is very diverse in

13:41

complex I would choose the wso 2 product

13:45

and otherwise I was just go with key

13:48

clog yeah so that's about it thank you

13:54

for attention

14:00

you