6.9. Keycloak configuration
This section outlines practical use cases for integrating Keycloak as an identity provider within Nubus for Kubernetes. It addresses DevOps engineers, system engineers, system administrators, and developers who are responsible for configuring authentication and identity management in Nubus for Kubernetes.
Through real-world scenarios, this section demonstrates how to adapt the Nubus for Kubernetes configuration to meet different authentication needs, helping you apply these solutions directly in your own infrastructure.
6.9.1. Multi-factor authentication for Keycloak
Keycloak provides a multi-factor authentication (MFA) option. Keycloak itself calls it two-factor authentication (2FA), but for simplicity this section uses the generic term MFA.
MFA is an authentication method that grants users access to a service after they sign in with a password and a one-time password (OTP). A third-party OTP generator, for example FreeOTP, 2FAS or Google Authenticator, produces the OTP.
MFA increases the protection of user data, because users need to provide two factors for authentication:
- Knowledge: a password.
- Possession: something the user owns, such as the device that generates the OTP.
MFA also increases the security of the system, because it makes it harder for an attacker to lock known accounts through repeated malicious sign-in attempts.
After you activate MFA for a group of users, Keycloak asks those users for their OTP on each login. To activate or deactivate MFA for a user group, follow the instructions in the next sections.
See also
- Multi-factor authentication - Wikipedia
for more information about multi-factor authentication.
6.9.1.1. Activate MFA for domain administrators
To enable MFA, you edit your custom_values.yaml file as outlined in the following steps:
1. To activate MFA in Keycloak, add the lines in Listing 6.22 to your custom_values.yaml values file. The configuration uses the following values:
   - nubusKeycloakBootstrap.bootstrap.twoFactorAuthentication.enabled
   - nubusKeycloakBootstrap.bootstrap.twoFactorAuthentication.group

   Listing 6.22: MFA settings in custom_values.yaml

   ```yaml
   nubusKeycloakBootstrap:
     bootstrap:
       twoFactorAuthentication:
         enabled: "true"
         group: "Domain Admins"
   ```

2. To apply the configuration, follow the steps in Apply configuration.
6.9.1.2. Deactivate MFA for domain administrators
Note
You enabled MFA through the values listed above in custom_values.yaml. However, removing these entries does not fully disable MFA, because enabling it makes persistent changes within the system. To completely deactivate MFA and revert these changes, you must perform manual steps.
To deactivate MFA, you need to remove the values listed above from custom_values.yaml and remove the role 2FA role from the group in Keycloak, as outlined in the following steps:
1. To sign in to the Keycloak Admin Console, use your web browser and navigate to the following URL scheme: https://id.$(global.domain)/admin. The value in global.domain completes the FQDN of the URL.
   - Example: https://id.nubus.example.com/admin, where nubus.example.com is the value in global.domain.
2. In the Keycloak Admin Console, navigate to the realm.
3. Select Groups and choose Domain Admins in the list.
4. On the tabs, navigate to Role Mappings.
5. Next to 2FA role, click the three dots and hit Unassign.
6. Confirm the dialog by clicking Remove.