Supporting Multi-Factor Authentication and Single Sign-On with In-house Identity Provider (Part 1)

Creating My IdP with Keycloak and FreeIPA

In this blog, we will show you how to build an in-house Identity Provider (IdP) by integrating Keycloak with FreeIPA’s LDAP function. We will also show that Keycloak can provide One Time Password (OTP) and FreeIPA authentication functions that enable Multi-Factor Authentication (MFA) and Single Sign-On (SSO).

Introduction

XTREME-D’s products rely on conventional HPC architecture and multiple web services. However, when using multiple web services it is very cumbersome to perform an authentication process if each service has its own authentication. Therefore, if we could unify authentication using an SSO, ID management would become much easier and more convenient. In addition, we’d be able to strengthen the security of the initial authentication itself using MFA.

As for Identity Management (IdM), it is preferable to use LDAP, which we have been using for a long time. In particular, we use many command line tools to support HPC environments, and these tools need to be linked with LDAP Linux authentication. Therefore, a continued use of the existing LDAP is a prerequisite.

In summary, the following three items need to be supported:

  • SSO
  • Enhanced security with MFA
  • LDAP for directory services (just like before)

Let’s look at how these items can be supported and coexist.

Goals

In order to achieve the above requirements, we will build an in-house IdP using Keycloak and FreeIPA, such that both OSS and LDAP functions are supported. This will allow us to implement both MFA and SSO. What I mean by “in-house” here is that we will not use an externally-managed service, but manage OSS and everything else by ourselves.

Below is a diagram of this vision:

  • The Service Provider (SP) accesses Keycloak and performs authentication in cooperation with FreeIPA
  • OTP functionality is provided by Keycloak for implementing MFA
  • After authentication, a single sign-on to other SPs is performed with Security Assertion Markup Language (SAML) assertions

The steps taken to achieve these goals, along with test results, will be covered in upcoming Tech Blog articles:

  • Overview of the test environment (this blog)
  • How to build an in-house IdP using Keycloak and FreeIPA (LDAP)
  • How to set up MFA
  • How to implement SSO to JupyterHub/Lab

Overview of Test Environment

Configuration

All of the components of the test environment were built using Amazon EC2 instances. As mentioned above, if you are going to use AWS in your production environment, it is best to use managed services as well as EC2 as much as possible in order to improve availability.

The role of each server in the test environment is shown below:

  • Identity Provider
    • Keycloak: Provides SSO and OTP functions
      • Links to PostgreSQL as an internal database
      • Links to FreeIPA using either LDAP sync or the System Security Services Daemon (SSSD)
    • FreeIPA: Provides identity function (LDAP) and password authentication function
      • A test user must be created in advance
      • Sample Base DN: dc=sample,dc=com
      • Sample Users DN: cn=users,cn=accounts,dc=sample,dc=com
    • Reverse Proxy: Mediates communication to Keycloak
      • Processes SSL certificate
      • The Reverse Proxy's IP address is already registered in Route 53 as a record to enable name resolution
  • Service Provider
    We will be running two web services to verify SSO functionality. We plan to use JupyterHub/Lab or WordPress.
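
As an added example (not code from the original article or from the Keycloak or FreeIPA projects), the following pre-flight check reviews the settings planned for the Keycloak-to-FreeIPA LDAP link against the sample DNs listed above. The key names follow Keycloak's LDAP provider settings in a flattened dict; the host name, the bind account and the choice to require READ_ONLY are assumptions made for illustration.

```python
import re

# Sample DNs come from the article; every other value is assumed for illustration.
BASE_DN = "dc=sample,dc=com"
PLANNED = {
    "connectionUrl": "ldaps://ipa.sample.com:636",  # hypothetical host
    "usersDn": "cn=users,cn=accounts,dc=sample,dc=com",
    "bindDn": "uid=keycloak-svc,cn=sysaccounts,cn=etc,dc=sample,dc=com",  # hypothetical account
    "editMode": "READ_ONLY",
    "startTls": "false",
}

def split_dn(dn):
    """Split a DN into normalised (attribute, value) pairs, honouring '\\,' escapes."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def is_under(dn, base):
    """True when dn sits strictly below base in the directory tree."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) > len(b) and d[-len(b):] == b

def check_federation(cfg, base_dn):
    """Return a list of findings; an empty list means the settings pass."""
    findings = []
    url = cfg.get("connectionUrl", "").lower()
    if not (url.startswith("ldaps://") or cfg.get("startTls") == "true"):
        findings.append("LDAP traffic is unencrypted: use ldaps:// or StartTLS")
    for key in ("usersDn", "bindDn"):
        try:
            if not is_under(cfg.get(key, ""), base_dn):
                findings.append(f"{key} is not below {base_dn}")
        except ValueError as exc:
            findings.append(f"{key}: {exc}")
    if cfg.get("editMode") != "READ_ONLY":
        findings.append("editMode is not READ_ONLY: Keycloak could write to FreeIPA")
    return findings

if __name__ == "__main__":
    for line in check_federation(PLANNED, BASE_DN) or ["no findings"]:
        print(line)
```
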

Overview of Operation

The system diagram for SSO is shown below. There are two options, SAML 2.0 and OpenID Connect (OIDC), and we are going to use SAML 2.0, which has a good track record in many services.

The following five points are important, so please bear with us even if we repeat ourselves:

  • Start from SP1
  • Assuming that Keycloak is built in a private area, it should be accessible via Reverse Proxy in the DMZ area
  • At the time of authentication, the OTP provided by Keycloak should be enabled and used as MFA, together with FreeIPA authentication
  • After authentication, it should be possible to obtain a SAML assertion and SSO to SP2
  • SP1 and SP2 should be interchangeable. In other words, starting from SP2 is also possible.

Summary

This article attempted to provide an overview of the testing environment:

  • We’re trying to build our own IdP with Keycloak + FreeIPA
  • We also try to provide MFA and SSO functionality with it
  • SSO will be tested with SAML 2.0
  • The test environment itself will be built entirely on EC2. Please note that this is not intended for a production environment.
  • For SP, we are planning to use JupyterHub/Lab or WordPress

Next Time

In the next article, we will explain how to build an in-house IdP using Keycloak and FreeIPA. There are two ways to work with FreeIPA, and that will be covered as well.

<About the Author>
Daisuke Nagao is leading the development of AXXE-L as CTO of XTREME-D.
He first engaged with HPC as a user, and he’s since expanded his expertise to encompass cloud, Deep Learning, and AI.
Daisuke plays jazz piano and is always following emerging technologies, even while playing the piano.