This project is demonstrating how to setup authentication, authorization and access control using a brokerage. With a brokerage the authentication will be delegated to an upstream idp.

• Authentication is happening using a keycloak with this realms
  • upstreamidp1 for user base 1
  • upstreamidp2 for user base 2
• Authorization is happening using
  • keycloak-proxy which is protecting the access to an example application
• Access Control is happening using a keycloak which acts a a broker. it is in charge of
  • defining the roles for dedicated users.

• some linux distribution like Arch Linux or Debian
• docker
• docker-compose
• cfssl

The used components are used as docker container and will be started using docker-compose:

• traefik
• caddy
• postgresql
• keycloak
• keycloak
• keycloak-gatekeeper
• httpbin

The overall architecture looks like this:

These roles are known

• application user - authenticates and is using the application
• security account manager - manages accounts in IAM systems
• security role manager - manages the roles in the broker
• developer - has developed the application and is the defining the policies for an authorization

Add necessary host entries to /etc/host file

127.0.0.1       debug.aaa.demo
127.0.0.1       app.aaa.demo
127.0.0.1       api.keycloak.aaa.demo mgmt.keycloak.aaa.demo

Run ./start.sh

It starts several services:

1. postgres database
2. keycloak with 4 realms https://api.keycloak.aaa.demo
3. keycloak-gatekeeper https://app.aaa.demo with protects the demo application
4. demo application
5. httpbin for debugging https://debug.aaa.demo
6. traefik as a lightweight loadbalancer

1. Access http://app.aaa.demo. You will be redirected to the Broker
2. Login directly at the broker or at another upstream idp. You are logged in and will be redirected back to the demo application

1. Access http://api.keycloak.aaa.demo.
2. login with admin user from Keycloak Master
3. Go to "Manage Users" on left menu
4. Select a user and click the button edit
5. Go to roles tab

• admin / 11111111

• brokeruser1 / brokeruser1

• idp1user1 / idp1user1

• idp2user1 / idp2user1

• Keycloak Broker SAML SP Descriptor URL for Upstreamidp1
  • https://api.keycloak.aaa.demo/auth/realms/broker/broker/broker-upstreamidp1-saml/endpoint/descriptor
• Keycloak Broker SAML SP Descriptor URL for Upstreamidp2
  • https://api.keycloak.aaa.demo/auth/realms/broker/broker/broker-upstreamidp2-saml/endpoint/descriptor
• Keyclaok Upstreamidp1 SAML IDP Descriptor URL
  • https://api.keycloak.aaa.demo/auth/realms/upstreamidp1/protocol/saml/descriptor
• Keyclaok Upstreamidp2 SAML IDP Descriptor URL
  • https://api.keycloak.aaa.demo/auth/realms/upstreamidp2/protocol/saml/descriptor