Third party resources
Customizing a deployment may require additional files. Cloud-IAM makes this possible through third party resources.
Concept
Third party resources can be uploaded to Cloud-IAM storage through the API (create a service account to use the Cloud-IAM REST API). The files are gathered during the deployment and installed on each Keycloak node.
Depending on the type of the third party resource, additional behaviour is attached to the file; the types are described below.
INFO
As third party resources can contain sensitive data, they are stored encrypted in the Cloud-IAM infrastructure.
Accessibility
Cloud-IAM Console
To manage third parties from the console, open a deployment, click on the Configuration tab and scroll to the Third parties section:

Cloud-IAM API
The API lets you manipulate the resources: they can be added, updated and deleted. In the example below, the last path segment (mTLS) is the resource type.
$ DEPLOYMENT_ID=df47bd9a-f416-4bd1-a2a9-6fc17b41c004
$ TOKEN=$( get-token )   # get-token stands for whatever obtains a bearer token for your service account
$ curl -X POST -F content=@/tmp/mTLS.pem -H "Authorization: Bearer $TOKEN" \
https://api.cloud-iam.com/deployments/${DEPLOYMENT_ID}/third-parties/mTLS/
Trusted-certificates
Overview trusted certificates
When the deployment connects to an external service (an LDAP directory, an identity provider, a mail server...), the Keycloak server checks that the connection is secured with a certificate it trusts.
If the service uses a self-signed certificate, or one issued by a private CA, you need to declare that certificate as trusted.
This is done via a third-party resource of the trusted-certificates type. Every certificate in the uploaded file is added to the Keycloak truststore and will be trusted for any outgoing connection, so only include the certificates you actually need (ideally the issuing CA rather than a leaf certificate).
TIP
Untrusted certificates usually generate this kind of stack trace in the Keycloak server logs:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 20 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 26 more
Manage trusted certificates
To upload a trusted certificate, click on Upload trusted certificate file and select a .pem file:

TIP
Make your management easier by using versions.
For example, instead of uploading a file named demo.pem, name it demo-1.0.0.pem.
This helps you find your way around, and it helps our support when we need to work on your deployments.
From the trusted certificates section it is also possible to:
- Download the current version to your local machine
- Replace it by another version
- Remove it from the list
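Everything in the uploaded bundle is trusted by every Keycloak node for any hostname, so it is worth inspecting the file before uploading it. The following POSIX shell script is an added example (not Cloud-IAM's code) that relies only on openssl and awk: it splits a PEM bundle into its certificates and, for each one, prints subject, issuer and expiry, flags certificates that are expired (or about to expire) and duplicates, and warns when an entry is not a CA certificate, since a self-signed leaf certificate works as a trust anchor but has to be re-uploaded every time that service renews it. The same check applies to the bundle of CA chains uploaded as the mTLS resource described further down.

```shell
#!/bin/sh
# Inspect a PEM bundle before uploading it as a trusted-certificates (or mTLS) resource.
# Added example, not Cloud-IAM code. Needs only openssl and awk.
# Usage: check_truststore_bundle BUNDLE.pem [WARN_DAYS]
# Returns 0 when the bundle holds at least one parseable, unexpired, non-duplicated certificate.

check_truststore_bundle() {
    bundle="$1"
    warn_days="${2:-30}"          # warn when a certificate expires within this many days
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    tmpdir=$(mktemp -d) || return 2

    # Split the bundle into one file per PEM certificate block; text between blocks
    # (e.g. the chatter of "openssl s_client -showcerts") is dropped.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"

    count=0; problems=0; seen=""
    for cert in "$tmpdir"/*.pem; do
        [ -e "$cert" ] || break        # no BEGIN CERTIFICATE block found at all
        count=$((count + 1))
        if ! subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null); then
            echo "cert #$count: PROBLEM: not a parseable X.509 certificate"
            problems=$((problems + 1)); continue
        fi
        issuer=$(openssl x509 -in "$cert" -noout -issuer)
        enddate=$(openssl x509 -in "$cert" -noout -enddate)
        fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
        echo "cert #$count: $subject"
        echo "    $issuer"
        echo "    $enddate"
        [ "${subject#subject=}" = "${issuer#issuer=}" ] && echo "    self-signed"

        # Expired entries are dead weight; entries about to expire will break the integration soon.
        if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
            echo "    PROBLEM: already expired"; problems=$((problems + 1))
        elif ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null; then
            echo "    WARNING: expires within $warn_days days"
        fi

        # Anything in the truststore is trusted for every hostname, so prefer the issuing CA.
        # A self-signed leaf works, but must be re-uploaded each time the service renews it.
        if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
            echo "    WARNING: not a CA certificate (leaf certificate in the truststore)"
        fi

        # The same certificate twice is usually a copy-paste slip while assembling the bundle.
        case "$seen" in
            *"$fp"*) echo "    PROBLEM: duplicate of an earlier certificate"; problems=$((problems + 1)) ;;
        esac
        seen="$seen|$fp"
    done
    rm -rf "$tmpdir"

    echo "$count certificate(s), $problems problem(s)"
    [ "$count" -gt 0 ] && [ "$problems" -eq 0 ]
}

# Example (the file name is hypothetical): check_truststore_bundle ldap-ca-1.0.0.pem 60
```

Run it against the exact file you are about to upload; a non-zero exit status means the bundle should be fixed first. The expiry warning is useful as a reminder to upload a new version (for example ldap-ca-1.1.0.pem) well before the old one stops working.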
Password-blacklists
Overview password blacklists
Password complexity remains one of the keys to keeping a user's identity safe. Keycloak offers various configuration options to enforce minimum requirements on user passwords. A good security practice is also to forbid passwords that are known to be unsafe, either because they are weak or because they appeared in a leak. Keycloak calls this policy a password blacklist; the Cloud-IAM console calls the uploaded file a password deny list.
Activate the predefined list provided by Cloud-IAM
Cloud-IAM provides on each Keycloak deployment a predefined list of the 10,000 worst passwords, which customers can activate:
- Access your Keycloak
- Select the realm which will contain the password blacklist
- Click on Authentication
- Select Policies
- Then click on Password Policy
- From the drop-down list, select Password Blacklist
- Register the following list title: top-10000.txt
- Then click on Save
You have now enabled the predefined password blacklist provided by Cloud-IAM.

Add your own password blacklists
You can add your own password blacklists. To do this you must:
Step 1 - Upload your list on Cloud-IAM
- Connect to the Cloud-IAM console
- Select the deployment
- Go to Configuration and scroll down until the Password deny list section
- Click on Upload password deny list file and select your .txt list
- Click on OK to validate the correct file
- Copy the name of your list (for example password-deny-list-demo.txt)

Step 2 - Activate your list on Keycloak
- Access your Keycloak
- Select the realm which will contain the password blacklist
- Click on Authentication
- Select Policies
- Then click on Password Policy
- From the drop-down, select Password Blacklist
- Paste your list name (for the example, password-deny-list-demo.txt)
- Then click on Save
You have now enabled your own password blacklist.

From the Password deny list section it is also possible to:
- Download the current version to your local machine
- Replace it by another version
- Remove it from the list
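Keycloak reads a blacklist file as UTF-8 text with Unix line endings, one password per line. Lists edited on Windows often carry CRLF line endings or a byte order mark, and downloaded lists contain duplicates and blank lines; an entry that ends with a stray carriage return never matches anything a user types, so the list silently stops protecting. The following POSIX shell script is an added example (not Cloud-IAM's or Keycloak's code) that normalises a source list into a file ready for the Upload password deny list file step above, using the versioned naming suggested for trusted certificates; the file names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Normalise a password deny list before uploading it to Cloud-IAM.
# Added example, not Cloud-IAM code. Keycloak reads the list as a UTF-8 text file with
# Unix line endings, one password per line, so Windows artefacts (CRLF, a BOM) would
# silently turn entries into strings no user ever types.
# Usage: prepare_deny_list SOURCE.txt DEST.txt [MIN_LENGTH]
# Prints the number of entries written to DEST; returns 1 if nothing was written.

prepare_deny_list() {
    src="$1"; dest="$2"
    # Entries shorter than the realm's minimum password length can never match a password
    # that passes the length policy, so they only bloat the list.
    min_len="${3:-1}"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }

    # Byte-oriented processing (LC_ALL=C): no locale-dependent case folding or re-encoding.
    # Whitespace inside an entry is kept on purpose; only the CR of CRLF is removed.
    LC_ALL=C awk -v min="$min_len" '
        { sub(/\r$/, "") }                                  # CRLF -> LF
        NR == 1 && substr($0, 1, 3) == "\357\273\277" {     # strip a UTF-8 byte order mark
            $0 = substr($0, 4)
        }
        length($0) < min { next }   # drops blank lines and hopeless entries (byte length, so conservative)
        !seen[$0]++                 # keep the first occurrence of each password, in file order
    ' "$src" > "$dest"

    n=$(wc -l < "$dest")
    n=$((n))                        # strip the padding some wc implementations print
    echo "$n"
    [ "$n" -gt 0 ]
}

# Example with hypothetical file names and a realm minimum length of 8:
# prepare_deny_list leaked-passwords.txt password-deny-list-demo-1.0.0.txt 8
```

Upload the resulting file as the password deny list, then enter its exact name (version included) in the Password Blacklist policy of the realm. Note that the script deliberately does not change the case of entries, so a list that should catch both "Password" and "password" must contain both.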
mTLS
Overview mTLS
Adding a third party resource of type mTLS is necessary to enable mTLS support in Keycloak. There can be only one file of that type; however, it can contain multiple certificate chains, which are all used when setting up mTLS.
Please read our documentation about configuring the certificate authentication in the realm authentication flow.
Manage mTLS
WARNING
This feature is in active development; please contact us at support@cloud-iam.com.