Enforce your Admin Account Security

Overview

Administrative accounts have elevated privileges and access to sensitive configurations in Keycloak. Securing these accounts is critical to prevent unauthorized access, privilege escalation, or compromise of your identity management infrastructure.

Keycloak provides built-in features such as strong password policies, multi-factor authentication (MFA), and brute force detection to protect admin accounts.

Use Case

IAM

For internal Identity and Access Management (IAM), securing admin accounts prevents accidental or malicious changes to internal systems, policies, and employee accounts.

CIAM

In customer-facing applications, protecting admin accounts safeguards user data, configurations, and authentication workflows from unauthorized modifications.

Pros & Cons

Pros

• Enhanced Security: Reduces the risk of unauthorized access to Keycloak admin functions.
• Compliance: Supports regulatory requirements for privileged accounts.
• Auditability: Enables tracking of sensitive admin operations.

Cons

• Increased Complexity: MFA and strong passwords may slightly slow login.
• Device Requirements: Admins must have access to MFA devices or apps.

Supported by Keycloak

Yes, natively supported and configurable on Managed Keycloak by Cloud-IAM.

Configuration

Create your Admin account and Remove the default Admin account

Create your personal account in the Master realm

1. Login in to Keycloak using the default Admin user
2. Select the Master realm
3. Navigate to the User section
4. Select Add user
5. Fill in your personal details (email, first name, last name)
6. Then Click on Create

Keycloak admin console - Create your personal account on Master realm

Register your future credential

1. Go to Credentials tab
2. Click on Set Password
3. Choose a strong, unique password for your admin account:
   • At least 12 characters long
   • Random combination of letters, numbers, and symbols
   • Avoid common words, names, or reused passwords
4. Uncheck the Temporary toggle
5. Click Save and Save password to confirm the password
6. Verify that the new password appears on the list

Keycloak admin console - Register your future credential

Always Keep an Admin Password

At least one admin account should always retain a locally managed password. Keeping a local admin password ensures that you can always access your Keycloak Master realm, even during external service interruptions.

Relying solely on external Single Sign-On (SSO) providers may prevent access if the external service experiences downtime or if there is a misconfiguration during setup.

Assign to your new personal account admin role

1. Go to Role mapping tab
2. Click on Assign role
3. Click on Filter by realm role
4. Select admin - role_admin
5. Then click Assign the admin role
6. You can now log out from the default Admin user account

Keycloak admin console - Assign to your new personal account admin role

Delete default Admin User

1. Log in with your new personal admin account
2. Navigate to the Users section
3. Find the default admin user, click the ... menu
4. Select Delete then Delete to confirm

You have now created your own admin account and removed the default admin account.

Keycloak admin console - Delete default Admin User

Create another admin account

For secure and resilient access management, it is strongly recommended to maintain at least two admin accounts in your Keycloak. This ensures continuity and control if one administrator loses access to their account, preventing potential lockouts and maintaining operational security.

Resources

• Deploy my Keycloak on Cloud-IAM
• Keycloak Official Documentation – Authentication & Security
• ANSSI Guide – Securing Privileged Accounts