6.9. Keycloak configuration

This section outlines practical use cases for integrating Keycloak as an identity provider within Nubus for Kubernetes. It addresses DevOps engineers, system engineers, system administrators, and developers who are responsible for configuring authentication and identity management in Nubus for Kubernetes.

Through real-world scenarios, this section demonstrates how to adapt the Nubus for Kubernetes configuration to meet different authentication needs, helping you apply these solutions directly in your own infrastructure.

6.9.1. Multi-factor authentication for Keycloak

Keycloak provides a multi-factor authentication (MFA) option. Keycloak itself calls it two-factor authentication (2FA), but for simplicity this section uses the generic term MFA.

MFA is an authentication method that grants users access to a service only after they sign in with both a password and a one-time password (OTP). Third-party OTP generator apps, for example FreeOTP, 2FAS, or Google Authenticator, produce the OTP.

MFA increases the protection for user data, because users need to provide two pieces for authentication:

  1. Knowledge through a password.

  2. Ownership through something in the user’s possession, such as the OTP.

MFA also improves the security of the system by reducing the risk that attackers lock out known accounts through repeated failed sign-in attempts.

After you activate MFA for a group of users, Keycloak asks those users for their OTP on each login. To activate or deactivate MFA for a user group, follow the instructions in the following sections.

See also: Multi-factor authentication - Wikipedia, for more information about multi-factor authentication.

6.9.1.1. Activate MFA for domain administrators

To enable MFA, edit your custom_values.yaml file as outlined in the following steps:

  1. To activate MFA in Keycloak, add the lines in Listing 6.22 to your custom_values.yaml values file.

    The configuration uses the following values:

    Listing 6.22 Enable multi-factor authentication for domain administrators
    nubusKeycloakBootstrap:
      bootstrap:
        twoFactorAuthentication:
          enabled: "true"
          group: "Domain Admins"
    
  2. To apply the configuration, follow the steps in Apply configuration.

6.9.1.2. Deactivate MFA for domain administrators

Note

You enabled MFA through the values listed above in custom_values.yaml. However, removing these entries does not fully disable MFA, because enabling it makes a persistent change in Keycloak: a role mapping on the group. To completely deactivate MFA and revert this change, you must perform manual steps.

To deactivate MFA, remove the values listed above from custom_values.yaml and unassign the 2FA role from the group in Keycloak, as outlined in the following steps:

  1. To sign in to the Keycloak Admin Console, navigate in your web browser to the URL https://id.$(global.domain)/admin, where the value of global.domain completes the FQDN of the URL.

    Example:

    https://id.nubus.example.com/admin, where nubus.example.com is the value in global.domain.

  2. In the Keycloak Admin Console, navigate to realm nubus.

  3. Select Groups and choose Domain Admins in the list.

  4. On the tabs, navigate to Role Mappings.

  5. Next to the 2FA role, click the three dots and select Unassign.

  6. Confirm the dialog by clicking Remove.
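A check for the manual step above, added here as an example that is not part of the Nubus documentation or product: it queries the Keycloak Admin REST API and reports whether the Domain Admins group in realm nubus still has the 2FA role mapped, at realm or client level. It assumes an admin-cli password grant against the master realm, credentials in the environment variables KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD, and the Keycloak base URL in KEYCLOAK_BASE (all assumed names).

```python
import json
import os
import urllib.parse
import urllib.request

# Assumption: base URL of the Keycloak instance, e.g. https://id.<global.domain>
BASE = os.environ.get("KEYCLOAK_BASE", "https://id.nubus.example.com")


def admin_token(base: str, user: str, password: str) -> str:
    """Fetch an admin access token from the master realm (admin-cli password grant)."""
    data = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": user, "password": password,
    }).encode()
    req = urllib.request.Request(f"{base}/realms/master/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def get_json(base: str, path: str, token: str):
    """GET an Admin REST API path with the bearer token and decode the JSON body."""
    req = urllib.request.Request(f"{base}{path}", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def role_assignments(mappings: dict, role_name: str = "2FA") -> list:
    """Return where role_name is still mapped for a group: "realm" or "client:<clientId>".

    `mappings` is the MappingsRepresentation returned by /groups/{id}/role-mappings.
    """
    found = []
    if any(r.get("name") == role_name for r in mappings.get("realmMappings", [])):
        found.append("realm")
    for key, entry in mappings.get("clientMappings", {}).items():
        if any(r.get("name") == role_name for r in entry.get("mappings", [])):
            found.append(f"client:{entry.get('client', key)}")
    return found


def check_group(base: str, realm: str = "nubus", group: str = "Domain Admins", role: str = "2FA") -> list:
    """Look up the group by name and list the remaining mappings of the MFA role."""
    token = admin_token(base, os.environ["KEYCLOAK_ADMIN"], os.environ["KEYCLOAK_ADMIN_PASSWORD"])
    groups = get_json(base, f"/admin/realms/{realm}/groups?search={urllib.parse.quote(group)}", token)
    matches = [g for g in groups if g.get("name") == group]
    if not matches:
        raise SystemExit(f"group {group!r} not found in realm {realm!r}")
    mappings = get_json(base, f"/admin/realms/{realm}/groups/{matches[0]['id']}/role-mappings", token)
    return role_assignments(mappings, role)


if __name__ == "__main__":
    left = check_group(BASE)
    print("MFA still enforced via:", left) if left else print("2FA role removed; MFA deactivated")
```

An empty result means the role mapping is gone and the deactivation steps are complete; a non-empty result names the mapping that still enforces MFA.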